Windows Analysis Report
V2-Office-C2R-Update-16.exe

Overview

General Information

Sample name:V2-Office-C2R-Update-16.exe
Analysis ID:1520505
MD5:2552e2bfaa2cee3699f2f291f7a369c5
SHA1:9c7800d70eeba2a7b77e0a8093624f2952b966a3
SHA256:60ea622fee92bb134018b84e719a064e1f163bd41c71017d791551ddc0f8ba8e
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected suspicious sample
Machine Learning detection for sample
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Uses 32bit PE files

Classification

  • System is w10x64
  • V2-Office-C2R-Update-16.exe (PID: 1872 cmdline: "C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe" MD5: 2552E2BFAA2CEE3699F2F291F7A369C5)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 94.5% probability
Source: V2-Office-C2R-Update-16.exe; Joe Sandbox ML: detected
Source: V2-Office-C2R-Update-16.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Code function: 0_2_004054C6 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054C6
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Code function: 0_2_00405E9C FindFirstFileA,FindClose, 0_2_00405E9C
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: V2-Office-C2R-Update-16.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: V2-Office-C2R-Update-16.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Code function: 0_2_00404FCB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FCB
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Code function: 0_2_0040310D EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040310D
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Code function: 0_2_00406B01 0_2_00406B01
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Code function: 0_2_0040632A 0_2_0040632A
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Code function: 0_2_004047DC 0_2_004047DC
Source: V2-Office-C2R-Update-16.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine; Classification label: mal48.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Code function: 0_2_0040429B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_0040429B
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar, 0_2_00402036
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; File created: C:\Users\user\AppData\Local\Temp\nstB5BF.tmp
Source: V2-Office-C2R-Update-16.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; File read: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Section loaded: propsys.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; File created: C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\System.dll (dropped file)
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\System.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Code function: 0_2_004054C6 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054C6
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Code function: 0_2_00405E9C FindFirstFileA,FindClose, 0_2_00405E9C
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: V2-Office-C2R-Update-16.exe, 00000000.00000002.1417244942.000000000047E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: I-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Fy;
Source: V2-Office-C2R-Update-16.exe, 00000000.00000002.1417244942.000000000047E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: 5HSCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; API call chain: ExitProcess graph end node graph_0-3131
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe; Code function: 0_2_0040310D EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040310D
MITRE ATT&CK matrix: techniques matched by signatures, with the number of matching signatures per technique, grouped by tactic (no techniques were matched under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement or Exfiltration):

  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: DLL Side-Loading (1)
  • Discovery: Security Software Discovery (1), File and Directory Discovery (2), System Information Discovery (4)
  • Collection: Archive Collected Data (1), Clipboard Data (1)
  • Command and Control: Encrypted Channel (1)
  • Impact: System Shutdown/Reboot (1)
Antivirus detection for the submitted sample (Source, Detection, Scanner):
  • V2-Office-C2R-Update-16.exe: 8%, ReversingLabs
  • V2-Office-C2R-Update-16.exe: 100%, Joe Sandbox ML

Antivirus detection for dropped files (Source, Detection, Scanner):
  • C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\System.dll: 0%, ReversingLabs

No Antivirus matches
No Antivirus matches

Antivirus detection for URLs (Source, Detection, Scanner, Label):
  • http://nsis.sf.net/NSIS_ErrorError: 0%, URL Reputation, safe

No contacted domains info

URLs (Name, Source, Malicious, Antivirus Detection, Reputation):
  • http://nsis.sf.net/NSIS_Error; source: V2-Office-C2R-Update-16.exe; malicious: false; reputation: unknown
  • http://nsis.sf.net/NSIS_ErrorError; source: V2-Office-C2R-Update-16.exe; malicious: false; antivirus detection: URL Reputation: safe; reputation: unknown

No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1520505
Start date and time:2024-09-27 12:36:44 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 13s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:V2-Office-C2R-Update-16.exe
Detection:MAL
Classification:mal48.winEXE@1/2@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 27
  • Number of non-executed functions: 32
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • VT rate limit hit for: V2-Office-C2R-Update-16.exe
No simulations
No context
Dropped file context (Match, Associated Sample Name / URL, Detection, Threat Name):
Match: C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\System.dll
  • Microsoft-Office-Update 1.exe: malicious, Unknown
  • Microsoft-Office-Update 1.exe: malicious, Unknown
  • Setup (1).exe: malicious, Unknown
  • Setup (1).exe: malicious, Unknown
  • GzYMZtRVDU.exe: malicious, Unknown
  • SetupFA.exe: malicious, Unknown
  • aEkdUAdARk.exe: malicious, Unknown
  • https://veryfast.io/downloading.html: malicious, Unknown
  • Setup 2.exe: malicious, Unknown
                      Process:C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):350
                      Entropy (8bit):5.228076470185639
                      Encrypted:false
                      SSDEEP:6:3NcF1OX5oesdF/l/TgEpSSvdOO+cWY2nEtfMSJ1hwza9T:9cF1OpzsdNl/lpSSvdOLcWHEVFJ1msT
                      MD5:680AE18439055337039C81816E79FC1B
                      SHA1:9C7F0EB818D365552E3E6FE444AB3DFABDA1EF24
                      SHA-256:DD94323152FA0F38E6C05C6E4DD5CBC15B1AE6EC8297E0E6DB61B26FD3EA6DAB
                      SHA-512:2FC266F7EE3DE1DD4B30588992370788CE28E33BEC95485729B8EADC510AA04EC2CEE15908AAB96B9982F925308C7590C68DFF2D8F0D6D4A6F5C91C57951B475
                      Malicious:false
                      Reputation:low
Preview:
<Configuration>
 <Add OfficeClientEdition="32" Channel="Current" SourcePath="C:\Program Files (x86)\Microsoft Office">
 <Product ID="ProPlus2019Retail">
 </Product>
 </Add>
 <Updates Enabled="TRUE" Channel="Current" />
 <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
 <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
                      Process:C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):10752
                      Entropy (8bit):5.7433628862644
                      Encrypted:false
                      SSDEEP:192:Xv+cJZE61KRWJQO6tFiUdK7ckD4k7l1XRBm0w+NiHi1nSJ:Xf6rtFRdbQ1W+fn8
                      MD5:0FF5120F1AFD0F295C2BAA0F7192D3F8
                      SHA1:BDE842D5D11005DCB4FF1D4EA97DA31865477697
                      SHA-256:4CA5BF1BEB4B802914C4D3E2F37861F6BA5ECF969CFEADF5855EDF58F647A721
                      SHA-512:E049FFD7AACE8D136EEE007EE4F8DBC2AE8F3DCE79D1C633D9654392240F8215787DF8A6D08085257DB51F28FF2A8023A13333DDA3EA7F9BDC8B9C57B605F0A0
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Joe Sandbox View:
                      • Filename: Microsoft-Office-Update 1.exe, Detection: malicious, Browse
                      • Filename: Microsoft-Office-Update 1.exe, Detection: malicious, Browse
                      • Filename: Setup (1).exe, Detection: malicious, Browse
                      • Filename: Setup (1).exe, Detection: malicious, Browse
                      • Filename: GzYMZtRVDU.exe, Detection: malicious, Browse
                      • Filename: SetupFA.exe, Detection: malicious, Browse
                      • Filename: aEkdUAdARk.exe, Detection: malicious, Browse
                      • Filename: , Detection: malicious, Browse
                      • Filename: Setup 2.exe, Detection: malicious, Browse
                      Reputation:moderate, very likely benign file
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j....l.9..i....l.Richm.........................PE..L...^y.V...........!.................).......0...............................`......................................p2......t0..P............................P.......................................................0..X............................text............................... ..`.rdata.......0......."..............@..@.data...d....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                      Entropy (8bit):7.75862684452235
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:V2-Office-C2R-Update-16.exe
                      File size:125'562 bytes
                      MD5:2552e2bfaa2cee3699f2f291f7a369c5
                      SHA1:9c7800d70eeba2a7b77e0a8093624f2952b966a3
                      SHA256:60ea622fee92bb134018b84e719a064e1f163bd41c71017d791551ddc0f8ba8e
                      SHA512:ff9515ce9e685cc4e12291e37389c7ddd08bc28a98f5b67f96eee81e03cdf55ebbd101df52f8edddf3565f49312ff3324875b8c3b43912377159f5fc89089623
                      SSDEEP:3072:kqRaMrUwmuvDWLcyMrywn3Lq4VAva2GSgbgYZMIvmUlpiH6E:knx1Wr73LDAvaz2IeUlQH6E
                      TLSH:D9C30246F6C0D8ABE4D201704A7F673AF3BBD60702025987CBE44E7639549DB931A32E
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3(..RF..RF..RF.*]...RF..RG.pRF.*]...RF..qv..RF..T@..RF.Rich.RF.........................PE..L...oy.V.................`.........
                      Icon Hash:3d2e0f95332b3399
                      Entrypoint:0x40310d
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      DLL Characteristics:TERMINAL_SERVER_AWARE
                      Time Stamp:0x567F796F [Sun Dec 27 05:38:55 2015 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:29b61e5a552b3a9bc00953de1c93be41
                      Instruction
                      sub esp, 00000180h
                      push ebx
                      push ebp
                      push esi
                      push edi
                      xor ebx, ebx
                      push 00008001h
                      mov dword ptr [esp+1Ch], ebx
                      mov dword ptr [esp+14h], 00409188h
                      xor esi, esi
                      mov byte ptr [esp+18h], 00000020h
                      call dword ptr [004070B4h]
                      call dword ptr [004070B0h]
                      cmp ax, 00000006h
                      je 00007FB47CE41283h
                      push ebx
                      call 00007FB47CE44059h
                      cmp eax, ebx
                      je 00007FB47CE41279h
                      push 00000C00h
                      call eax
                      push 0040917Ch
                      call 00007FB47CE43FDAh
                      push 00409174h
                      call 00007FB47CE43FD0h
                      push 00409168h
                      call 00007FB47CE43FC6h
                      push 0000000Dh
                      call 00007FB47CE44029h
                      push 0000000Bh
                      call 00007FB47CE44022h
                      mov dword ptr [0042EC44h], eax
                      call dword ptr [00407034h]
                      push ebx
                      call dword ptr [00407270h]
                      mov dword ptr [0042ECF8h], eax
                      push ebx
                      lea eax, dword ptr [esp+34h]
                      push 00000160h
                      push eax
                      push ebx
                      push 00429078h
                      call dword ptr [00407160h]
                      push 0040915Ch
                      push 0042E440h
                      call 00007FB47CE43C59h
                      call dword ptr [004070ACh]
                      mov ebp, 00434000h
                      push eax
                      push ebp
                      call 00007FB47CE43C47h
                      push ebx
                      call dword ptr [00407144h]
                      Programming Language:
                      • [EXP] VC++ 6.0 SP5 build 8804
Data directories (Name, Virtual Address, Virtual Size, Is in Section):
  • IMAGE_DIRECTORY_ENTRY_EXPORT: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_IMPORT: 0x74d8, 0xa0, .rdata
  • IMAGE_DIRECTORY_ENTRY_RESOURCE: 0x39000, 0x9e0, .rsrc
  • IMAGE_DIRECTORY_ENTRY_EXCEPTION: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_SECURITY: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_BASERELOC: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_DEBUG: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_COPYRIGHT: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_GLOBALPTR: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_TLS: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_IAT: 0x7000, 0x280, .rdata
  • IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_RESERVED: 0x0, 0x0
Sections (Name, Virtual Address, Virtual Size, Raw Size, MD5, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics):
  • .text: 0x1000, 0x5e3c, 0x6000, 1a13b408c917b27c9106545148d3b8d3, False, 0.6686197916666666, data, 6.432295288512854, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  • .rdata: 0x7000, 0x126a, 0x1400, 921acf8cb0aea87c0603fa899765fcc2, False, 0.43359375, data, 5.00588726544978, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  • .data: 0x9000, 0x25d38, 0x600, 797517c6ef57aa95d53df2cf07568953, False, 0.474609375, data, 4.291756049727371, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  • .ndata: 0x2f000, 0xa000, 0x0, d41d8cd98f00b204e9800998ecf8427e, False, 0, empty, 0.0, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  • .rsrc: 0x39000, 0x9e0, 0xa00, 5b63d03d3b0f15381a12024976c9428a, False, 0.455078125, data, 4.506998627982565, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources (Name, RVA, Size, Type, Language, Country, ZLIB Complexity):
  • RT_ICON: 0x39190, 0x2e8, Device independent bitmap graphic, 32 x 64 x 4, image size 640, English, United States, 0.42473118279569894
  • RT_DIALOG: 0x39478, 0x100, data, English, United States, 0.5234375
  • RT_DIALOG: 0x39578, 0x11c, data, English, United States, 0.6056338028169014
  • RT_DIALOG: 0x39698, 0x60, data, English, United States, 0.7291666666666666
  • RT_GROUP_ICON: 0x396f8, 0x14, data, English, United States, 1.2
  • RT_MANIFEST: 0x39710, 0x2cc, XML 1.0 document, ASCII text, with very long lines (716), with no line terminators, English, United States, 0.5656424581005587
Imports (DLL: imported functions):
  • KERNEL32.dll: SetFileAttributesA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CompareFileTime, SearchPathA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, CreateDirectoryA, lstrcmpiA, GetCommandLineA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, LoadLibraryA, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, WaitForSingleObject, GetWindowsDirectoryA, GetTempPathA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, LoadLibraryExA, GetModuleHandleA, MultiByteToWideChar, FreeLibrary
  • USER32.dll: GetWindowRect, EnableMenuItem, GetSystemMenu, ScreenToClient, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, PostQuitMessage, RegisterClassA, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, OpenClipboard, TrackPopupMenu, SendMessageTimeoutA, GetDC, LoadImageA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, SetWindowLongA, EmptyClipboard, SetTimer, CreateDialogParamA, wsprintfA, ShowWindow, SetWindowTextA
  • GDI32.dll: SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
  • SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
  • ADVAPI32.dll: RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
  • COMCTL32.dll: ImageList_Create, ImageList_Destroy, ImageList_AddMasked
  • ole32.dll: OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system:English
Country where language is spoken:United States
                      No network behavior found

                      Target ID:0
                      Start time:06:37:40
                      Start date:27/09/2024
                      Path:C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe"
                      Imagebase:0x400000
                      File size:125'562 bytes
                      MD5 hash:2552E2BFAA2CEE3699F2F291F7A369C5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                        Execution Graph

                        Execution Coverage:16.7%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:22.2%
                        Total number of Nodes:1268
                        Total number of Limit Nodes:26
3626 40140b 2 API calls 3625->3626 3626->3624 3628->3623 3629 401c6d 3630 4029ef 18 API calls 3629->3630 3631 401c73 IsWindow 3630->3631 3632 4019d6 3631->3632 3633 4014f0 SetForegroundWindow 3634 4028a1 3633->3634 3635 403f71 lstrcpynA lstrlenA 3636 4016fa 3637 402a0c 18 API calls 3636->3637 3638 401701 SearchPathA 3637->3638 3639 4027cc 3638->3639 3640 40171c 3638->3640 3640->3639 3642 405ba1 lstrcpynA 3640->3642 3642->3639 3643 40287c SendMessageA 3644 4028a1 3643->3644 3645 402896 InvalidateRect 3643->3645 3645->3644 3646 40227d 3647 402a0c 18 API calls 3646->3647 3648 40228b 3647->3648 3649 402a0c 18 API calls 3648->3649 3650 402294 3649->3650 3651 402a0c 18 API calls 3650->3651 3652 40229e GetPrivateProfileStringA 3651->3652 3653 4014fe 3654 401506 3653->3654 3656 401519 3653->3656 3655 4029ef 18 API calls 3654->3655 3655->3656 3657 401000 3658 401037 BeginPaint GetClientRect 3657->3658 3659 40100c DefWindowProcA 3657->3659 3661 4010f3 3658->3661 3662 401179 3659->3662 3663 401073 CreateBrushIndirect FillRect DeleteObject 3661->3663 3664 4010fc 3661->3664 3663->3661 3665 401102 CreateFontIndirectA 3664->3665 3666 401167 EndPaint 3664->3666 3665->3666 3667 401112 6 API calls 3665->3667 3666->3662 3667->3666 3668 401b06 3669 401b57 3668->3669 3671 401b13 3668->3671 3672 401b80 GlobalAlloc 3669->3672 3673 401b5b 3669->3673 3670 402211 3676 405bc3 18 API calls 3670->3676 3671->3670 3679 401b2a 3671->3679 3675 405bc3 18 API calls 3672->3675 3674 401b9b 3673->3674 3689 405ba1 lstrcpynA 3673->3689 3675->3674 3678 40221e 3676->3678 3682 405462 MessageBoxIndirectA 3678->3682 3687 405ba1 lstrcpynA 3679->3687 3680 401b6d GlobalFree 3680->3674 3682->3674 3683 401b39 3688 405ba1 lstrcpynA 3683->3688 3685 401b48 3690 405ba1 lstrcpynA 3685->3690 3687->3683 3688->3685 3689->3680 3690->3674 3691 402188 3692 402a0c 18 API calls 3691->3692 3693 40218e 3692->3693 3694 402a0c 18 API calls 3693->3694 3695 402197 3694->3695 3696 402a0c 18 API calls 3695->3696 3697 4021a0 3696->3697 
3698 405e9c 2 API calls 3697->3698 3699 4021a9 3698->3699 3700 4021ba lstrlenA lstrlenA 3699->3700 3705 4021ad 3699->3705 3701 404e8d 25 API calls 3700->3701 3703 4021f6 SHFileOperationA 3701->3703 3702 404e8d 25 API calls 3704 4021b5 3702->3704 3703->3704 3703->3705 3705->3702 3705->3704 2942 401389 2944 401390 2942->2944 2943 4013fe 2944->2943 2945 4013cb MulDiv SendMessageA 2944->2945 2945->2944 3706 40220a 3707 402211 3706->3707 3710 402224 3706->3710 3708 405bc3 18 API calls 3707->3708 3709 40221e 3708->3709 3711 405462 MessageBoxIndirectA 3709->3711 3711->3710 3712 40398a 3713 4039a2 3712->3713 3714 403add 3712->3714 3713->3714 3715 4039ae 3713->3715 3716 403b2e 3714->3716 3717 403aee GetDlgItem GetDlgItem 3714->3717 3718 4039b9 SetWindowPos 3715->3718 3719 4039cc 3715->3719 3721 403b88 3716->3721 3729 401389 2 API calls 3716->3729 3720 403e5d 19 API calls 3717->3720 3718->3719 3723 4039d1 ShowWindow 3719->3723 3724 4039e9 3719->3724 3725 403b18 SetClassLongA 3720->3725 3722 403ea9 SendMessageA 3721->3722 3771 403ad8 3721->3771 3769 403b9a 3722->3769 3723->3724 3726 4039f1 DestroyWindow 3724->3726 3727 403a0b 3724->3727 3728 40140b 2 API calls 3725->3728 3779 403de6 3726->3779 3731 403a10 SetWindowLongA 3727->3731 3732 403a21 3727->3732 3728->3716 3730 403b60 3729->3730 3730->3721 3733 403b64 SendMessageA 3730->3733 3731->3771 3736 403a2d GetDlgItem 3732->3736 3748 403a98 3732->3748 3733->3771 3734 40140b 2 API calls 3734->3769 3735 403de8 DestroyWindow EndDialog 3735->3779 3739 403a40 SendMessageA IsWindowEnabled 3736->3739 3740 403a5d 3736->3740 3737 403ec4 8 API calls 3737->3771 3738 403e17 ShowWindow 3738->3771 3739->3740 3739->3771 3742 403a6a 3740->3742 3743 403ab1 SendMessageA 3740->3743 3744 403a7d 3740->3744 3752 403a62 3740->3752 3741 405bc3 18 API calls 3741->3769 3742->3743 3742->3752 3743->3748 3746 403a85 3744->3746 3747 403a9a 3744->3747 3745 403e36 SendMessageA 3745->3748 3749 40140b 2 API calls 3746->3749 3750 40140b 2 API calls 3747->3750 
3748->3737 3749->3752 3750->3752 3751 403e5d 19 API calls 3751->3769 3752->3745 3752->3748 3753 403e5d 19 API calls 3754 403c15 GetDlgItem 3753->3754 3755 403c32 ShowWindow EnableWindow 3754->3755 3756 403c2a 3754->3756 3780 403e7f EnableWindow 3755->3780 3756->3755 3758 403c5c EnableWindow 3761 403c70 3758->3761 3759 403c75 GetSystemMenu EnableMenuItem SendMessageA 3760 403ca5 SendMessageA 3759->3760 3759->3761 3760->3761 3761->3759 3781 403e92 SendMessageA 3761->3781 3782 405ba1 lstrcpynA 3761->3782 3764 403cd3 lstrlenA 3765 405bc3 18 API calls 3764->3765 3766 403ce4 SetWindowTextA 3765->3766 3767 401389 2 API calls 3766->3767 3767->3769 3768 403d28 DestroyWindow 3770 403d42 CreateDialogParamA 3768->3770 3768->3779 3769->3734 3769->3735 3769->3741 3769->3751 3769->3753 3769->3768 3769->3771 3772 403d75 3770->3772 3770->3779 3773 403e5d 19 API calls 3772->3773 3774 403d80 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3773->3774 3775 401389 2 API calls 3774->3775 3776 403dc6 3775->3776 3776->3771 3777 403dce ShowWindow 3776->3777 3778 403ea9 SendMessageA 3777->3778 3778->3779 3779->3738 3779->3771 3780->3758 3781->3761 3782->3764 3783 401c8a 3784 4029ef 18 API calls 3783->3784 3785 401c91 3784->3785 3786 4029ef 18 API calls 3785->3786 3787 401c99 GetDlgItem 3786->3787 3788 4024ce 3787->3788 3085 40310d SetErrorMode GetVersion 3086 403143 3085->3086 3087 403149 3085->3087 3088 405f2d 5 API calls 3086->3088 3089 405ec3 3 API calls 3087->3089 3088->3087 3090 40315e 3089->3090 3091 405ec3 3 API calls 3090->3091 3092 403168 3091->3092 3093 405ec3 3 API calls 3092->3093 3094 403172 3093->3094 3095 405f2d 5 API calls 3094->3095 3096 403179 3095->3096 3097 405f2d 5 API calls 3096->3097 3098 403180 #17 OleInitialize SHGetFileInfoA 3097->3098 3178 405ba1 lstrcpynA 3098->3178 3100 4031bd GetCommandLineA 3179 405ba1 lstrcpynA 3100->3179 3102 4031cf GetModuleHandleA 3103 4031e6 3102->3103 3104 4056bf CharNextA 3103->3104 3105 4031fa CharNextA 3104->3105 3113 403207 
3105->3113 3106 403270 3107 403283 GetTempPathA 3106->3107 3180 4030dc 3107->3180 3109 403299 3110 4032bd DeleteFileA 3109->3110 3111 40329d GetWindowsDirectoryA lstrcatA 3109->3111 3190 402c38 GetTickCount GetModuleFileNameA 3110->3190 3114 4030dc 12 API calls 3111->3114 3112 4056bf CharNextA 3112->3113 3113->3106 3113->3112 3117 403272 3113->3117 3116 4032b9 3114->3116 3116->3110 3119 40333b ExitProcess CoUninitialize 3116->3119 3275 405ba1 lstrcpynA 3117->3275 3118 4032ce 3118->3119 3125 4056bf CharNextA 3118->3125 3157 403327 3118->3157 3121 403350 3119->3121 3122 40345f 3119->3122 3126 405462 MessageBoxIndirectA 3121->3126 3123 403502 ExitProcess 3122->3123 3127 405f2d 5 API calls 3122->3127 3130 4032e5 3125->3130 3131 40335e ExitProcess 3126->3131 3132 403472 3127->3132 3134 403302 3130->3134 3135 403366 3130->3135 3133 405f2d 5 API calls 3132->3133 3136 40347b 3133->3136 3138 405775 18 API calls 3134->3138 3278 4053e9 3135->3278 3139 405f2d 5 API calls 3136->3139 3141 40330d 3138->3141 3142 403484 3139->3142 3141->3119 3276 405ba1 lstrcpynA 3141->3276 3151 403492 GetCurrentProcess 3142->3151 3160 4034a2 3142->3160 3143 403387 lstrcatA lstrcmpiA 3143->3119 3146 4033a3 3143->3146 3144 40337c lstrcatA 3144->3143 3145 405f2d 5 API calls 3161 4034d9 3145->3161 3148 4033a8 3146->3148 3149 4033af 3146->3149 3281 40534f CreateDirectoryA 3148->3281 3286 4053cc CreateDirectoryA 3149->3286 3150 40331c 3277 405ba1 lstrcpynA 3150->3277 3151->3160 3152 4034ee ExitWindowsEx 3152->3123 3158 4034fb 3152->3158 3218 4035f4 3157->3218 3291 40140b 3158->3291 3159 4033b4 SetCurrentDirectoryA 3163 4033c3 3159->3163 3164 4033ce 3159->3164 3160->3145 3161->3152 3161->3158 3289 405ba1 lstrcpynA 3163->3289 3290 405ba1 lstrcpynA 3164->3290 3167 405bc3 18 API calls 3168 4033fe DeleteFileA 3167->3168 3169 40340b CopyFileA 3168->3169 3175 4033dc 3168->3175 3169->3175 3170 403453 3172 4058ef 40 API calls 3170->3172 3171 4058ef 40 API calls 3171->3175 3173 40345a 3172->3173 3173->3119 3174 
405bc3 18 API calls 3174->3175 3175->3167 3175->3170 3175->3171 3175->3174 3176 405401 2 API calls 3175->3176 3177 40343f CloseHandle 3175->3177 3176->3175 3177->3175 3178->3100 3179->3102 3181 405e03 5 API calls 3180->3181 3182 4030e8 3181->3182 3183 4030f2 3182->3183 3184 405694 3 API calls 3182->3184 3183->3109 3185 4030fa 3184->3185 3186 4053cc 2 API calls 3185->3186 3187 403100 3186->3187 3188 4058a7 2 API calls 3187->3188 3189 40310b 3188->3189 3189->3109 3294 405878 GetFileAttributesA CreateFileA 3190->3294 3192 402c78 3217 402c88 3192->3217 3295 405ba1 lstrcpynA 3192->3295 3194 402c9e 3195 4056db 2 API calls 3194->3195 3196 402ca4 3195->3196 3296 405ba1 lstrcpynA 3196->3296 3198 402caf GetFileSize 3199 402dab 3198->3199 3211 402cc6 3198->3211 3297 402bd4 3199->3297 3201 402db4 3203 402de4 GlobalAlloc 3201->3203 3201->3217 3308 4030c5 SetFilePointer 3201->3308 3202 403093 ReadFile 3202->3211 3309 4030c5 SetFilePointer 3203->3309 3205 402e17 3209 402bd4 6 API calls 3205->3209 3207 402dcd 3210 403093 ReadFile 3207->3210 3208 402dff 3212 402e71 33 API calls 3208->3212 3209->3217 3213 402dd8 3210->3213 3211->3199 3211->3202 3211->3205 3214 402bd4 6 API calls 3211->3214 3211->3217 3215 402e0b 3212->3215 3213->3203 3213->3217 3214->3211 3215->3215 3216 402e48 SetFilePointer 3215->3216 3215->3217 3216->3217 3217->3118 3219 405f2d 5 API calls 3218->3219 3220 403608 3219->3220 3221 403620 3220->3221 3222 40360e 3220->3222 3223 405a88 3 API calls 3221->3223 3319 405aff wsprintfA 3222->3319 3224 403641 3223->3224 3225 40365f lstrcatA 3224->3225 3227 405a88 3 API calls 3224->3227 3228 40361e 3225->3228 3227->3225 3310 4038bd 3228->3310 3231 405775 18 API calls 3232 403691 3231->3232 3233 40371a 3232->3233 3235 405a88 3 API calls 3232->3235 3234 405775 18 API calls 3233->3234 3236 403720 3234->3236 3238 4036bd 3235->3238 3237 403730 LoadImageA 3236->3237 3239 405bc3 18 API calls 3236->3239 3240 4037e4 3237->3240 3241 40375b RegisterClassA 3237->3241 3238->3233 3242 
4036d9 lstrlenA 3238->3242 3245 4056bf CharNextA 3238->3245 3239->3237 3244 40140b 2 API calls 3240->3244 3243 403797 SystemParametersInfoA CreateWindowExA 3241->3243 3273 403337 3241->3273 3246 4036e7 lstrcmpiA 3242->3246 3247 40370d 3242->3247 3243->3240 3248 4037ea 3244->3248 3249 4036d7 3245->3249 3246->3247 3250 4036f7 GetFileAttributesA 3246->3250 3251 405694 3 API calls 3247->3251 3253 4038bd 19 API calls 3248->3253 3248->3273 3249->3242 3252 403703 3250->3252 3254 403713 3251->3254 3252->3247 3255 4056db 2 API calls 3252->3255 3256 4037fb 3253->3256 3320 405ba1 lstrcpynA 3254->3320 3255->3247 3258 403807 ShowWindow 3256->3258 3259 40388a 3256->3259 3261 405ec3 3 API calls 3258->3261 3321 404f5f OleInitialize 3259->3321 3263 40381f 3261->3263 3262 403890 3264 403894 3262->3264 3265 4038ac 3262->3265 3266 40382d GetClassInfoA 3263->3266 3268 405ec3 3 API calls 3263->3268 3272 40140b 2 API calls 3264->3272 3264->3273 3267 40140b 2 API calls 3265->3267 3269 403841 GetClassInfoA RegisterClassA 3266->3269 3270 403857 DialogBoxParamA 3266->3270 3267->3273 3268->3266 3269->3270 3271 40140b 2 API calls 3270->3271 3274 40387f 3271->3274 3272->3273 3273->3119 3274->3273 3275->3107 3276->3150 3277->3157 3279 405f2d 5 API calls 3278->3279 3280 40336b lstrcatA 3279->3280 3280->3143 3280->3144 3282 4053a0 GetLastError 3281->3282 3283 4033ad 3281->3283 3282->3283 3284 4053af SetFileSecurityA 3282->3284 3283->3159 3284->3283 3285 4053c5 GetLastError 3284->3285 3285->3283 3287 4053e0 GetLastError 3286->3287 3288 4053dc 3286->3288 3287->3288 3288->3159 3289->3164 3290->3175 3292 401389 2 API calls 3291->3292 3293 401420 3292->3293 3293->3123 3294->3192 3295->3194 3296->3198 3298 402bf5 3297->3298 3299 402bdd 3297->3299 3302 402c05 GetTickCount 3298->3302 3303 402bfd 3298->3303 3300 402be6 DestroyWindow 3299->3300 3301 402bed 3299->3301 3300->3301 3301->3201 3304 402c13 CreateDialogParamA ShowWindow 3302->3304 3305 402c36 3302->3305 3306 405f69 2 API calls 3303->3306 
3304->3305 3305->3201 3307 402c03 3306->3307 3307->3201 3308->3207 3309->3208 3311 4038d1 3310->3311 3328 405aff wsprintfA 3311->3328 3313 403942 3314 405bc3 18 API calls 3313->3314 3315 40394e SetWindowTextA 3314->3315 3316 40366f 3315->3316 3317 40396a 3315->3317 3316->3231 3317->3316 3318 405bc3 18 API calls 3317->3318 3318->3317 3319->3228 3320->3233 3329 403ea9 3321->3329 3323 403ea9 SendMessageA 3325 404fbb OleUninitialize 3323->3325 3324 404f82 3327 404fa9 3324->3327 3332 401389 3324->3332 3325->3262 3327->3323 3328->3313 3330 403ec1 3329->3330 3331 403eb2 SendMessageA 3329->3331 3330->3324 3331->3330 3334 401390 3332->3334 3333 4013fe 3333->3324 3334->3333 3335 4013cb MulDiv SendMessageA 3334->3335 3335->3334 3789 401490 3790 404e8d 25 API calls 3789->3790 3791 401497 3790->3791 3792 402611 3793 4028a1 3792->3793 3794 402618 3792->3794 3795 40261e FindClose 3794->3795 3795->3793 3796 402692 3797 402a0c 18 API calls 3796->3797 3798 4026a0 3797->3798 3799 4026b6 3798->3799 3800 402a0c 18 API calls 3798->3800 3801 405859 2 API calls 3799->3801 3800->3799 3802 4026bc 3801->3802 3822 405878 GetFileAttributesA CreateFileA 3802->3822 3804 4026c9 3805 402772 3804->3805 3806 4026d5 GlobalAlloc 3804->3806 3807 40277a DeleteFileA 3805->3807 3808 40278d 3805->3808 3809 402769 CloseHandle 3806->3809 3810 4026ee 3806->3810 3807->3808 3809->3805 3823 4030c5 SetFilePointer 3810->3823 3812 4026f4 3813 403093 ReadFile 3812->3813 3814 4026fd GlobalAlloc 3813->3814 3815 402741 WriteFile GlobalFree 3814->3815 3816 40270d 3814->3816 3818 402e71 33 API calls 3815->3818 3817 402e71 33 API calls 3816->3817 3821 40271a 3817->3821 3819 402766 3818->3819 3819->3809 3820 402738 GlobalFree 3820->3815 3821->3820 3822->3804 3823->3812 3824 402793 3825 4029ef 18 API calls 3824->3825 3826 402799 3825->3826 3827 4027d4 3826->3827 3828 4027bd 3826->3828 3834 402672 3826->3834 3829 4027ea 3827->3829 3830 4027de 3827->3830 3831 4027c2 3828->3831 3837 4027d1 3828->3837 3833 405bc3 18 API calls 
3829->3833 3832 4029ef 18 API calls 3830->3832 3838 405ba1 lstrcpynA 3831->3838 3832->3837 3833->3837 3837->3834 3839 405aff wsprintfA 3837->3839 3838->3834 3839->3834 3840 401595 3841 402a0c 18 API calls 3840->3841 3842 40159c SetFileAttributesA 3841->3842 3843 4015ae 3842->3843 3844 401e95 3845 402a0c 18 API calls 3844->3845 3846 401e9c 3845->3846 3847 405e9c 2 API calls 3846->3847 3848 401ea2 3847->3848 3850 401eb4 3848->3850 3851 405aff wsprintfA 3848->3851 3851->3850 3852 401696 3853 402a0c 18 API calls 3852->3853 3854 40169c GetFullPathNameA 3853->3854 3855 4016b3 3854->3855 3856 4016d4 3854->3856 3855->3856 3859 405e9c 2 API calls 3855->3859 3857 4028a1 3856->3857 3858 4016e8 GetShortPathNameA 3856->3858 3858->3857 3860 4016c4 3859->3860 3860->3856 3862 405ba1 lstrcpynA 3860->3862 3862->3856 3863 402319 3864 40231f 3863->3864 3865 402a0c 18 API calls 3864->3865 3866 402331 3865->3866 3867 402a0c 18 API calls 3866->3867 3868 40233b RegCreateKeyExA 3867->3868 3869 4028a1 3868->3869 3870 402365 3868->3870 3871 40237d 3870->3871 3872 402a0c 18 API calls 3870->3872 3873 402389 3871->3873 3875 4029ef 18 API calls 3871->3875 3874 402376 lstrlenA 3872->3874 3876 4023a4 RegSetValueExA 3873->3876 3877 402e71 33 API calls 3873->3877 3874->3871 3875->3873 3878 4023ba RegCloseKey 3876->3878 3877->3876 3878->3869 3880 402819 3881 4029ef 18 API calls 3880->3881 3882 40281f 3881->3882 3883 402850 3882->3883 3885 40282d 3882->3885 3886 402672 3882->3886 3884 405bc3 18 API calls 3883->3884 3883->3886 3884->3886 3885->3886 3888 405aff wsprintfA 3885->3888 3888->3886 2946 40351a 2947 403532 2946->2947 2948 403524 CloseHandle 2946->2948 2953 40355f 2947->2953 2948->2947 2954 40356d 2953->2954 2955 403537 2954->2955 2956 403572 FreeLibrary GlobalFree 2954->2956 2957 4054c6 2955->2957 2956->2955 2956->2956 2998 405775 2957->2998 2960 4054e3 DeleteFileA 2962 403543 2960->2962 2961 4054fa 2963 40562f 2961->2963 3012 405ba1 lstrcpynA 2961->3012 2963->2962 2968 405e9c 2 API calls 
2963->2968 2965 405524 2966 405535 2965->2966 2967 405528 lstrcatA 2965->2967 3014 4056db lstrlenA 2966->3014 2969 40553b 2967->2969 2972 405654 2968->2972 2971 405549 lstrcatA 2969->2971 2973 405554 lstrlenA FindFirstFileA 2969->2973 2971->2973 2972->2962 2974 405694 3 API calls 2972->2974 2973->2963 2977 405578 2973->2977 2976 40565e 2974->2976 2975 4056bf CharNextA 2975->2977 2978 405859 2 API calls 2976->2978 2977->2975 2983 40560e FindNextFileA 2977->2983 2990 405859 2 API calls 2977->2990 2991 4054c6 61 API calls 2977->2991 2994 404e8d 25 API calls 2977->2994 2997 4055ec 2977->2997 3013 405ba1 lstrcpynA 2977->3013 2979 405664 RemoveDirectoryA 2978->2979 2980 405686 2979->2980 2981 40566f 2979->2981 2982 404e8d 25 API calls 2980->2982 2981->2962 2985 405675 2981->2985 2982->2962 2983->2977 2986 405626 FindClose 2983->2986 2987 404e8d 25 API calls 2985->2987 2986->2963 2988 40567d 2987->2988 2989 4058ef 40 API calls 2988->2989 2992 405684 2989->2992 2993 4055db DeleteFileA 2990->2993 2991->2977 2992->2962 2993->2977 2994->2983 2995 404e8d 25 API calls 2995->2997 2997->2983 2997->2995 3018 4058ef 2997->3018 3044 405ba1 lstrcpynA 2998->3044 3000 405786 3001 405728 4 API calls 3000->3001 3002 40578c 3001->3002 3003 4054da 3002->3003 3004 405e03 5 API calls 3002->3004 3003->2960 3003->2961 3010 40579c 3004->3010 3005 4057c7 lstrlenA 3006 4057d2 3005->3006 3005->3010 3007 405694 3 API calls 3006->3007 3009 4057d7 GetFileAttributesA 3007->3009 3008 405e9c 2 API calls 3008->3010 3009->3003 3010->3003 3010->3005 3010->3008 3011 4056db 2 API calls 3010->3011 3011->3005 3012->2965 3013->2977 3015 4056e8 3014->3015 3016 4056f9 3015->3016 3017 4056ed CharPrevA 3015->3017 3016->2969 3017->3015 3017->3016 3045 405f2d GetModuleHandleA 3018->3045 3021 405957 GetShortPathNameA 3022 405a4c 3021->3022 3023 40596c 3021->3023 3022->2997 3023->3022 3025 405974 wsprintfA 3023->3025 3027 405bc3 18 API calls 3025->3027 3026 40593b CloseHandle GetShortPathNameA 3026->3022 3028 40594f 
3026->3028 3029 40599c 3027->3029 3028->3021 3028->3022 3052 405878 GetFileAttributesA CreateFileA 3029->3052 3031 4059a9 3031->3022 3032 4059b8 GetFileSize GlobalAlloc 3031->3032 3033 405a45 CloseHandle 3032->3033 3034 4059d6 ReadFile 3032->3034 3033->3022 3034->3033 3035 4059ea 3034->3035 3035->3033 3053 4057ed lstrlenA 3035->3053 3038 405a59 3040 4057ed 4 API calls 3038->3040 3039 4059ff 3058 405ba1 lstrcpynA 3039->3058 3042 405a0d 3040->3042 3043 405a20 SetFilePointer WriteFile GlobalFree 3042->3043 3043->3033 3044->3000 3046 405f53 GetProcAddress 3045->3046 3047 405f49 3045->3047 3049 4058fa 3046->3049 3059 405ec3 GetSystemDirectoryA 3047->3059 3049->3021 3049->3022 3051 405878 GetFileAttributesA CreateFileA 3049->3051 3050 405f4f 3050->3046 3050->3049 3051->3026 3052->3031 3054 405823 lstrlenA 3053->3054 3055 405801 lstrcmpiA 3054->3055 3056 40582d 3054->3056 3055->3056 3057 40581a CharNextA 3055->3057 3056->3038 3056->3039 3057->3054 3058->3042 3060 405ee5 wsprintfA LoadLibraryA 3059->3060 3060->3050 3062 401e1b 3063 402a0c 18 API calls 3062->3063 3064 401e21 3063->3064 3065 404e8d 25 API calls 3064->3065 3066 401e2b 3065->3066 3077 405401 CreateProcessA 3066->3077 3068 401e31 3069 401e87 CloseHandle 3068->3069 3070 402672 3068->3070 3071 401e50 WaitForSingleObject 3068->3071 3080 405f69 3068->3080 3069->3070 3071->3068 3072 401e5e GetExitCodeProcess 3071->3072 3074 401e70 3072->3074 3075 401e79 3072->3075 3084 405aff wsprintfA 3074->3084 3075->3069 3078 405430 CloseHandle 3077->3078 3079 40543c 3077->3079 3078->3079 3079->3068 3081 405f86 PeekMessageA 3080->3081 3082 405f96 3081->3082 3083 405f7c DispatchMessageA 3081->3083 3082->3071 3083->3081 3084->3075 3889 401d1b GetDC GetDeviceCaps 3890 4029ef 18 API calls 3889->3890 3891 401d37 MulDiv 3890->3891 3892 4029ef 18 API calls 3891->3892 3893 401d4c 3892->3893 3894 405bc3 18 API calls 3893->3894 3895 401d85 CreateFontIndirectA 3894->3895 3896 4024ce 3895->3896 3897 40429b 3898 4042c7 3897->3898 3899 4042d8 
3897->3899 3958 405446 GetDlgItemTextA 3898->3958 3901 4042e4 GetDlgItem 3899->3901 3902 404343 3899->3902 3904 4042f8 3901->3904 3909 405bc3 18 API calls 3902->3909 3918 404427 3902->3918 3956 4045d1 3902->3956 3903 4042d2 3905 405e03 5 API calls 3903->3905 3907 40430c SetWindowTextA 3904->3907 3908 405728 4 API calls 3904->3908 3905->3899 3911 403e5d 19 API calls 3907->3911 3917 404302 3908->3917 3913 4043b7 SHBrowseForFolderA 3909->3913 3910 404457 3914 405775 18 API calls 3910->3914 3915 404328 3911->3915 3912 403ec4 8 API calls 3916 4045e5 3912->3916 3913->3918 3919 4043cf CoTaskMemFree 3913->3919 3920 40445d 3914->3920 3921 403e5d 19 API calls 3915->3921 3917->3907 3922 405694 3 API calls 3917->3922 3918->3956 3960 405446 GetDlgItemTextA 3918->3960 3923 405694 3 API calls 3919->3923 3961 405ba1 lstrcpynA 3920->3961 3924 404336 3921->3924 3922->3907 3925 4043dc 3923->3925 3959 403e92 SendMessageA 3924->3959 3928 404413 SetDlgItemTextA 3925->3928 3933 405bc3 18 API calls 3925->3933 3928->3918 3929 40433c 3931 405f2d 5 API calls 3929->3931 3930 404474 3932 405f2d 5 API calls 3930->3932 3931->3902 3939 40447b 3932->3939 3934 4043fb lstrcmpiA 3933->3934 3934->3928 3937 40440c lstrcatA 3934->3937 3935 4044b7 3962 405ba1 lstrcpynA 3935->3962 3937->3928 3938 4044be 3940 405728 4 API calls 3938->3940 3939->3935 3943 4056db 2 API calls 3939->3943 3945 40450f 3939->3945 3941 4044c4 GetDiskFreeSpaceA 3940->3941 3944 4044e8 MulDiv 3941->3944 3941->3945 3943->3939 3944->3945 3946 404580 3945->3946 3948 404717 21 API calls 3945->3948 3947 4045a3 3946->3947 3949 40140b 2 API calls 3946->3949 3963 403e7f EnableWindow 3947->3963 3950 40456d 3948->3950 3949->3947 3952 404582 SetDlgItemTextA 3950->3952 3953 404572 3950->3953 3952->3946 3955 404652 21 API calls 3953->3955 3954 4045bf 3954->3956 3964 404230 3954->3964 3955->3946 3956->3912 3958->3903 3959->3929 3960->3910 3961->3930 3962->3938 3963->3954 3965 404243 SendMessageA 3964->3965 3966 40423e 3964->3966 3965->3956 
3966->3965 3967 40251c 3968 4029ef 18 API calls 3967->3968 3970 402526 3968->3970 3969 40255a ReadFile 3969->3970 3974 40259c 3969->3974 3970->3969 3971 40259e 3970->3971 3972 4025ae 3970->3972 3970->3974 3976 405aff wsprintfA 3971->3976 3972->3974 3975 4025c4 SetFilePointer 3972->3975 3975->3974 3976->3974 2723 401721 2729 402a0c 2723->2729 2727 40172f 2728 4058a7 2 API calls 2727->2728 2728->2727 2730 402a18 2729->2730 2739 405bc3 2730->2739 2733 401728 2735 4058a7 2733->2735 2736 4058b2 GetTickCount GetTempFileNameA 2735->2736 2737 4058e2 2736->2737 2738 4058de 2736->2738 2737->2727 2738->2736 2738->2737 2744 405bd0 2739->2744 2740 405dea 2741 402a39 2740->2741 2774 405ba1 lstrcpynA 2740->2774 2741->2733 2758 405e03 2741->2758 2743 405c68 GetVersion 2755 405c75 2743->2755 2744->2740 2744->2743 2745 405dc1 lstrlenA 2744->2745 2748 405bc3 10 API calls 2744->2748 2752 405e03 5 API calls 2744->2752 2772 405aff wsprintfA 2744->2772 2773 405ba1 lstrcpynA 2744->2773 2745->2744 2748->2745 2749 405ce0 GetSystemDirectoryA 2749->2755 2751 405cf3 GetWindowsDirectoryA 2751->2755 2752->2744 2753 405d6a lstrcatA 2753->2744 2754 405d27 SHGetSpecialFolderLocation 2754->2755 2757 405d3f SHGetPathFromIDListA CoTaskMemFree 2754->2757 2755->2744 2755->2749 2755->2751 2755->2753 2755->2754 2756 405bc3 10 API calls 2755->2756 2767 405a88 RegOpenKeyExA 2755->2767 2756->2755 2757->2755 2765 405e0f 2758->2765 2759 405e77 2760 405e7b CharPrevA 2759->2760 2762 405e96 2759->2762 2760->2759 2761 405e6c CharNextA 2761->2759 2761->2765 2762->2733 2764 405e5a CharNextA 2764->2765 2765->2759 2765->2761 2765->2764 2766 405e67 CharNextA 2765->2766 2775 4056bf 2765->2775 2766->2761 2768 405af9 2767->2768 2769 405abb RegQueryValueExA 2767->2769 2768->2755 2771 405adc RegCloseKey 2769->2771 2771->2768 2772->2744 2773->2744 2774->2741 2776 4056c5 2775->2776 2777 4056d8 2776->2777 2778 4056cb CharNextA 2776->2778 2777->2765 2778->2776 3977 401922 3978 402a0c 18 API calls 3977->3978 3979 401929 lstrlenA 
3978->3979 3980 4024ce 3979->3980 3980->3980 3981 403fa5 3982 403fbb 3981->3982 3987 4040c8 3981->3987 3985 403e5d 19 API calls 3982->3985 3983 404137 3984 40420b 3983->3984 3986 404141 GetDlgItem 3983->3986 3992 403ec4 8 API calls 3984->3992 3988 404011 3985->3988 3989 404157 3986->3989 3990 4041c9 3986->3990 3987->3983 3987->3984 3991 40410c GetDlgItem SendMessageA 3987->3991 3993 403e5d 19 API calls 3988->3993 3989->3990 3997 40417d 6 API calls 3989->3997 3990->3984 3994 4041db 3990->3994 4012 403e7f EnableWindow 3991->4012 4002 404206 3992->4002 3996 40401e CheckDlgButton 3993->3996 3998 4041e1 SendMessageA 3994->3998 3999 4041f2 3994->3999 4010 403e7f EnableWindow 3996->4010 3997->3990 3998->3999 3999->4002 4003 4041f8 SendMessageA 3999->4003 4000 404132 4004 404230 SendMessageA 4000->4004 4003->4002 4004->3983 4005 40403c GetDlgItem 4011 403e92 SendMessageA 4005->4011 4007 404052 SendMessageA 4008 404070 GetSysColor 4007->4008 4009 404079 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4007->4009 4008->4009 4009->4002 4010->4005 4011->4007 4012->4000 4013 401ca5 4014 4029ef 18 API calls 4013->4014 4015 401cb5 SetWindowLongA 4014->4015 4016 4028a1 4015->4016 4017 401a26 4018 4029ef 18 API calls 4017->4018 4019 401a2c 4018->4019 4020 4029ef 18 API calls 4019->4020 4021 4019d6 4020->4021 4022 40262b 4023 402646 4022->4023 4024 40262e 4022->4024 4025 4027cc 4023->4025 4028 405ba1 lstrcpynA 4023->4028 4026 40263b FindNextFileA 4024->4026 4026->4023 4028->4025 4029 401bad 4030 4029ef 18 API calls 4029->4030 4031 401bb4 4030->4031 4032 4029ef 18 API calls 4031->4032 4033 401bbe 4032->4033 4034 402a0c 18 API calls 4033->4034 4038 401bce 4033->4038 4034->4038 4035 402a0c 18 API calls 4039 401bde 4035->4039 4036 401be9 4040 4029ef 18 API calls 4036->4040 4037 401c2d 4041 402a0c 18 API calls 4037->4041 4038->4035 4038->4039 4039->4036 4039->4037 4042 401bee 4040->4042 4043 401c32 4041->4043 4044 4029ef 18 API calls 4042->4044 4045 402a0c 18 API calls 
4043->4045 4047 401bf7 4044->4047 4046 401c3b FindWindowExA 4045->4046 4050 401c59 4046->4050 4048 401c1d SendMessageA 4047->4048 4049 401bff SendMessageTimeoutA 4047->4049 4048->4050 4049->4050 4051 4024b2 4052 402a0c 18 API calls 4051->4052 4053 4024b9 4052->4053 4056 405878 GetFileAttributesA CreateFileA 4053->4056 4055 4024c5 4056->4055 4057 4035b2 4058 4035bd 4057->4058 4059 4035c1 4058->4059 4060 4035c4 GlobalAlloc 4058->4060 4060->4059 2779 4015b3 2780 402a0c 18 API calls 2779->2780 2781 4015ba 2780->2781 2797 405728 CharNextA CharNextA 2781->2797 2783 40160a 2785 40162d 2783->2785 2786 40160f 2783->2786 2784 4056bf CharNextA 2788 4015d0 CreateDirectoryA 2784->2788 2790 401423 25 API calls 2785->2790 2803 401423 2786->2803 2791 4015e5 GetLastError 2788->2791 2794 4015c2 2788->2794 2796 40217f 2790->2796 2793 4015f2 GetFileAttributesA 2791->2793 2791->2794 2793->2794 2794->2783 2794->2784 2795 401621 SetCurrentDirectoryA 2795->2796 2798 405742 2797->2798 2802 40574e 2797->2802 2800 405749 CharNextA 2798->2800 2798->2802 2799 40576b 2799->2794 2800->2799 2801 4056bf CharNextA 2801->2802 2802->2799 2802->2801 2807 404e8d 2803->2807 2806 405ba1 lstrcpynA 2806->2795 2808 404ea8 2807->2808 2817 401431 2807->2817 2809 404ec5 lstrlenA 2808->2809 2810 405bc3 18 API calls 2808->2810 2811 404ed3 lstrlenA 2809->2811 2812 404eee 2809->2812 2810->2809 2813 404ee5 lstrcatA 2811->2813 2811->2817 2814 404f01 2812->2814 2815 404ef4 SetWindowTextA 2812->2815 2813->2812 2816 404f07 SendMessageA SendMessageA SendMessageA 2814->2816 2814->2817 2815->2814 2816->2817 2817->2806 2830 401734 2831 402a0c 18 API calls 2830->2831 2832 40173b 2831->2832 2833 401761 2832->2833 2834 401759 2832->2834 2891 405ba1 lstrcpynA 2833->2891 2890 405ba1 lstrcpynA 2834->2890 2837 40175f 2840 405e03 5 API calls 2837->2840 2838 40176c 2892 405694 lstrlenA CharPrevA 2838->2892 2843 40177e 2840->2843 2846 401795 CompareFileTime 2843->2846 2847 401859 2843->2847 2849 401830 2843->2849 2850 405ba1 

                        Control-flow Graph

                        APIs
                        • SetErrorMode.KERNELBASE ref: 00403131
                        • GetVersion.KERNEL32 ref: 00403137
                        • #17.COMCTL32(0000000B,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00403185
                        • OleInitialize.OLE32(00000000), ref: 0040318C
                        • SHGetFileInfoA.SHELL32(00429078,00000000,?,00000160,00000000), ref: 004031A8
                        • GetCommandLineA.KERNEL32(Office C2R Update Setup,NSIS Error), ref: 004031BD
                        • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe",00000000), ref: 004031D0
                        • CharNextA.USER32(00000000,"C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe",00409188), ref: 004031FB
                        • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040328E
                        • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004032A3
                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032AF
                        • DeleteFileA.KERNELBASE(1033), ref: 004032C2
                          • Part of subcall function 00405F2D: GetModuleHandleA.KERNEL32(?,?,00000000,00403179,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00405F3F
                          • Part of subcall function 00405F2D: GetProcAddress.KERNEL32(00000000,?), ref: 00405F5A
                        • ExitProcess.KERNEL32(00000000), ref: 0040333B
                        • CoUninitialize.COMBASE(00000000), ref: 00403340
                        • ExitProcess.KERNEL32 ref: 00403360
                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe",00000000,00000000), ref: 00403373
                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00409148,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe",00000000,00000000), ref: 00403382
                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe",00000000,00000000), ref: 0040338D
                        • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403399
                        • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004033B5
                        • DeleteFileA.KERNEL32(00428C78,00428C78,?,0042F000,?), ref: 004033FF
                        • CopyFileA.KERNEL32(C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe,00428C78,00000001), ref: 00403413
                        • CloseHandle.KERNEL32(00000000,00428C78,00428C78,?,00428C78,00000000), ref: 00403440
                        • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 00403499
                        • ExitWindowsEx.USER32(00000002,80040002), ref: 004034F1
                        • ExitProcess.KERNEL32 ref: 00403514
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: ExitFileProcesslstrcat$Handle$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpi
                        • String ID: $ /D=$ _?=$"$"C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe$Error launching installer$NCRC$NSIS Error$Office C2R Update Setup$SETUPAPI$SeShutdownPrivilege$USERENV$UXTHEME$\Temp$~nsu
                        • API String ID: 2193684524-2442940367
                        • Opcode ID: ab76eb2c2152f2e93327dec9938e6a45575b05374fc3fe47b3b7ec5c4186d2cd
                        • Instruction ID: 451575da7f46b68c591153a14feb1e54add6b468c03afba2ffefeba693a227d9
                        • Opcode Fuzzy Hash: ab76eb2c2152f2e93327dec9938e6a45575b05374fc3fe47b3b7ec5c4186d2cd
                        • Instruction Fuzzy Hash: 55A1E3705083416AE7216F629C4AF6B7EACEB4570AF04047FF541B61D2CB7C9A058A6F

                        Control-flow Graph

                        APIs
                        • DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004054E4
                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040552E
                        • lstrcatA.KERNEL32(?,00409010,?,C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040554F
                        • lstrlenA.KERNEL32(?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405555
                        • FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\*.*,?,?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405566
                        • FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 00405618
                        • FindClose.KERNEL32(?), ref: 00405629
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                        • String ID: "C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\*.*$\*.*
                        • API String ID: 2035342205-899572504
                        • Opcode ID: 49a23bcb4989eb2bc55f989632ffb7892a432e638327651476ee734d0b1ae01c
                        • Instruction ID: 7349ebf4964971957ddff473b41d0a41d9b63905a7032000284e6e99f459cf31
                        • Opcode Fuzzy Hash: 49a23bcb4989eb2bc55f989632ffb7892a432e638327651476ee734d0b1ae01c
                        • Instruction Fuzzy Hash: 6C51F130404A487ADB226B228C45BBF3A69DF42318F50853BF909711D1DB7D9982DE6E

                        Control-flow Graph

                        APIs
                        • FindFirstFileA.KERNELBASE(?,0042C110,C:\,004057B8,C:\,C:\,00000000,C:\,C:\,?,?,00000000,004054DA,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EA7
                        • FindClose.KERNELBASE(00000000), ref: 00405EB3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: Find$CloseFileFirst
                        • String ID: C:\
                        • API String ID: 2295610775-3404278061
                        • Opcode ID: 6aebaf9d7798dbd017b42e649449a55c665c1a78b7402752724ce15f47781116
                        • Instruction ID: c926c128dd9a58e72073d921ff5d887e323c8f6286bbbccf5b0fc9dd9174debe
                        • Opcode Fuzzy Hash: 6aebaf9d7798dbd017b42e649449a55c665c1a78b7402752724ce15f47781116
                        • Instruction Fuzzy Hash: 60D0C931A0A4205BD3011738AD0985B7A589B453713108E32F565F62E1D37899628AED

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00405F2D: GetModuleHandleA.KERNEL32(?,?,00000000,00403179,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00405F3F
                          • Part of subcall function 00405F2D: GetProcAddress.KERNEL32(00000000,?), ref: 00405F5A
                        • lstrcatA.KERNEL32(1033,0042A0C0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0C0,00000000,00000003,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe",00000000), ref: 00403665
                        • lstrlenA.KERNEL32(</Configuration>,?,?,?,</Configuration>,00000000,00434400,1033,0042A0C0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0C0,00000000,00000003,C:\Users\user\AppData\Local\Temp\), ref: 004036DA
                        • lstrcmpiA.KERNEL32(?,.exe), ref: 004036ED
                        • GetFileAttributesA.KERNEL32(</Configuration>), ref: 004036F8
                        • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00434400), ref: 00403741
                          • Part of subcall function 00405AFF: wsprintfA.USER32 ref: 00405B0C
                        • RegisterClassA.USER32 ref: 00403788
                        • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004037A0
                        • CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004037D9
                        • ShowWindow.USER32(00000005,00000000), ref: 0040380F
                        • GetClassInfoA.USER32(00000000,RichEdit20A,0042E3E0), ref: 0040383B
                        • GetClassInfoA.USER32(00000000,RichEdit,0042E3E0), ref: 00403848
                        • RegisterClassA.USER32(0042E3E0), ref: 00403851
                        • DialogBoxParamA.USER32(?,00000000,0040398A,00000000), ref: 00403870
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                        • String ID: "C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe"$.DEFAULT\Control Panel\International$.exe$1033$</Configuration>$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$B
                        • API String ID: 1975747703-1785862987
                        • Opcode ID: 7435158fc53e05b7eb452c6009065ca08444211a86bae1cfffb41dd4ba7d39e0
                        • Instruction ID: 069ef0fb9a42e1b4956c000ddcdb280bce5473b1ca4ea0d36e0de5988d82752f
                        • Opcode Fuzzy Hash: 7435158fc53e05b7eb452c6009065ca08444211a86bae1cfffb41dd4ba7d39e0
                        • Instruction Fuzzy Hash: EE61D8B16442007FD220AFA69C45F273A6CEB44749F44457FF940B32D1CA7DA9018A7E

                        Control-flow Graph

                        APIs
                        • GetTickCount.KERNEL32 ref: 00402C49
                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe,00000400), ref: 00402C65
                          • Part of subcall function 00405878: GetFileAttributesA.KERNELBASE(00000003,00402C78,C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe,80000000,00000003), ref: 0040587C
                          • Part of subcall function 00405878: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040589E
                        • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe,C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe,80000000,00000003), ref: 00402CB1
                        Strings
                        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E10
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C42
                        • Inst, xrefs: 00402D1D
                        • soft, xrefs: 00402D26
                        • C:\Users\user\Desktop, xrefs: 00402C93, 00402C98, 00402C9E
                        • Null, xrefs: 00402D2F
                        • Error launching installer, xrefs: 00402C88
                        • C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe, xrefs: 00402C4F, 00402C5E, 00402C72, 00402C92
                        • "C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe", xrefs: 00402C38
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: File$AttributesCountCreateModuleNameSizeTick
                        • String ID: "C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                        • API String ID: 4283519449-3154811701
                        • Opcode ID: 52dd5125f2beb4c5a01725ee1ecfb7cda6383a0ef784e60b7ebdc9a7c5e8d2b4
                        • Instruction ID: d5d64c7dde767481ec9b836f5bb8cc7fe4476435a14377af370c0b56c56fa9d6
                        • Opcode Fuzzy Hash: 52dd5125f2beb4c5a01725ee1ecfb7cda6383a0ef784e60b7ebdc9a7c5e8d2b4
                        • Instruction Fuzzy Hash: 7B51D971901214ABDB219FA6DE89B9E7BB8FB40354F10413BF900B62D1D7BC9D418B9D

                        Control-flow Graph: function at 402e71 (graph rendering omitted)
                        APIs
                        • GetTickCount.KERNEL32 ref: 00402ED8
                        • GetTickCount.KERNEL32 ref: 00402F7F
                        • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402FA8
                        • wsprintfA.USER32 ref: 00402FB8
                        • WriteFile.KERNELBASE(00000000,00000000,0041B668,7FFFFFFF,00000000), ref: 00402FE6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: CountTick$FileWritewsprintf
                        • String ID: ... %d%%$hLA$hLA$vdA
                        • API String ID: 4209647438-2367115750
                        • Opcode ID: addaab61d9762357401ed889a56f94317b04aa9940b264370ab1ae8ac3205c02
                        • Instruction ID: 8a95cf2a137d7550cfd21daf0583010478331d15a29cb338fc351ae0d0d0651f
                        • Opcode Fuzzy Hash: addaab61d9762357401ed889a56f94317b04aa9940b264370ab1ae8ac3205c02
                        • Instruction Fuzzy Hash: D261AE7190221AEBDB10DFA5DA44AAF7BB8EB40355F10417BF910B72C4D7789A40CBE9

                        Control-flow Graph: function at 401734 (graph rendering omitted)
                        APIs
                        • lstrcatA.KERNEL32(00000000,00000000,00409C60,00434800,00000000,00000000,00000031), ref: 00401773
                        • CompareFileTime.KERNEL32(-00000014,?,00409C60,00409C60,00000000,00000000,00409C60,00434800,00000000,00000000,00000031), ref: 0040179D
                          • Part of subcall function 00405BA1: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Office C2R Update Setup,NSIS Error), ref: 00405BAE
                          • Part of subcall function 00404E8D: lstrlenA.KERNEL32(00429898,00000000,0041B668,755723A0,?,?,?,?,?,?,?,?,?,00402FCC,00000000,?), ref: 00404EC6
                          • Part of subcall function 00404E8D: lstrlenA.KERNEL32(00402FCC,00429898,00000000,0041B668,755723A0,?,?,?,?,?,?,?,?,?,00402FCC,00000000), ref: 00404ED6
                          • Part of subcall function 00404E8D: lstrcatA.KERNEL32(00429898,00402FCC,00402FCC,00429898,00000000,0041B668,755723A0), ref: 00404EE9
                          • Part of subcall function 00404E8D: SetWindowTextA.USER32(00429898,00429898), ref: 00404EFB
                          • Part of subcall function 00404E8D: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F21
                          • Part of subcall function 00404E8D: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F3B
                          • Part of subcall function 00404E8D: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F49
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                        • String ID: </Configuration>$x86
                        • API String ID: 1941528284-877467114
                        • Opcode ID: ea3e664a6eeb0410f738fdec232e3058c6293e6be49e1c2e6a25c63ee9856d32
                        • Instruction ID: e79ae9243306ab86068bc1e71be5748962656d45b0e0834c5e2f96de839f3da3
                        • Opcode Fuzzy Hash: ea3e664a6eeb0410f738fdec232e3058c6293e6be49e1c2e6a25c63ee9856d32
                        • Instruction Fuzzy Hash: 71419632914514BADF107BB9CC45EAF3679EF01329B20823BF421F11E1D77C9A418A6E

                        Control-flow Graph: function at 402319 (graph rendering omitted)
                        APIs
                        • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 00402357
                        • lstrlenA.KERNEL32(x86,00000023,?,?,?,00000100,?,?,?,00000011,00000002), ref: 00402377
                        • RegSetValueExA.ADVAPI32(?,?,?,?,x86,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 004023B0
                        • RegCloseKey.KERNELBASE(?,?,?,x86,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 00402493
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: CloseCreateValuelstrlen
                        • String ID: x86
                        • API String ID: 1356686001-2105985432
                        • Opcode ID: 455413cff14af31db9c9583a2d92b67dbb7ec2e5f501e2c51a8a66b017ebb4b0
                        • Instruction ID: 87e3eab27a64c54b83edf31c6fc5fb34a185908cb1e9cfdfcb2c5e910e3a0e9b
                        • Opcode Fuzzy Hash: 455413cff14af31db9c9583a2d92b67dbb7ec2e5f501e2c51a8a66b017ebb4b0
                        • Instruction Fuzzy Hash: 74116371E00108BEEB10EFB5DE89EAF7A79EB50358F10403AF905B61D1D6B85D019A69

                        Control-flow Graph: function at 405ec3 (graph rendering omitted)
                        APIs
                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405EDA
                        • wsprintfA.USER32 ref: 00405F13
                        • LoadLibraryA.KERNELBASE(?), ref: 00405F23
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: DirectoryLibraryLoadSystemwsprintf
                        • String ID: %s%s.dll$\
                        • API String ID: 2200240437-500877883
                        • Opcode ID: bac9a2fc6f46d7ce26ef8fb07d33782f421afe65be062073a8d3b7340457a89d
                        • Instruction ID: bb15d2e5d25401263bf0b052e26ed8f2ff91206720ea4b5c6b623b775464ebc4
                        • Opcode Fuzzy Hash: bac9a2fc6f46d7ce26ef8fb07d33782f421afe65be062073a8d3b7340457a89d
                        • Instruction Fuzzy Hash: 3FF02B309042095BDB149768DC0DEFB3B5CEB08304F1405BBA1C6E10D2E678ED558FD8

                        Control-flow Graph: function at 4058a7 (graph rendering omitted)
                        APIs
                        • GetTickCount.KERNEL32 ref: 004058BA
                        • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004058D4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: CountFileNameTempTick
                        • String ID: "C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                        • API String ID: 1716503409-2146412189
                        • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                        • Instruction ID: 40dff32a3e5f00750648796d4805ff32b13dc741bded237dc881b6ef32aeca23
                        • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                        • Instruction Fuzzy Hash: 91F0A73734820476E7105E55DC04B9B7F6DDF91750F14C027FD449A1C0D6B4995497A5

                        Control-flow Graph: function at 401f67 (graph rendering omitted)
                        APIs
                        • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F92
                          • Part of subcall function 00404E8D: lstrlenA.KERNEL32(00429898,00000000,0041B668,755723A0,?,?,?,?,?,?,?,?,?,00402FCC,00000000,?), ref: 00404EC6
                          • Part of subcall function 00404E8D: lstrlenA.KERNEL32(00402FCC,00429898,00000000,0041B668,755723A0,?,?,?,?,?,?,?,?,?,00402FCC,00000000), ref: 00404ED6
                          • Part of subcall function 00404E8D: lstrcatA.KERNEL32(00429898,00402FCC,00402FCC,00429898,00000000,0041B668,755723A0), ref: 00404EE9
                          • Part of subcall function 00404E8D: SetWindowTextA.USER32(00429898,00429898), ref: 00404EFB
                          • Part of subcall function 00404E8D: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F21
                          • Part of subcall function 00404E8D: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F3B
                          • Part of subcall function 00404E8D: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F49
                        • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FA2
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00401FB2
                        • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                        • String ID:
                        • API String ID: 2987980305-0
                        • Opcode ID: 9869af2cb92964e48e7fc90eca2e698adb7029155ee69229f50b37a2f0f1f0e7
                        • Instruction ID: c2750792bbdc63a1f1471102f5095df33ec689d5572da80d747626f78b0a8a56
                        • Opcode Fuzzy Hash: 9869af2cb92964e48e7fc90eca2e698adb7029155ee69229f50b37a2f0f1f0e7
                        • Instruction Fuzzy Hash: 86210B32904115BBDF206FA5CE8CA6E3571BF44358F20423BF901B62E1DBBC49419A5E

                        Control-flow Graph: function at 4015b3 (graph rendering omitted)
                        APIs
                          • Part of subcall function 00405728: CharNextA.USER32(004054DA,?,C:\,00000000,0040578C,C:\,C:\,?,?,00000000,004054DA,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405736
                          • Part of subcall function 00405728: CharNextA.USER32(00000000), ref: 0040573B
                          • Part of subcall function 00405728: CharNextA.USER32(00000000), ref: 0040574A
                        • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                        • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                        • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                        • SetCurrentDirectoryA.KERNEL32(00000000,00434800,00000000,00000000,000000F0), ref: 00401622
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                        • String ID:
                        • API String ID: 3751793516-0
                        • Opcode ID: 57533edc60f10f939fae359f78937f1c50cb0eb4b953c7c3d42e544ec839b729
                        • Instruction ID: bb8d1e4e690ad92a523629274e31cd42690718b140f669fc0321f517961e655e
                        • Opcode Fuzzy Hash: 57533edc60f10f939fae359f78937f1c50cb0eb4b953c7c3d42e544ec839b729
                        • Instruction Fuzzy Hash: AB010831908140AFDB217B795D44D6F77B49E56365B24063FF491B22E1C53C0941962E

                        Control-flow Graph: function at 405775 (graph rendering omitted)
                        APIs
                          • Part of subcall function 00405BA1: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Office C2R Update Setup,NSIS Error), ref: 00405BAE
                          • Part of subcall function 00405728: CharNextA.USER32(004054DA,?,C:\,00000000,0040578C,C:\,C:\,?,?,00000000,004054DA,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405736
                          • Part of subcall function 00405728: CharNextA.USER32(00000000), ref: 0040573B
                          • Part of subcall function 00405728: CharNextA.USER32(00000000), ref: 0040574A
                        • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,?,00000000,004054DA,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057C8
                        • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,00000000,004054DA,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057D8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                        • String ID: C:\
                        • API String ID: 3248276644-3404278061
                        • Opcode ID: 0125b7c87d70c91a3d1bb05a748c96933fea46ebfbf371231d4dae2570234416
                        • Instruction ID: ab519aa84a01e62adc0720e4bc647a0d22f88b68ea54c21d3d29417989d01369
                        • Opcode Fuzzy Hash: 0125b7c87d70c91a3d1bb05a748c96933fea46ebfbf371231d4dae2570234416
                        • Instruction Fuzzy Hash: 5BF02D29105E5056D622333A1C05A9F1B54CE83364F58453FF854B32D2CB3C8943EDBE

                        Control-flow Graph: function at 4024d4 (graph rendering omitted)
                        APIs
                        • lstrlenA.KERNEL32(00000000,00000011), ref: 004024F2
                        • WriteFile.KERNELBASE(00000000,?,</Configuration>,00000000,?,?,00000000,00000011), ref: 00402511
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: FileWritelstrlen
                        • String ID: </Configuration>
                        • API String ID: 427699356-1902278294
                        • Opcode ID: d5bad95f2dce5671a406481c891ccf3fd407b53e42e5be7fe4c3933360a00f69
                        • Instruction ID: 4d0466e2475190dcbeea98c473c6ee3349c22a30d2c03acad583e8792e536618
                        • Opcode Fuzzy Hash: d5bad95f2dce5671a406481c891ccf3fd407b53e42e5be7fe4c3933360a00f69
                        • Instruction Fuzzy Hash: FEF0E972A44244BFEB10FBB19E09EAB3668EB50309F14443BF142F51C2D6FC5541966E

                        Control-flow Graph (graph rendering not captured; blocks are marked Executed / Not Executed)
                        APIs
                        • FreeLibrary.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\,00000000,00000000,00403537,00403340,00000000), ref: 00403579
                        • GlobalFree.KERNEL32(?), ref: 00403580
                        Strings
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403571
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: Free$GlobalLibrary
                        • String ID: C:\Users\user\AppData\Local\Temp\
                        • API String ID: 1100898210-4083868402
                        • Opcode ID: 84b733c7cccae0041813714216a38e771799edba4f139ceaa0c0671ece6e2eb2
                        • Instruction ID: bfe74e10b2793f4584c914afcf2a54bd359ebf4cfcfa0dffde5489d6b194198f
                        • Opcode Fuzzy Hash: 84b733c7cccae0041813714216a38e771799edba4f139ceaa0c0671ece6e2eb2
                        • Instruction Fuzzy Hash: CCE08C32901030A7DA211F15BC0475ABB6C6B49B32F01456AE801772B083742D424BE8
                        APIs
                          • Part of subcall function 00404E8D: lstrlenA.KERNEL32(00429898,00000000,0041B668,755723A0,?,?,?,?,?,?,?,?,?,00402FCC,00000000,?), ref: 00404EC6
                          • Part of subcall function 00404E8D: lstrlenA.KERNEL32(00402FCC,00429898,00000000,0041B668,755723A0,?,?,?,?,?,?,?,?,?,00402FCC,00000000), ref: 00404ED6
                          • Part of subcall function 00404E8D: lstrcatA.KERNEL32(00429898,00402FCC,00402FCC,00429898,00000000,0041B668,755723A0), ref: 00404EE9
                          • Part of subcall function 00404E8D: SetWindowTextA.USER32(00429898,00429898), ref: 00404EFB
                          • Part of subcall function 00404E8D: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F21
                          • Part of subcall function 00404E8D: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F3B
                          • Part of subcall function 00404E8D: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F49
                          • Part of subcall function 00405401: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042C0C8,Error launching installer), ref: 00405426
                          • Part of subcall function 00405401: CloseHandle.KERNEL32(?), ref: 00405433
                        • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E55
                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00401E65
                        • CloseHandle.KERNELBASE(?,00000000,000000EB,00000000), ref: 00401E8A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                        • String ID:
                        • API String ID: 3521207402-0
                        • Opcode ID: d68f98ac8e38744ba939e22617bac7aaa5cb11f380749ed7858b53c7bb816bf7
                        • Instruction ID: 2a50f7c186f8d6ad55db8ec4cc548a4808b9981e8607132828513abc09ff4306
                        • Opcode Fuzzy Hash: d68f98ac8e38744ba939e22617bac7aaa5cb11f380749ed7858b53c7bb816bf7
                        • Instruction Fuzzy Hash: 2A016931D04114EBDF21AFA1CD85A9E7B71EF00358F24813BF905B61E1C7B94A81DB9A
                        APIs
                          • Part of subcall function 00402B16: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B3E
                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040246B
                        • RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 0040247E
                        • RegCloseKey.KERNELBASE(?,?,?,x86,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 00402493
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: Enum$CloseOpenValue
                        • String ID:
                        • API String ID: 167947723-0
                        • Opcode ID: 9059d86cf81a706e988a2d34e63008befaacff04cf89154df2823c6b0fae89b0
                        • Instruction ID: 0436b5c36fc11333dc6c1986eb2478c5361501407abe92e574cee402a10fd4cf
                        • Opcode Fuzzy Hash: 9059d86cf81a706e988a2d34e63008befaacff04cf89154df2823c6b0fae89b0
                        • Instruction Fuzzy Hash: 5FF0D172A04100AFE7119F69DE8CEBF7A6CEF80384F10443FF905A61C0DAB85E41962A
                        APIs
                          • Part of subcall function 00402B16: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B3E
                        • RegQueryValueExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000033), ref: 004023F5
                        • RegCloseKey.KERNELBASE(?,?,?,x86,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 00402493
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID:
                        • API String ID: 3677997916-0
                        • Opcode ID: 6632ab43ea9f6647e6ea0bae6068a8dbf9e207ba5abe3097583afe54d5a32b78
                        • Instruction ID: ab9709d6ef51d30a3b8f92b6d7ba148acb7e2cbaa2af7126ed2a4c4473bc23a0
                        • Opcode Fuzzy Hash: 6632ab43ea9f6647e6ea0bae6068a8dbf9e207ba5abe3097583afe54d5a32b78
                        • Instruction Fuzzy Hash: F8116D31D05205EFDB21CFA4C6889AE7BB4EF50345B60847FE846B72C0D6B88A41DB1A
                        APIs
                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                        • SendMessageA.USER32(00000020,00000402,00000000), ref: 004013F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: MessageSend
                        • String ID:
                        • API String ID: 3850602802-0
                        • Opcode ID: 42849ed48d919fde42c0d44f840d19e9f7e342482cf35ba8d4f2414d886d90f9
                        • Instruction ID: 86a6a9173f7d20567c8ae2bb249fddc303668c970c82e3d032b9735ebafba260
                        • Opcode Fuzzy Hash: 42849ed48d919fde42c0d44f840d19e9f7e342482cf35ba8d4f2414d886d90f9
                        • Instruction Fuzzy Hash: B30128317242209BE7195B399C05B6A369CE714328F50853BF851F72F2DA78DC039B8D
                        APIs
                        • GetModuleHandleA.KERNEL32(?,?,00000000,00403179,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00405F3F
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00405F5A
                          • Part of subcall function 00405EC3: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405EDA
                          • Part of subcall function 00405EC3: wsprintfA.USER32 ref: 00405F13
                          • Part of subcall function 00405EC3: LoadLibraryA.KERNELBASE(?), ref: 00405F23
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                        • String ID:
                        • API String ID: 2547128583-0
                        • Opcode ID: 1ff86fa5640f02b1d9e100387d52f784ab4969e574a7c6b0b5bb7fb3ea5c422e
                        • Instruction ID: 5a94b1a02772503a3f00306f9b3f9683cc322e661ee482fd999d4dc3ca30496d
                        • Opcode Fuzzy Hash: 1ff86fa5640f02b1d9e100387d52f784ab4969e574a7c6b0b5bb7fb3ea5c422e
                        • Instruction Fuzzy Hash: 3AE0863260861176D6105B74AD0496B72A8DE8C7503054C7EF945F6190D738DC119AA9
                        APIs
                        • GetFileAttributesA.KERNELBASE(00000003,00402C78,C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe,80000000,00000003), ref: 0040587C
                        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040589E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: File$AttributesCreate
                        • String ID:
                        • API String ID: 415043291-0
                        • Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                        • Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
                        • Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                        • Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16
                        APIs
                        • CloseHandle.KERNEL32(FFFFFFFF,00403340,00000000), ref: 00403525
                        Strings
                        • C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\, xrefs: 00403539
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: CloseHandle
                        • String ID: C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\
                        • API String ID: 2962429428-1192553799
                        • Opcode ID: 8c26942ae0773f9dbc702252541389aaf768f8ffdabc22c98b52bd8a09ae71d5
                        • Instruction ID: d1a415a1e30e97e21d6e0245b321a96cd967b9cfe2038280d4bc5e0259fe27b2
                        • Opcode Fuzzy Hash: 8c26942ae0773f9dbc702252541389aaf768f8ffdabc22c98b52bd8a09ae71d5
                        • Instruction Fuzzy Hash: 3CC01230544A00A6C2647F7C9E0B6053A156740336FD04725B175B10F3C73C5A41552E
                        APIs
                        • GetFileAttributesA.KERNELBASE(?,00405664,?,?,?), ref: 0040585D
                        • SetFileAttributesA.KERNELBASE(?,00000000), ref: 0040586F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: AttributesFile
                        • String ID:
                        • API String ID: 3188754299-0
                        • Opcode ID: 074f941138e9f1df105fff9ec0b177d36ae7deb3ea45ba36f2ce8c3e98632dd9
                        • Instruction ID: 15299d6900fb3f0dcfcb805ba40550cd3d393431f2dda1ea0104ff8e742be84e
                        • Opcode Fuzzy Hash: 074f941138e9f1df105fff9ec0b177d36ae7deb3ea45ba36f2ce8c3e98632dd9
                        • Instruction Fuzzy Hash: 8AC04CB1808505BBD6016B35DF4DC1F7B66EB50321B108B35F569A01F0CB319C66DA1A
                        APIs
                        • CreateDirectoryA.KERNELBASE(?,00000000,00403100,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403299), ref: 004053D2
                        • GetLastError.KERNEL32 ref: 004053E0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: CreateDirectoryErrorLast
                        • String ID:
                        • API String ID: 1375471231-0
                        • Opcode ID: 62594c709cce2f5b8fb8ca5d54e7f3286412bfa0f130784d9dc04a2d264f0cc1
                        • Instruction ID: 0a32bba0594ce4c50c7d18531d00583a5fdebb7a5bad339d624f0ac39b1a71a3
                        • Opcode Fuzzy Hash: 62594c709cce2f5b8fb8ca5d54e7f3286412bfa0f130784d9dc04a2d264f0cc1
                        • Instruction Fuzzy Hash: B0C04C30A08501EBD6105B31AE49B177AE49B547C1F1045366506E41E0D7B49411D93E
                        APIs
                        • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B3E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: Open
                        • String ID:
                        • API String ID: 71445658-0
                        • Opcode ID: 211e70c79a7e2058b7926201b6c3b5b65685f3e03713ad28e82ad9a5dc87202e
                        • Instruction ID: 29a9aa9668de30d35440c68fe64837b711205a3cbe32e62e281f729c87ede6f5
                        • Opcode Fuzzy Hash: 211e70c79a7e2058b7926201b6c3b5b65685f3e03713ad28e82ad9a5dc87202e
                        • Instruction Fuzzy Hash: 0CE08676250108BFDB00EFE9DD87FD537ECA714710F008021B908D70D2CA74E5408B58
                        APIs
                        • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EC0,000000FF,00000004,00000000,00000000,00000000), ref: 004030AA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: FileRead
                        • String ID:
                        • API String ID: 2738559852-0
                        • Opcode ID: 0be395bbe571093c8e78859d05ee89954336de5599fe3087c5eab9dc4054fae4
                        • Instruction ID: fff8dc69d300bf088447089d7068fb6aaa903b2c1760e3ba56c5ad9840b64b03
                        • Opcode Fuzzy Hash: 0be395bbe571093c8e78859d05ee89954336de5599fe3087c5eab9dc4054fae4
                        • Instruction Fuzzy Hash: BAE08C32161118BBCF215E52EC00EE73B5CEB047A2F008033BA14E62A0D670EA14DBAA
                        APIs
                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DFF,000087E4), ref: 004030D3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: FilePointer
                        • String ID:
                        • API String ID: 973152223-0
                        • Opcode ID: 1fe8ad6970e23be315a08abdb90e0b058f57890677f29add635e0ec7003afc6f
                        • Instruction ID: 89776e93a0172b97a38fb7948c015c90ed7fb14eba3da05579cbd58eb2c2bcc6
                        • Opcode Fuzzy Hash: 1fe8ad6970e23be315a08abdb90e0b058f57890677f29add635e0ec7003afc6f
                        • Instruction Fuzzy Hash: 87B01271644200BFDB214F00DF06F057B61A794701F108030B744380F082712830EB1E
                        APIs
                        • GetDlgItem.USER32(?,00000403), ref: 0040502A
                        • GetDlgItem.USER32(?,000003EE), ref: 00405039
                        • GetClientRect.USER32(?,?), ref: 00405076
                        • GetSystemMetrics.USER32(00000015), ref: 0040507E
                        • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 0040509F
                        • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004050B0
                        • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 004050C3
                        • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 004050D1
                        • SendMessageA.USER32(?,00001024,00000000,?), ref: 004050E4
                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405106
                        • ShowWindow.USER32(?,00000008), ref: 0040511A
                        • GetDlgItem.USER32(?,000003EC), ref: 0040513B
                        • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040514B
                        • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405164
                        • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405170
                        • GetDlgItem.USER32(?,000003F8), ref: 00405048
                          • Part of subcall function 00403E92: SendMessageA.USER32(00000028,?,00000001,00403CC3), ref: 00403EA0
                        • GetDlgItem.USER32(?,000003EC), ref: 0040518D
                        • CreateThread.KERNEL32(00000000,00000000,Function_00004F5F,00000000), ref: 0040519B
                        • CloseHandle.KERNEL32(00000000), ref: 004051A2
                        • ShowWindow.USER32(00000000), ref: 004051C6
                        • ShowWindow.USER32(00000000,00000008), ref: 004051CB
                        • ShowWindow.USER32(00000008), ref: 00405212
                        • SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 00405244
                        • CreatePopupMenu.USER32 ref: 00405255
                        • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040526A
                        • GetWindowRect.USER32(00000000,?), ref: 0040527D
                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004052A1
                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052DC
                        • OpenClipboard.USER32(00000000), ref: 004052EC
                        • EmptyClipboard.USER32 ref: 004052F2
                        • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004052FB
                        • GlobalLock.KERNEL32(00000000), ref: 00405305
                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405319
                        • GlobalUnlock.KERNEL32(00000000), ref: 00405331
                        • SetClipboardData.USER32(00000001,00000000), ref: 0040533C
                        • CloseClipboard.USER32 ref: 00405342
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                        • String ID: {
                        • API String ID: 590372296-366298937
                        • Opcode ID: 24d5f79863eab039e00deff6ffcfe7a635ba4a893b6a7c8bad5bc7ec4ae7b328
                        • Instruction ID: 9773a58430cbfeecb670b401eb949321dafbae4239e93fa01985779c5be3160a
                        • Opcode Fuzzy Hash: 24d5f79863eab039e00deff6ffcfe7a635ba4a893b6a7c8bad5bc7ec4ae7b328
                        • Instruction Fuzzy Hash: ADA14A70900208BFDB11AFA1DC89AAE7F79FB08354F40853AFA04BA1A0C7755A51DF99
                        APIs
                        • GetDlgItem.USER32(?,000003F9), ref: 004047F3
                        • GetDlgItem.USER32(?,00000408), ref: 00404800
                        • GlobalAlloc.KERNEL32(00000040,00000001), ref: 0040484C
                        • LoadBitmapA.USER32(0000006E), ref: 0040485F
                        • SetWindowLongA.USER32(?,000000FC,00404DDD), ref: 00404879
                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040488D
                        • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004048A1
                        • SendMessageA.USER32(?,00001109,00000002), ref: 004048B6
                        • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004048C2
                        • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004048D4
                        • DeleteObject.GDI32(?), ref: 004048D9
                        • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404904
                        • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404910
                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 004049A5
                        • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004049D0
                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 004049E4
                        • GetWindowLongA.USER32(?,000000F0), ref: 00404A13
                        • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A21
                        • ShowWindow.USER32(?,00000005), ref: 00404A32
                        • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B35
                        • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404B9A
                        • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404BAF
                        • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404BD3
                        • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404BF9
                        • ImageList_Destroy.COMCTL32(?), ref: 00404C0E
                        • GlobalFree.KERNEL32(?), ref: 00404C1E
                        • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404C8E
                        • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404D37
                        • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D46
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00404D66
                        • ShowWindow.USER32(?,00000000), ref: 00404DB4
                        • GetDlgItem.USER32(?,000003FE), ref: 00404DBF
                        • ShowWindow.USER32(00000000), ref: 00404DC6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                        • String ID: $M$N
                        • API String ID: 1638840714-813528018
                        • Opcode ID: 71b8b6f4bffc85469490dd9785970581ca59a6eef214a627e944a707e06e44fc
                        • Instruction ID: 458a4472cc575749f24c7bcde6f1b2e9246033a2a8d3a9469834700d3721ba37
                        • Opcode Fuzzy Hash: 71b8b6f4bffc85469490dd9785970581ca59a6eef214a627e944a707e06e44fc
                        • Instruction Fuzzy Hash: E7028EB0A00209EFDB21DF55DD85AAE7BB5FB84314F10813AF610BA2E1C7799A41DF58
                        APIs
                        • GetDlgItem.USER32(?,000003FB), ref: 004042EA
                        • SetWindowTextA.USER32(00000000,?), ref: 00404314
                        • SHBrowseForFolderA.SHELL32(?,00429490,?), ref: 004043C5
                        • CoTaskMemFree.OLE32(00000000), ref: 004043D0
                        • lstrcmpiA.KERNEL32(</Configuration>,0042A0C0), ref: 00404402
                        • lstrcatA.KERNEL32(?,</Configuration>), ref: 0040440E
                        • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404420
                          • Part of subcall function 00405446: GetDlgItemTextA.USER32(?,?,00000400,00404457), ref: 00405459
                          • Part of subcall function 00405E03: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E8,C:\Users\user\AppData\Local\Temp\,00000000,00403299), ref: 00405E5B
                          • Part of subcall function 00405E03: CharNextA.USER32(?,?,?,00000000), ref: 00405E68
                          • Part of subcall function 00405E03: CharNextA.USER32(?,"C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E8,C:\Users\user\AppData\Local\Temp\,00000000,00403299), ref: 00405E6D
                          • Part of subcall function 00405E03: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E8,C:\Users\user\AppData\Local\Temp\,00000000,00403299), ref: 00405E7D
                        • GetDiskFreeSpaceA.KERNEL32(00429088,?,?,0000040F,?,00429088,00429088,?,00000001,00429088,?,?,000003FB,?), ref: 004044DE
                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044F9
                          • Part of subcall function 00404652: lstrlenA.KERNEL32(0042A0C0,0042A0C0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040456D,000000DF,00000000,00000400,?), ref: 004046F0
                          • Part of subcall function 00404652: wsprintfA.USER32 ref: 004046F8
                          • Part of subcall function 00404652: SetDlgItemTextA.USER32(?,0042A0C0), ref: 0040470B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                        • String ID: </Configuration>$A
                        • API String ID: 2624150263-798427816
                        • Opcode ID: f885f0f31c4282fba39027c95cf5d7278b52421c3caad3c2cc32003d823a0b3d
                        • Instruction ID: 25cf576a769d2d8a049a3aeadb65d5b4cdf4f75aeaeb5f9dd55cec19ee375662
                        • Opcode Fuzzy Hash: f885f0f31c4282fba39027c95cf5d7278b52421c3caad3c2cc32003d823a0b3d
                        • Instruction Fuzzy Hash: A6A170B1900218ABDB11AFA5DC41BAF77B8EF84315F10843BF611B62D1D77C9A418F69
                        APIs
                        • CoCreateInstance.OLE32(004074B8,?,00000001,004074A8,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402089
                        • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409458,00000400,?,00000001,004074A8,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402143
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWide
                        • String ID:
                        • API String ID: 123533781-0
                        • Opcode ID: 9cd38c93e9514926f0fd25b4c743f4f3ed3c9203e10925d1b0a20c61676522c7
                        • Instruction ID: 191a2b8eefbfb1bddfad8f8f84b6cbb7561eb223b9fb57f38d09f1a7a57a31e1
                        • Opcode Fuzzy Hash: 9cd38c93e9514926f0fd25b4c743f4f3ed3c9203e10925d1b0a20c61676522c7
                        • Instruction Fuzzy Hash: 39413075A00104BFDB00EFA4CD89E9E7BBAEF49364B20426AF505EB2D1CA799D41CB54
                        APIs
                        • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402663
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: FileFindFirst
                        • String ID:
                        • API String ID: 1974802433-0
                        • Opcode ID: 2763ce26546f3b779dc414c7a7642b955b86bca8a804f3be05f16b9dda1f0e86
                        • Instruction ID: 4742aed74e2d5c2fbc4c68297bab01de776a4a0a464f4ce0b78a7fb1d39a8d7e
                        • Opcode Fuzzy Hash: 2763ce26546f3b779dc414c7a7642b955b86bca8a804f3be05f16b9dda1f0e86
                        • Instruction Fuzzy Hash: DAF0A032608100ABD710E7B99989AEEB368AF11324F60467BE105F21C1DAB859459B6A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5a819559cac325912a5da870af16f2072e900c9bb0763f72fbb9437a3d348546
                        • Instruction ID: 430467d656314c7e37725f6accf0e98df37da47b2ee055c5ee71eb9d2680c55a
                        • Opcode Fuzzy Hash: 5a819559cac325912a5da870af16f2072e900c9bb0763f72fbb9437a3d348546
                        • Instruction Fuzzy Hash: 5BE18B71A00709DFDB24CF58D880BAABBF1FB45305F15852EE897A7291D738AA95CF04
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6271c98690b1cfc42e3136c50631b776cf05fd7e3b644bcdccc108723492fea8
                        • Instruction ID: 31e596356fdf544bef750598cd2398cea7ffcaa0c07f8aabd85cf97c85a13bdb
                        • Opcode Fuzzy Hash: 6271c98690b1cfc42e3136c50631b776cf05fd7e3b644bcdccc108723492fea8
                        • Instruction Fuzzy Hash: F6C14C71A00229CBDF14CF68D4905EEB7B2FF98314F26816AD856BB384D734A952CF94
                        APIs
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039C6
                        • ShowWindow.USER32(?), ref: 004039E3
                        • DestroyWindow.USER32 ref: 004039F7
                        • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A13
                        • GetDlgItem.USER32(?,?), ref: 00403A34
                        • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A48
                        • IsWindowEnabled.USER32(00000000), ref: 00403A4F
                        • GetDlgItem.USER32(?,00000001), ref: 00403AFD
                        • GetDlgItem.USER32(?,00000002), ref: 00403B07
                        • SetClassLongA.USER32(?,000000F2,?), ref: 00403B21
                        • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B72
                        • GetDlgItem.USER32(?,00000003), ref: 00403C18
                        • ShowWindow.USER32(00000000,?), ref: 00403C39
                        • EnableWindow.USER32(?,?), ref: 00403C4B
                        • EnableWindow.USER32(?,?), ref: 00403C66
                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C7C
                        • EnableMenuItem.USER32(00000000), ref: 00403C83
                        • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403C9B
                        • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403CAE
                        • lstrlenA.KERNEL32(0042A0C0,?,0042A0C0,Office C2R Update Setup), ref: 00403CD7
                        • SetWindowTextA.USER32(?,0042A0C0), ref: 00403CE6
                        • ShowWindow.USER32(?,0000000A), ref: 00403E1A
                        Strings
                        • Office C2R Update Setup, xrefs: 00403CC8
                        Similarity
                        • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                        • String ID: Office C2R Update Setup
                        • API String ID: 184305955-2634732830
                        • Opcode ID: 1e459521d90522915b7ecfcc4ffe9d1f6be81136fcbdd0795542fa10f0721686
                        • Instruction ID: 5f76212842cc3a2ea0064beba359403a4e9feef3dd5448b927816276c7a72de1
                        • Opcode Fuzzy Hash: 1e459521d90522915b7ecfcc4ffe9d1f6be81136fcbdd0795542fa10f0721686
                        • Instruction Fuzzy Hash: 1BC1D431604205ABDB216F62ED85D2B3EACFB49706F40053EF541B62E1C739A942DF6E
                        APIs
                        • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404030
                        • GetDlgItem.USER32(00000000,000003E8), ref: 00404044
                        • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404062
                        • GetSysColor.USER32(?), ref: 00404073
                        • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404082
                        • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404091
                        • lstrlenA.KERNEL32(?), ref: 0040409B
                        • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004040A9
                        • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004040B8
                        • GetDlgItem.USER32(?,0000040A), ref: 0040411B
                        • SendMessageA.USER32(00000000), ref: 0040411E
                        • GetDlgItem.USER32(?,000003E8), ref: 00404149
                        • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404189
                        • LoadCursorA.USER32(00000000,00007F02), ref: 00404198
                        • SetCursor.USER32(00000000), ref: 004041A1
                        • ShellExecuteA.SHELL32(0000070B,open,0042DBE0,00000000,00000000,00000001), ref: 004041B4
                        • LoadCursorA.USER32(00000000,00007F00), ref: 004041C1
                        • SetCursor.USER32(00000000), ref: 004041C4
                        • SendMessageA.USER32(00000111,00000001,00000000), ref: 004041F0
                        • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404204
                        Similarity
                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                        • String ID: </Configuration>$N$open$q?@
                        • API String ID: 3615053054-365902778
                        • Opcode ID: 43e4b1bebc352cc37ab134c8e21d344cf3974b6da0146347b86895c6f7b453af
                        • Instruction ID: 8cc316ab489d754ba064ab1d5a66df449127ca6112c148b2bdc2fdd16cb80ba7
                        • Opcode Fuzzy Hash: 43e4b1bebc352cc37ab134c8e21d344cf3974b6da0146347b86895c6f7b453af
                        • Instruction Fuzzy Hash: 9361DFB1A40209BFEB109F60CC45F6A3B68FB54745F10853AFB04BA2D1C7B8A951CF99
                        APIs
                        • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                        • BeginPaint.USER32(?,?), ref: 00401047
                        • GetClientRect.USER32(?,?), ref: 0040105B
                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                        • DeleteObject.GDI32(?), ref: 004010ED
                        • CreateFontIndirectA.GDI32(?), ref: 00401105
                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                        • SetTextColor.GDI32(00000000,?), ref: 00401130
                        • SelectObject.GDI32(00000000,?), ref: 00401140
                        • DrawTextA.USER32(00000000,Office C2R Update Setup,000000FF,00000010,00000820), ref: 00401156
                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                        • DeleteObject.GDI32(?), ref: 00401165
                        • EndPaint.USER32(?,?), ref: 0040116E
                        Similarity
                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                        • String ID: F$Office C2R Update Setup
                        • API String ID: 941294808-1094936751
                        • Opcode ID: 9ef4e76bf49e76a01cd413a5d017736c2cab636d92d5aa9aaf47e7e990c9ee05
                        • Instruction ID: 7d427dbe4d4bacd88da03279d54ab8fa369b0c74db3328ba00a5b4b95e7f032c
                        • Opcode Fuzzy Hash: 9ef4e76bf49e76a01cd413a5d017736c2cab636d92d5aa9aaf47e7e990c9ee05
                        • Instruction Fuzzy Hash: 0B41AC71804249AFCB058F95CD459BFBFB9FF44314F00802AF961AA2A0C738EA50DFA5
                        APIs
                          • Part of subcall function 00405F2D: GetModuleHandleA.KERNEL32(?,?,00000000,00403179,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00405F3F
                          • Part of subcall function 00405F2D: GetProcAddress.KERNEL32(00000000,?), ref: 00405F5A
                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000002,?,00000000,?,?,00405684,?,00000000,000000F1,?), ref: 0040593C
                        • GetShortPathNameA.KERNEL32(?,0042C250,00000400), ref: 00405945
                        • GetShortPathNameA.KERNEL32(00000000,0042BCC8,00000400), ref: 00405962
                        • wsprintfA.USER32 ref: 00405980
                        • GetFileSize.KERNEL32(00000000,00000000,0042BCC8,C0000000,00000004,0042BCC8,?,?,?,00000000,000000F1,?), ref: 004059BB
                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004059CA
                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004059E0
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B8C8,00000000,-0000000A,00409404,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405A26
                        • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405A38
                        • GlobalFree.KERNEL32(00000000), ref: 00405A3F
                        • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A46
                          • Part of subcall function 004057ED: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059FB,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057F4
                          • Part of subcall function 004057ED: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059FB,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405824
                        Similarity
                        • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
                        • String ID: %s=%s$[Rename]
                        • API String ID: 3445103937-1727408572
                        • Opcode ID: 98de3fece22c2c5f336e397123907592c69a454d308d27e656aae89801f4cebd
                        • Instruction ID: f45ed1bdfbf8c4b03de67142e423a5701368854c8b403738f0f2c648216b24c4
                        • Opcode Fuzzy Hash: 98de3fece22c2c5f336e397123907592c69a454d308d27e656aae89801f4cebd
                        • Instruction Fuzzy Hash: D741D471B05B157BD7206B619C89F6B3B5CDF85754F040136F905F62D2EA38E8018EAD
                        APIs
                        • GetVersion.KERNEL32(00000000,00429898,00000000,00404EC5,00429898,00000000), ref: 00405C6B
                        • GetSystemDirectoryA.KERNEL32(</Configuration>,00000400), ref: 00405CE6
                        • GetWindowsDirectoryA.KERNEL32(</Configuration>,00000400), ref: 00405CF9
                        • SHGetSpecialFolderLocation.SHELL32(?,0041B668), ref: 00405D35
                        • SHGetPathFromIDListA.SHELL32(0041B668,</Configuration>), ref: 00405D43
                        • CoTaskMemFree.OLE32(0041B668), ref: 00405D4E
                        • lstrcatA.KERNEL32(</Configuration>,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D70
                        • lstrlenA.KERNEL32(</Configuration>,00000000,00429898,00000000,00404EC5,00429898,00000000), ref: 00405DC2
                        Similarity
                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                        • String ID: </Configuration>$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                        • API String ID: 900638850-1915568039
                        • Opcode ID: 60f0a343def428824789f7b7b315240d083d7a63688ee54c3b9f77de7071f477
                        • Instruction ID: fa1e0b9f47c9474f0aa02006464afd466a30f7754b548aa089decd5b8df859b0
                        • Opcode Fuzzy Hash: 60f0a343def428824789f7b7b315240d083d7a63688ee54c3b9f77de7071f477
                        • Instruction Fuzzy Hash: B8512531A04A15ABEB205B698C88BBB3B64DF11314F54827BE511BA2D0D37C5942DF4E
                        APIs
                        • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E8,C:\Users\user\AppData\Local\Temp\,00000000,00403299), ref: 00405E5B
                        • CharNextA.USER32(?,?,?,00000000), ref: 00405E68
                        • CharNextA.USER32(?,"C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E8,C:\Users\user\AppData\Local\Temp\,00000000,00403299), ref: 00405E6D
                        • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E8,C:\Users\user\AppData\Local\Temp\,00000000,00403299), ref: 00405E7D
                        Similarity
                        • API ID: Char$Next$Prev
                        • String ID: "C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                        • API String ID: 589700163-791374128
                        • Opcode ID: 3b5f3268fa1fae19e58d0ad2ced72642c676bfd811e2c7a6988a98807c9a22ca
                        • Instruction ID: 8c0debaa59703488c7458a94fa91a8896e4240cf3d31b331365b77cfd974a1c9
                        • Opcode Fuzzy Hash: 3b5f3268fa1fae19e58d0ad2ced72642c676bfd811e2c7a6988a98807c9a22ca
                        • Instruction Fuzzy Hash: 4E11B671804A912DEB3217289C44B777FC8CB66790F18447BD4D5723C2D67C5D428AAD
                        APIs
                        • GetWindowLongA.USER32(?,000000EB), ref: 00403EE1
                        • GetSysColor.USER32(00000000), ref: 00403EFD
                        • SetTextColor.GDI32(?,00000000), ref: 00403F09
                        • SetBkMode.GDI32(?,?), ref: 00403F15
                        • GetSysColor.USER32(?), ref: 00403F28
                        • SetBkColor.GDI32(?,?), ref: 00403F38
                        • DeleteObject.GDI32(?), ref: 00403F52
                        • CreateBrushIndirect.GDI32(?), ref: 00403F5C
                        Similarity
                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                        • String ID:
                        • API String ID: 2320649405-0
                        • Opcode ID: 244050047767258f024cc5d970fbc24e44c9485df9f09a7a1d92820c249c5868
                        • Instruction ID: 0d89a351d513fb24bb3d4bb4099581c898fc75933690e96f4850fc1bb23eeaf2
                        • Opcode Fuzzy Hash: 244050047767258f024cc5d970fbc24e44c9485df9f09a7a1d92820c249c5868
                        • Instruction Fuzzy Hash: 91214271904745ABCB219F78DD08B4B7FF8AF05715B048629F995A22E0D734E9048B65
                        APIs
                        • GlobalAlloc.KERNEL32(00000040,00008800,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004026E6
                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402702
                        • GlobalFree.KERNEL32(?), ref: 0040273B
                        • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,000000F0), ref: 0040274D
                        • GlobalFree.KERNEL32(00000000), ref: 00402754
                        • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040276C
                        • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402780
                        Similarity
                        • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                        • String ID:
                        • API String ID: 3294113728-0
                        • Opcode ID: 9c2b519bab710da34c4f93b0ba9d6d86cd7c01b4cb3bb32b5413ac78432567f7
                        • Instruction ID: 5b53ae4c2b613e87b8af51cb2b1d5881ebc53a54f05e9f53cd44442d287e2222
                        • Opcode Fuzzy Hash: 9c2b519bab710da34c4f93b0ba9d6d86cd7c01b4cb3bb32b5413ac78432567f7
                        • Instruction Fuzzy Hash: 3131A971C00128BBCF216FA5CE88DAE7F79EF05364F10423AF920762E1C67949408FA9
                        APIs
                        • lstrlenA.KERNEL32(00429898,00000000,0041B668,755723A0,?,?,?,?,?,?,?,?,?,00402FCC,00000000,?), ref: 00404EC6
                        • lstrlenA.KERNEL32(00402FCC,00429898,00000000,0041B668,755723A0,?,?,?,?,?,?,?,?,?,00402FCC,00000000), ref: 00404ED6
                        • lstrcatA.KERNEL32(00429898,00402FCC,00402FCC,00429898,00000000,0041B668,755723A0), ref: 00404EE9
                        • SetWindowTextA.USER32(00429898,00429898), ref: 00404EFB
                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F21
                        • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F3B
                        • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F49
                        Similarity
                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                        • String ID:
                        • API String ID: 2531174081-0
                        • Opcode ID: 608088ad9ffc8be51c5c0cf58f275dda30e696d1ba06748ac5dda82a5f93996a
                        • Instruction ID: d5e3cfdbeb95b60488c6f1e99959168c2d2eab17d02c72d4f5409838ea1ae410
                        • Opcode Fuzzy Hash: 608088ad9ffc8be51c5c0cf58f275dda30e696d1ba06748ac5dda82a5f93996a
                        • Instruction Fuzzy Hash: 2C21CF71900119BBDF11AFA5CD849DEBFB9EF45354F04807AF608B6290C779AE408FA8
                        APIs
                        • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404777
                        • GetMessagePos.USER32 ref: 0040477F
                        • ScreenToClient.USER32(?,?), ref: 00404799
                        • SendMessageA.USER32(?,00001111,00000000,?), ref: 004047AB
                        • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047D1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: Message$Send$ClientScreen
                        • String ID: f
                        • API String ID: 41195575-1993550816
                        • Opcode ID: b999d07b324019c2219c33d3107ce818a81de0efbbfc0766a2ac4245d0efef5f
                        • Instruction ID: 1287270e3ce35f4bc81f554f3193770291cde8f8b01dc106229a8c11fbd36195
                        • Opcode Fuzzy Hash: b999d07b324019c2219c33d3107ce818a81de0efbbfc0766a2ac4245d0efef5f
                        • Instruction Fuzzy Hash: 99014071D00219BADB01DBA4DD85FFEBBFCAB59711F10412BBA10B72C0D7B465018BA5
                        APIs
                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B6C
                        • MulDiv.KERNEL32(0001EA76,00000064,0001EA7A), ref: 00402B97
                        • wsprintfA.USER32 ref: 00402BA7
                        • SetWindowTextA.USER32(?,?), ref: 00402BB7
                        • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BC9
                        Strings
                        • verifying installer: %d%%, xrefs: 00402BA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: Text$ItemTimerWindowwsprintf
                        • String ID: verifying installer: %d%%
                        • API String ID: 1451636040-82062127
                        • Opcode ID: f4b40b60170e557e8e64fd1007bdae5203f411c8eb827d09f08439ceb1717922
                        • Instruction ID: 170251b52dccb1bc1045efc101099eb7df8550efa5a7238432f4f3ca5a85e13a
                        • Opcode Fuzzy Hash: f4b40b60170e557e8e64fd1007bdae5203f411c8eb827d09f08439ceb1717922
                        • Instruction Fuzzy Hash: C501F470644209BBDB209F61DD49EED3779AB44305F008039FA06B52D0D7B599558F95
                        APIs
                        • CreateDirectoryA.KERNEL32(?,?,00000000), ref: 00405392
                        • GetLastError.KERNEL32 ref: 004053A6
                        • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004053BB
                        • GetLastError.KERNEL32 ref: 004053C5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                        • String ID: C:\Users\user\Desktop
                        • API String ID: 3449924974-1876063424
                        • Opcode ID: 1936ad7c03f2b7d8793bf3b54e92df8b677be00562b78ee6b782fceed01fa342
                        • Instruction ID: 0f194ad754f8d2153fe6bade7a67ae4222ab15fc701b17716cfd16251ec2b406
                        • Opcode Fuzzy Hash: 1936ad7c03f2b7d8793bf3b54e92df8b677be00562b78ee6b782fceed01fa342
                        • Instruction Fuzzy Hash: C5010871D04259EBEF119BA0D904BEFBFB8EF04354F00457AE905B6180D3B89614CFAA
                        APIs
                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000100,?), ref: 00402A6D
                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AA9
                        • RegCloseKey.ADVAPI32(?), ref: 00402AB2
                        • RegCloseKey.ADVAPI32(?), ref: 00402AD7
                        • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AF5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: Close$DeleteEnumOpen
                        • String ID:
                        • API String ID: 1912718029-0
                        • Opcode ID: 87ccbfffecd7de7467de5c73c2002d88ab1ef4389744f866cc51cf150fc0b97d
                        • Instruction ID: aab1c47b15b7d7dbd0304e6a384de86cdfdd1b9a1951722987da620561d60ced
                        • Opcode Fuzzy Hash: 87ccbfffecd7de7467de5c73c2002d88ab1ef4389744f866cc51cf150fc0b97d
                        • Instruction Fuzzy Hash: 45117F71A00009FFDF219F91DE49DAF3B69EB14394B004076FA06F00A0DBB49E52AF69
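                         The three entries above (CreateDirectoryA followed by SetFileSecurityA, the RegOpenKeyExA / RegEnumKeyA / RegDeleteKeyA loop, and the SetTimer / MulDiv / wsprintfA routine carrying the string "verifying installer: %d%%") are easier to reason about as ordered API sequences than as isolated call lists. The Python script below is an added example written by the editor; it is not Joe Sandbox tooling and not part of this report. It parses lines in the report's own "APIs" / "Strings" format into per-function call sequences, applies three ordered-sequence rules derived from those entries, and decodes the SetFileSecurityA SECURITY_INFORMATION argument (80000007) into its winnt.h flag names. The input block is constructed from lines copied from this page; the rule wording, the flag-name table and the reading of the "verifying installer" routine as the installer stub's integrity-check dialog are the editor's assumptions, not statements made by the report.

```python
"""Turn the per-function "APIs" / "Strings" entries of a sandbox report into
ordered API sequences and flag the ones worth a closer look.

Added example (editor's code, not Joe Sandbox tooling). Line formats follow
the entries on this page; the rules and flag names are the editor's.
"""
import re

# Constructed input: lines copied from three function entries on this page.
# Each "APIs" header starts a new function; "Strings" lists its string xrefs.
REPORT_TEXT = """\
APIs
• CreateDirectoryA.KERNEL32(?,?,00000000), ref: 00405392
• GetLastError.KERNEL32 ref: 004053A6
• SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004053BB
• GetLastError.KERNEL32 ref: 004053C5
Strings
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000100,?), ref: 00402A6D
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AA9
• RegCloseKey.ADVAPI32(?), ref: 00402AB2
• RegCloseKey.ADVAPI32(?), ref: 00402AD7
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AF5
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B6C
• MulDiv.KERNEL32(0001EA76,00000064,0001EA7A), ref: 00402B97
• wsprintfA.USER32 ref: 00402BA7
Strings
• verifying installer: %d%%, xrefs: 00402BA1
"""

# "• Api.MODULE(arg,arg), ref: ADDR" or "• Api.MODULE ref: ADDR"
API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
# "• some text, xrefs: ADDR"
STR_RE = re.compile(r"^•\s*(?P<text>.*),\s*xrefs:\s*(?P<ref>[0-9A-Fa-f]{8})$")

# SECURITY_INFORMATION bits from winnt.h, for SetFileSecurityA's 2nd argument.
SECURITY_INFORMATION = {
    0x00000001: "OWNER_SECURITY_INFORMATION",
    0x00000002: "GROUP_SECURITY_INFORMATION",
    0x00000004: "DACL_SECURITY_INFORMATION",
    0x00000008: "SACL_SECURITY_INFORMATION",
    0x80000000: "PROTECTED_DACL_SECURITY_INFORMATION",
}


def parse_functions(text):
    """Split report text into functions:
    {"calls": [(api, module, args, ref)], "strings": [(text, ref)]}."""
    functions, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            functions.append({"calls": [], "strings": []})
            section = "apis"
        elif line == "Strings":
            section = "strings"
        elif functions and section == "apis" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            functions[-1]["calls"].append((m["api"], m["module"], args, m["ref"]))
        elif functions and section == "strings" and (m := STR_RE.match(line)):
            functions[-1]["strings"].append((m["text"], m["ref"]))
    return functions


def decode_security_information(word):
    """Name the SECURITY_INFORMATION bits set in `word` (e.g. 0x80000007)."""
    names = [name for bit, name in SECURITY_INFORMATION.items() if word & bit]
    unknown = word & ~sum(SECURITY_INFORMATION)
    if unknown:
        names.append(f"unknown:0x{unknown:08X}")
    return names


def in_order(apis, *wanted):
    """True when every name in `wanted` occurs in `apis`, in that order."""
    pos = 0
    for name in wanted:
        if name not in apis[pos:]:
            return False
        pos = apis.index(name, pos) + 1
    return True


def triage(functions):
    """Return (first_call_site, description) for each rule a function matches."""
    findings = []
    for fn in functions:
        if not fn["calls"]:
            continue
        site = fn["calls"][0][3]
        apis = [call[0] for call in fn["calls"]]
        # Rule 1: enumerate-then-delete is the shape of a recursive key wipe.
        if in_order(apis, "RegOpenKeyExA", "RegEnumKeyA", "RegDeleteKeyA"):
            findings.append((site, "recursive registry key deletion "
                                   "(RegEnumKeyA loop feeding RegDeleteKeyA)"))
        # Rule 2: a freshly created directory given an explicit descriptor;
        # a protected DACL cuts off inheritance from the parent directory.
        if in_order(apis, "CreateDirectoryA", "SetFileSecurityA"):
            for api, _module, args, _ref in fn["calls"]:
                if api == "SetFileSecurityA" and len(args) > 1 and args[1] != "?":
                    bits = decode_security_information(int(args[1], 16))
                    findings.append((site, "new directory gets an explicit "
                                           "security descriptor: " + "|".join(bits)))
        # Rule 3: the installer's own integrity-check progress dialog.
        if any("verifying installer" in text for text, _ in fn["strings"]):
            findings.append((site, "installer self-check progress UI "
                                   "(SetTimer-driven percentage via MulDiv)"))
    return findings


if __name__ == "__main__":
    for site, what in triage(parse_functions(REPORT_TEXT)):
        print(f"{site}: {what}")
```

                         Run directly, the script prints one line per finding keyed by the function's first call site. On the three constructed entries it reports the recursive key deletion at 00402A6D, a directory created at 00405392 whose descriptor carries OWNER, GROUP and DACL information with the DACL marked protected, and the self-check dialog at 00402B6C. To apply it to the rest of the report, paste further "APIs" / "Strings" entries into REPORT_TEXT and extend the rule list in triage.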
                        APIs
                        • GetDlgItem.USER32(?), ref: 00401CC5
                        • GetClientRect.USER32(00000000,?), ref: 00401CD2
                        • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
                        • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
                        • DeleteObject.GDI32(00000000), ref: 00401D10
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                        • String ID:
                        • API String ID: 1849352358-0
                        • Opcode ID: d57a35d3acf3fa23ca7f0a134e80dd3675420cc32dfd3ff3ad18b5652a4ae456
                        • Instruction ID: 0b6a49845d72fa48a9a579b1019c06f6c105053db178aa5042bb0eadc5b1df39
                        • Opcode Fuzzy Hash: d57a35d3acf3fa23ca7f0a134e80dd3675420cc32dfd3ff3ad18b5652a4ae456
                        • Instruction Fuzzy Hash: 2DF0EC72A04114AFEB00EBA4DD88DAFB77CFB44305B044536F501F6191C678AD419B79
                        APIs
                        • lstrlenA.KERNEL32(0042A0C0,0042A0C0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040456D,000000DF,00000000,00000400,?), ref: 004046F0
                        • wsprintfA.USER32 ref: 004046F8
                        • SetDlgItemTextA.USER32(?,0042A0C0), ref: 0040470B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: ItemTextlstrlenwsprintf
                        • String ID: %u.%u%s%s
                        • API String ID: 3540041739-3551169577
                        • Opcode ID: d983c73ecadd4704cc9d524db0130b413f0ba163b4f455c9b7d3e0c477023978
                        • Instruction ID: cfc8e6c3a4af003209a53fcdfac8cba24e816d3e629d82a7997265ded69b8fd0
                        • Opcode Fuzzy Hash: d983c73ecadd4704cc9d524db0130b413f0ba163b4f455c9b7d3e0c477023978
                        • Instruction Fuzzy Hash: A0112773A0412827EB0065699C45EAF3298DB86334F254637FE25F71D1E9799C1285EC
                        APIs
                        • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                        • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: MessageSend$Timeout
                        • String ID: !
                        • API String ID: 1777923405-2657877971
                        • Opcode ID: e392da7139347f63c408211002f75456f017542e4151f627b34d3607e76d39d5
                        • Instruction ID: e2d4d96ca7e059e12ef29128c845d67dbcf5a6688523181a8ec59df7cc8b106d
                        • Opcode Fuzzy Hash: e392da7139347f63c408211002f75456f017542e4151f627b34d3607e76d39d5
                        • Instruction Fuzzy Hash: B021A171A44208BFEF01AFB5CD8AAAE7B75EF44344F14407AF501BA1D1D6B88A40DB29
                        APIs
                        • SetWindowTextA.USER32(00000000,Office C2R Update Setup), ref: 00403955
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: TextWindow
                        • String ID: "C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe"$1033$Office C2R Update Setup
                        • API String ID: 530164218-3598681501
                        • Opcode ID: 955c230c1abd7d31e01fa39c2c33e1942ba3e2693a8a1108e72f80aea9af70c5
                        • Instruction ID: 93100a74eb761491cad5589d5ba72450eee8ba09b7e289b8bdcf135b4c9a781b
                        • Opcode Fuzzy Hash: 955c230c1abd7d31e01fa39c2c33e1942ba3e2693a8a1108e72f80aea9af70c5
                        • Instruction Fuzzy Hash: A611F071B006108BC730EF56DC80A773BACEB85715368813BA801A73A0CA39AD028B9C
                        APIs
                        • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030FA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403299), ref: 0040569A
                        • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030FA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403299), ref: 004056A3
                        • lstrcatA.KERNEL32(?,00409010), ref: 004056B4
                        Strings
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405694
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: CharPrevlstrcatlstrlen
                        • String ID: C:\Users\user\AppData\Local\Temp\
                        • API String ID: 2659869361-4083868402
                        • Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
                        • Instruction ID: 3169b85a74bfaa55460b422d3e3fbca7e168afda588c61a1877893bbaf19970e
                        • Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
                        • Instruction Fuzzy Hash: 25D0A972606A302EE20226158C05F8B3A28CF52301B0448A2F640B22D2C7BC7E818FFE
                        APIs
                        • CharNextA.USER32(004054DA,?,C:\,00000000,0040578C,C:\,C:\,?,?,00000000,004054DA,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405736
                        • CharNextA.USER32(00000000), ref: 0040573B
                        • CharNextA.USER32(00000000), ref: 0040574A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: CharNext
                        • String ID: C:\
                        • API String ID: 3213498283-3404278061
                        • Opcode ID: 2a9caa78ea5ad24ed31709241e3ad5854e0d2865484118cf7a19592bf420cc00
                        • Instruction ID: a054648e037d2dc9b414c06332908f1e3c0a092ae6d4a81e5674b26f1e0c7c07
                        • Opcode Fuzzy Hash: 2a9caa78ea5ad24ed31709241e3ad5854e0d2865484118cf7a19592bf420cc00
                        • Instruction Fuzzy Hash: B2F02751E00B609AE73232740C44B2B579CEB54720F184433E101B71D087BC4C82AFAA
                        APIs
                        • GetDC.USER32(?), ref: 00401D22
                        • GetDeviceCaps.GDI32(00000000), ref: 00401D29
                        • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
                        • CreateFontIndirectA.GDI32(0040B064), ref: 00401D8A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: CapsCreateDeviceFontIndirect
                        • String ID:
                        • API String ID: 3272661963-0
                        • Opcode ID: accc13d48f6054b699412ffc7b69af88873056f9434b3b193c5cf8f27c425f12
                        • Instruction ID: 5e6b0a242ffc9277152ed6cf63edc70abaf129c53bcded44f01e7363494148ce
                        • Opcode Fuzzy Hash: accc13d48f6054b699412ffc7b69af88873056f9434b3b193c5cf8f27c425f12
                        • Instruction Fuzzy Hash: 0BF04471E89240AEE7016770AF1AB9B7F64D715305F104475F651B62E2C77914048BAE
                        APIs
                        • DestroyWindow.USER32(00000000,00000000,00402DB4,00000001), ref: 00402BE7
                        • GetTickCount.KERNEL32 ref: 00402C05
                        • CreateDialogParamA.USER32(0000006F,00000000,00402B51,00000000), ref: 00402C22
                        • ShowWindow.USER32(00000000,00000005), ref: 00402C30
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Similarity
                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                        • String ID:
                        • API String ID: 2102729457-0
                        • Opcode ID: b254695f6d3024de6991e78bd902d51a9eabd2695cbf76f56ec73d281620ca3d
                        • Instruction ID: fe7f2a60441318f0c2a90f6d59b101c1e11520174a0dcb1e75ef42172c75ba50
                        • Opcode Fuzzy Hash: b254695f6d3024de6991e78bd902d51a9eabd2695cbf76f56ec73d281620ca3d
                        • Instruction Fuzzy Hash: 7FF05470A0D121ABD6746F55FE8CD8B7BA4F744B017540576F000B11A4DA785882CFAD
                        APIs
                        • IsWindowVisible.USER32(?), ref: 00404E13
                        • CallWindowProcA.USER32(?,00000200,?,?), ref: 00404E81
                          • Part of subcall function 00403EA9: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403EBB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: Window$CallMessageProcSendVisible
                        • String ID:
                        • API String ID: 3748168415-3916222277
                        • Opcode ID: 284444f2568d96eb5f499d391233f43a2f88d41ae364e0567807da02f849ec1b
                        • Instruction ID: 765017f4a7fe1763b93213a0743e5224a7b8bf10e0e2635d7465f91e9f3f1348
                        • Opcode Fuzzy Hash: 284444f2568d96eb5f499d391233f43a2f88d41ae364e0567807da02f849ec1b
                        • Instruction Fuzzy Hash: C5116D71500218BFDF215F51DC81E9B7669BB84365F00803AFA08792A1C37C49518BEE
                        APIs
                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042C0C8,Error launching installer), ref: 00405426
                        • CloseHandle.KERNEL32(?), ref: 00405433
                        Strings
                        • Error launching installer, xrefs: 00405414
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: CloseCreateHandleProcess
                        • String ID: Error launching installer
                        • API String ID: 3712363035-66219284
                        • Opcode ID: 0925aebfc32c6642fbbb941080814cd4d7ece6f22c8f43fc911f16656fd02ce2
                        • Instruction ID: 8ba2d39aa234bef1b68f753dd4085f5a0355ab0b72bc814b33162f1b9dafcc5c
                        • Opcode Fuzzy Hash: 0925aebfc32c6642fbbb941080814cd4d7ece6f22c8f43fc911f16656fd02ce2
                        • Instruction Fuzzy Hash: 40E0E675A00209ABDB109FA4DC45A6F7B7CFF10305B404521E914F3151D774D5148A6D
                        APIs
                        • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CA4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe,C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe,80000000,00000003), ref: 004056E1
                        • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CA4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe,C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe,80000000,00000003), ref: 004056EF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: CharPrevlstrlen
                        • String ID: C:\Users\user\Desktop
                        • API String ID: 2709904686-1876063424
                        • Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                        • Instruction ID: 3f11d7040b39dee88ccc87d096f3af91d58a3172f7b65643d8c2c66232cec6f3
                        • Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                        • Instruction Fuzzy Hash: ADD0A76280ADB01EF30352108C04B8F7A58CF13300F0948A2E040A21D1C6B85C418FFD
                        APIs
                        • lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059FB,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057F4
                        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040580D
                        • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 0040581B
                        • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059FB,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405824
                        Memory Dump Source
                        • Source File: 00000000.00000002.1417071466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1416976336.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417086329.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417099944.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1417205626.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_V2-Office-C2R-Update-16.jbxd
                        Similarity
                        • API ID: lstrlen$CharNextlstrcmpi
                        • String ID:
                        • API String ID: 190613189-0
                        • Opcode ID: b9005c049e247e33e5549b3e141599c62d2a38fed0f6fd2d3c1464f89547bebd
                        • Instruction ID: 9d1965df737bf6a3caf75c2c412474092f11d9bf319c7f7f540ae1764f3f27e9
                        • Opcode Fuzzy Hash: b9005c049e247e33e5549b3e141599c62d2a38fed0f6fd2d3c1464f89547bebd
                        • Instruction Fuzzy Hash: 69F0A737209D51ABD202AB255C04D6B7FA4EF91314B14447AF840F2280D779A925DBBB