Edit tour

Windows Analysis Report
SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Overview

General Information

Sample name:	SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
Analysis ID:	1430577
MD5:	a3bd864b819f0dc53482b5e06ffef509
SHA1:	9a2594c8af8a053d698c1d96bf828286846cc066
SHA256:	a7b222438781b93d33725b049c45112df2f76e267af62406098613e635dc3c31
Tags:	exe
Infos:

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	47
Range:	0 - 100

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64

SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe (PID: 5840 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe" MD5: A3BD864B819F0DC53482B5E06FFEF509)

setup.exe (PID: 5424 cmdline: .\setup.exe MD5: 51F4C23DB5D7F30E4F2B50AED1851339)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Compliance

Uses 32bit PE files

Source: SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\license.txt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\Readme.txt			Jump to behavior

PE / OLE file has a valid certificate

Source: SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Source:	Binary string: X:\zoc\v5\showem\showem.pdb source: showem.dll.2.dr
Source:	Binary string: X:\zoc\v5\devmodem\devmodem.pdb source: devmodem.dll.2.dr
Source:	Binary string: X:\zoc\v5\devssh\sshdll\sshdll.pdb source: sshdll.dll.2.dr
Source:	Binary string: X:\zoc\v5\devtlnet\devtlnet.pdb source: devtlnet.dll.2.dr
Source:	Binary string: X:\zoc\v5\devrcmd\devrcmd.pdb source: devrcmd.dll.2.dr
Source:	Binary string: w:\setup\sfxmake\Release\sfxmakeheader.pdb source: SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
Source:	Binary string: X:\zoc\v5\devisdn2\devisdn2.pdb source: devisdn2.dll.2.dr
Source:	Binary string: X:\zoc\v5\emuqnx\emuqnx.pdb source: emuqnx.dll.2.dr
Source:	Binary string: X:\ZOC\V5\zocdll.pdb source: setup.exe, 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmp, zocdll.dll.2.dr
Source:	Binary string: X:\ZOC\V5\zocdll.pdb3 source: setup.exe, 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmp
Source:	Binary string: X:\zoc\v5\devnpipe\devnpipe.pdb source: devnpipe.dll.2.dr
Source:	Binary string: X:\ZOC\V5\phimport\phimport.pdb source: phimport.dll.2.dr
Source:	Binary string: X:\zoc\v5\emuansi\emuansi.pdb source: emuansi.dll.2.dr
Source:	Binary string: X:\zoc\v5\emuvt\emuvt.pdb source: emuvt.dll.2.dr
Source:	Binary string: X:\zoc\v5\xfrsealink\xfrsealink.pdb source: xfrsealink.dll.2.dr
Source:	Binary string: w:\setup\release\setup.pdb source: setup.exe
Source:	Binary string: X:\zoc\v5\emu5250\emu5250.pdb source: emu5250.dll.2.dr
Source:	Binary string: X:\zoc\v5\emu3270\emu3270.pdb source: emu3270.dll.2.dr
Source:	Binary string: X:\zoc\v5\xfrxyz\xfrxyz.pdb source: xfrxyz.dll.2.dr
Source:	Binary string: X:\zoc\v5\xfrkerm\xfrkerm.pdb source: xfrkerm.dll.2.dr
Source:	Binary string: X:\zoc\v5\emutty\emutty.pdb source: emutty.dll.2.dr
Source:	Binary string: X:\zoc\v5\devssh\devssh.pdb source: devssh.dll.2.dr
Source:	Binary string: X:\zoc\v5\osys\osyswin.pdb source: osyswin.dll.2.dr
Source:	Binary string: X:\zoc\v5\emuwyse\emuwyse.pdb source: emuwyse.dll.2.dr
Source:	Binary string: w:\setup\Release\order.pdb source: order.exe.2.dr
Source:	Binary string: X:\zoc\v5\devtapi\devtapi.pdb source: devtapi.dll.2.dr

Spreading

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_004381D7 __getdrive,FindFirstFileA,_strlen,_IsRootUNCName,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	2_2_004381D7
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_004311A5 _malloc,_strlen,_malloc,_strcat,FindFirstFileA,_strcat,	2_2_004311A5
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00436D80 __getdrive,FindFirstFileA,_strlen,_IsRootUNCName,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	2_2_00436D80
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00411C5B __EH_prolog3,_calloc,FindFirstFileA,	2_2_00411C5B

Networking

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe

Code function: 2_2_00421CF7 recv,

2_2_00421CF7

Source: setup.exe	String found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl0
Source: setup.exe	String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: setup.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: The REXX Language (3rd Party Tutorial).url.2.dr	String found in binary or memory: http://www.borg.com/~jglatt/rexx/scripts/language/language.htm
Source: Introduction to REXX.PDF.2.dr	String found in binary or memory: http://www.borg.com/~jglatt/rexx/scripts/language/language.htm.)
Source: setup.cfg, setup.exe, setupenglish.dll	String found in binary or memory: http://www.emtec.com
Source: setup.exe, 00000002.00000003.2307631408.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, Homepage EmTec.URL.2.dr	String found in binary or memory: http://www.emtec.com/
Source: Readme.txt.2.dr	String found in binary or memory: http://www.emtec.com/common/contact.html
Source: order.exe.2.dr	String found in binary or memory: http://www.emtec.com/common/order.htm
Source: order.exe.2.dr	String found in binary or memory: http://www.emtec.com/common/order.html
Source: order.exe.2.dr	String found in binary or memory: http://www.emtec.com/common/order.htmlhttp://www.emtec.com/common/order.htm
Source: Readme.txt.2.dr	String found in binary or memory: http://www.emtec.com/common/support.html
Source: advertise_pyrotrans.cfg	String found in binary or memory: http://www.emtec.com/pyrotrans/index.htm
Source: setup.exe, 00000002.00000002.3264393540.0000000001FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.emtec.com/pyrotrans/index.htmS
Source: advertise_pyrotrans.cfg	String found in binary or memory: http://www.emtec.com/pyrotrans/index.html
Source: setup.exe, 00000002.00000002.3264059138.000000000066B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.emtec.com/pyrotrans/index.html.1
Source: setup.exe, 00000002.00000002.3264059138.000000000066B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.emtec.com/pyrotrans/index.htmlV
Source: setup.exe, 00000002.00000002.3264474052.0000000002350000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.emtec.com/pyrotrans/index.htmlnn
Source: setup.exe, 00000002.00000002.3264059138.000000000066B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.emtec.com/pyrotrans/index.htmls
Source: setup.cfg	String found in binary or memory: http://www.emtec.com/zoc/index.htm
Source: setup.cfg	String found in binary or memory: http://www.emtec.com/zoc/index.html
Source: Register.txt.2.dr	String found in binary or memory: http://www.emtec.com/zoc/order.html
Source: setup.exe	String found in binary or memory: http://www.emtec.comPublisherEmTec
Source: zocdll.dll.2.dr	String found in binary or memory: http://www.emtec.comStandbyvalue
Source: Another Rexx Tutorial.url.2.dr	String found in binary or memory: http://www.kilowattsoftware.com/tutorial/rexx/
Source: sshdll.dll.2.dr, zocdll.dll.2.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: zocdll.dll.2.dr	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: Introduction to REXX.PDF.2.dr	String found in binary or memory: http://www.pdfpdf.com)
Source: setup.exe	String found in binary or memory: https://http://;setup.exe:1;setup.exe;-remove

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe

Code function: 2_2_0041493A GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,Beep,Beep,Sleep,Sleep,Beep,Sleep,Beep,Sleep,Beep,Sleep,Beep,Beep,Beep,Sleep,Sleep,Beep,Sleep,Beep,Beep,Sleep,Sleep,Beep,Sleep,Beep,Sleep,Beep,Sleep,Beep,Beep,Sleep,Sleep,Beep,Sleep,Beep,Beep,Sleep,Sleep,Beep,Sleep,Beep,

2_2_0041493A

System Summary

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Code function: 0_2_00402C68	0_2_00402C68
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Code function: 0_2_00405AF0	0_2_00405AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Code function: 0_2_00402A88	0_2_00402A88
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Code function: 0_2_00407547	0_2_00407547
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Code function: 0_2_0040411E	0_2_0040411E
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_3_02356731	2_3_02356731
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_0043E237	2_2_0043E237
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00432BAB	2_2_00432BAB
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00434279	2_2_00434279
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_004422D1	2_2_004422D1
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_004493F8	2_2_004493F8
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_0041056C	2_2_0041056C
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_004395C1	2_2_004395C1
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_004326FB	2_2_004326FB
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00434791	2_2_00434791
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00433876	2_2_00433876
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00436820	2_2_00436820
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_0042A8DE	2_2_0042A8DE
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_0044993A	2_2_0044993A
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_0041FA67	2_2_0041FA67
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_0044CADB	2_2_0044CADB
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_0043AB2A	2_2_0043AB2A
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00440BD8	2_2_00440BD8
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_0044BC05	2_2_0044BC05
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00434C05	2_2_00434C05
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00433D61	2_2_00433D61
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00448EB6	2_2_00448EB6
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00442FE0	2_2_00442FE0

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: String function: 004433AC appears 33 times
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: String function: 0043B677 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: String function: 00435A4F appears 53 times
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: String function: 0041B378 appears 185 times
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: String function: 0041B3FE appears 129 times
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: String function: 00419640 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: String function: 0041B3A0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: String function: 00435791 appears 147 times
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: String function: 00401071 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: String function: 00411530 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: String function: 00413C7C appears 38 times
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: String function: 00442F7C appears 67 times

PE file does not import any functions

Source: setupenglish.dll.0.dr	Static PE information: No import functions for PE file found
Source: SetupGerman.Dll.2.dr	Static PE information: No import functions for PE file found
Source: setupgerman.dll.0.dr	Static PE information: No import functions for PE file found
Source: SetupEnglish.Dll.2.dr	Static PE information: No import functions for PE file found

Uses 32bit PE files

Source: SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean6.winEXE@3/174@0/0

Source: Introduction to REXX.PDF.2.dr	Initial sample: http://www.borg.com/~jglatt/rexx/scripts/language/language.htm.
Source: Introduction to REXX.PDF.2.dr	Initial sample: http://www.pdfpdf.com

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Code function: 0_2_00401039 ReadFile,GetLastError,SetFilePointer,GetLastError,GetLastError,FormatMessageA,wsprintfA,MessageBoxA,

0_2_00401039

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe

Code function: 2_2_0040459C __EH_prolog3,CoInitialize,_memset,LoadLibraryA,GetModuleFileNameA,FreeLibrary,CoCreateInstance,_sprintf,MultiByteToWideChar,CoCreateInstance,_sprintf,MultiByteToWideChar,CoUninitialize,

2_2_0040459C

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe

File created: C:\Program Files (x86)\ZOC5

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

File created: C:\Users\user\AppData\Local\Temp\FEA0B4.tmp

Jump to behavior

Source: SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe

File read: C:\Users\user\AppData\Local\Temp\~emtec~354033\commandline.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: setup.exe	String found in binary or memory: /STOP
Source: setup.exe	String found in binary or memory: /STOP
Source: setup.exe	String found in binary or memory: /STOP
Source: setup.exe	String found in binary or memory: /STOP
Source: setup.exe	String found in binary or memory: /STOPEmtec Service-Controlservice.exeUninstallDesktopFilesUninstallStartmenuFiles%s\%s.URLProgramgroup entry or desktop icon%s\%s.LNKSUCCEEDED(hres)*#%PATH%\:https://http://;setup.exe:1;setup.exe;-remove StartmenuUninstallUninstallStartmenu;#DesktopIconStartmenuOpts\pcinstall.ini"openNoFinalPopupDeleteAfterExtractEmTecIdBmpInstallPathffffff
Source: setup.exe	String found in binary or memory: /STOPEmtec Service-Controlservice.exeUninstallDesktopFilesUninstallStartmenuFiles%s\%s.URLProgramgroup entry or desktop icon%s\%s.LNKSUCCEEDED(hres)*#%PATH%\:https://http://;setup.exe:1;setup.exe;-remove StartmenuUninstallUninstallStartmenu;#DesktopIconStartmenuOpts\pcinstall.ini"openNoFinalPopupDeleteAfterExtractEmTecIdBmpInstallPathffffff

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe "C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Process created: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe .\setup.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Process created: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe .\setup.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: setuphook.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Section loaded: msiso.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: ZOC V5.LNK.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\ZOC5\zoc.exe
Source: Readme.LNK.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\ZOC5\Readme.txt
Source: Order ZOC.LNK.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\ZOC5\order.exe
Source: Feature List.LNK.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\ZOC5\Features.txt
Source: Order Info.LNK.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\ZOC5\Register.txt
Source: Developers Readme.LNK.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\ZOC5\Develop.txt
Source: Version History.LNK.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\ZOC5\Versions.txt
Source: ZOC Help File.LNK.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Windows\System32\hh.exe
Source: ZOC Command Line Parameters.LNK.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Windows\System32\hh.exe
Source: ZOC Quick Start Guides.LNK.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Windows\System32\hh.exe
Source: Uninstall ZOC.LNK.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\ZOC5\Setup.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

File written: C:\Users\user\AppData\Local\Temp\~emtec~354033\commandline.ini

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Accept end user license agreement
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Automated click: Next >

PE / OLE file has a valid certificate

Source: SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Static file information: File size 3113216 > 1048576

PE file contains a debug data directory

Source: SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: X:\zoc\v5\showem\showem.pdb source: showem.dll.2.dr
Source:	Binary string: X:\zoc\v5\devmodem\devmodem.pdb source: devmodem.dll.2.dr
Source:	Binary string: X:\zoc\v5\devssh\sshdll\sshdll.pdb source: sshdll.dll.2.dr
Source:	Binary string: X:\zoc\v5\devtlnet\devtlnet.pdb source: devtlnet.dll.2.dr
Source:	Binary string: X:\zoc\v5\devrcmd\devrcmd.pdb source: devrcmd.dll.2.dr
Source:	Binary string: w:\setup\sfxmake\Release\sfxmakeheader.pdb source: SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
Source:	Binary string: X:\zoc\v5\devisdn2\devisdn2.pdb source: devisdn2.dll.2.dr
Source:	Binary string: X:\zoc\v5\emuqnx\emuqnx.pdb source: emuqnx.dll.2.dr
Source:	Binary string: X:\ZOC\V5\zocdll.pdb source: setup.exe, 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmp, zocdll.dll.2.dr
Source:	Binary string: X:\ZOC\V5\zocdll.pdb3 source: setup.exe, 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmp
Source:	Binary string: X:\zoc\v5\devnpipe\devnpipe.pdb source: devnpipe.dll.2.dr
Source:	Binary string: X:\ZOC\V5\phimport\phimport.pdb source: phimport.dll.2.dr
Source:	Binary string: X:\zoc\v5\emuansi\emuansi.pdb source: emuansi.dll.2.dr
Source:	Binary string: X:\zoc\v5\emuvt\emuvt.pdb source: emuvt.dll.2.dr
Source:	Binary string: X:\zoc\v5\xfrsealink\xfrsealink.pdb source: xfrsealink.dll.2.dr
Source:	Binary string: w:\setup\release\setup.pdb source: setup.exe
Source:	Binary string: X:\zoc\v5\emu5250\emu5250.pdb source: emu5250.dll.2.dr
Source:	Binary string: X:\zoc\v5\emu3270\emu3270.pdb source: emu3270.dll.2.dr
Source:	Binary string: X:\zoc\v5\xfrxyz\xfrxyz.pdb source: xfrxyz.dll.2.dr
Source:	Binary string: X:\zoc\v5\xfrkerm\xfrkerm.pdb source: xfrkerm.dll.2.dr
Source:	Binary string: X:\zoc\v5\emutty\emutty.pdb source: emutty.dll.2.dr
Source:	Binary string: X:\zoc\v5\devssh\devssh.pdb source: devssh.dll.2.dr
Source:	Binary string: X:\zoc\v5\osys\osyswin.pdb source: osyswin.dll.2.dr
Source:	Binary string: X:\zoc\v5\emuwyse\emuwyse.pdb source: emuwyse.dll.2.dr
Source:	Binary string: w:\setup\Release\order.pdb source: order.exe.2.dr
Source:	Binary string: X:\zoc\v5\devtapi\devtapi.pdb source: devtapi.dll.2.dr

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Code function: 0_2_0040A2BD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,

0_2_0040A2BD

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Code function: 0_2_00405AD5 push ecx; ret	0_2_00405AE8
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_004271D9 push ss; iretd	2_2_004271DA
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_004455E7 push 33000001h; retf	2_2_004455EC
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_004456E9 push ebp; ret	2_2_004456EA
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00435830 push ecx; ret	2_2_00435843
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00442FC1 push ecx; ret	2_2_00442FD4

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	File created: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\devssh.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\devmodem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\emuansi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\order.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\sshdll.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\phimport.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\SetupEnglish.Dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\emuvt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\devisdn2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\emu5250.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\devtapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\devrcmd.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\devnpipe.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\xfrsealink.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	File created: C:\Users\user\AppData\Local\Temp\~emtec~354033\setupgerman.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\SetupGerman.Dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\osyswin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\xfrxyz.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\xfrkerm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\zoc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	File created: C:\Users\user\AppData\Local\Temp\~emtec~354033\setupenglish.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\devtlnet.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\emtecrt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\emuqnx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\emutty.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\shellicons.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\showem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\RxREXX.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\ssh.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\emuwyse.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\telnet.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\zocdll.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\emu3270.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\zaphoddll.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\Setup.exe	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Code function: 0_2_00401E6C _memset,_memset,_memset,lstrlenA,GetTempPathA,GetCurrentDirectoryA,GetCurrentProcess,GetModuleFileNameA,CreateFileA,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,VirtualAlloc,ReadFile,GetTempPathA,GetTempFileNameA,CreateFileA,WriteFile,CloseHandle,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,lstrlenA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,VirtualFree,DeleteFileA,

0_2_00401E6C

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\license.txt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Program Files (x86)\ZOC5\Readme.txt			Jump to behavior

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\ZOC V5.LNK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Readme.LNK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Order ZOC.LNK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Feature List.LNK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Order Info.LNK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Developers Readme.LNK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Version History.LNK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\ZOC Help File.LNK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Homepage ZOC.URL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Homepage EmTec.URL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\ZOC Command Line Parameters.LNK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\ZOC Quick Start Guides.LNK	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Uninstall ZOC.LNK	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\devssh.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\devmodem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\emuansi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\order.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\sshdll.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\SetupEnglish.Dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\phimport.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\emuvt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\devisdn2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\emu5250.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\devtapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\devrcmd.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\devnpipe.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\xfrsealink.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\~emtec~354033\setupgerman.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\SetupGerman.Dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\xfrxyz.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\osyswin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\xfrkerm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\zoc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\~emtec~354033\setupenglish.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\emtecrt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\devtlnet.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\emuqnx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\emutty.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\shellicons.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\showem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\ssh.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\RxREXX.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\emuwyse.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\telnet.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\zocdll.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\emu3270.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ZOC5\zaphoddll.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_004381D7 __getdrive,FindFirstFileA,_strlen,_IsRootUNCName,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	2_2_004381D7
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_004311A5 _malloc,_strlen,_malloc,_strcat,FindFirstFileA,_strcat,	2_2_004311A5
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00436D80 __getdrive,FindFirstFileA,_strlen,_IsRootUNCName,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	2_2_00436D80
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00411C5B __EH_prolog3,_calloc,FindFirstFileA,	2_2_00411C5B

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	API call chain: ExitProcess graph end node			graph_0-4536
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	API call chain: ExitProcess graph end node			graph_0-4543

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Code function: 0_2_004058C2 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_004058C2

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Code function: 0_2_0040A2BD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,

0_2_0040A2BD

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe

Code function: 2_2_004364AA GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,

2_2_004364AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Code function: 0_2_0040A4C0 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0040A4C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Code function: 0_2_004058C2 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004058C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Code function: 0_2_0040A75A SetUnhandledExceptionFilter,	0_2_0040A75A
Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Code function: 0_2_00405320 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00405320
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_0044731E _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0044731E
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00415521 _malloc,SetUnhandledExceptionFilter,	2_2_00415521
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00443676 SetUnhandledExceptionFilter,	2_2_00443676
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00435782 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00435782
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00440AB8 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00440AB8

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Code function: 0_2_00406662 cpuid

0_2_00406662

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	Code function: GetLocaleInfoA,	0_2_0040A7B4
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: GetLocaleInfoA,	2_2_0044B5B9
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: GetLocalTime,_memset,GetLocaleInfoA,GetTimeFormatA,	2_2_00412BBC

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe

Code function: 2_2_0043A1AD GetSystemTimeAsFileTime,__aulldiv,

2_2_0043A1AD

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe

Code function: 2_2_00412278 __EH_prolog3,GetUserNameA,

2_2_00412278

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe

Code function: 2_2_00446706 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,SetOaNoCache,__invoke_watson,

2_2_00446706

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe

2_2_004364AA

Remote Access Functionality

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_0042394D __EH_prolog3,_memset,_memset,_strcat,_strcat,_strlen,_strlen,_memset,htons,inet_ntoa,bind,getsockname,htons,		2_2_0042394D
Source: C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	Code function: 2_2_00423BF8 __EH_prolog3,socket,listen,		2_2_00423BF8

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Spearphishing Link	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Process Injection	2 Masquerading	11 Input Capture	2 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\ZOC5\RxREXX.dll	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\Setup.exe	2%	ReversingLabs
C:\Program Files (x86)\ZOC5\SetupEnglish.Dll	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\SetupGerman.Dll	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\devisdn2.dll	2%	ReversingLabs
C:\Program Files (x86)\ZOC5\devmodem.dll	2%	ReversingLabs
C:\Program Files (x86)\ZOC5\devnpipe.dll	2%	ReversingLabs
C:\Program Files (x86)\ZOC5\devrcmd.dll	2%	ReversingLabs
C:\Program Files (x86)\ZOC5\devssh.dll	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\devtapi.dll	2%	ReversingLabs
C:\Program Files (x86)\ZOC5\devtlnet.dll	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\emtecrt.dll	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\emu3270.dll	3%	ReversingLabs
C:\Program Files (x86)\ZOC5\emu5250.dll	3%	ReversingLabs
C:\Program Files (x86)\ZOC5\emuansi.dll	2%	ReversingLabs
C:\Program Files (x86)\ZOC5\emuqnx.dll	2%	ReversingLabs
C:\Program Files (x86)\ZOC5\emutty.dll	2%	ReversingLabs
C:\Program Files (x86)\ZOC5\emuvt.dll	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\emuwyse.dll	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\order.exe	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\osyswin.dll	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\phimport.dll	3%	ReversingLabs
C:\Program Files (x86)\ZOC5\shellicons.dll	2%	ReversingLabs
C:\Program Files (x86)\ZOC5\showem.dll	2%	ReversingLabs
C:\Program Files (x86)\ZOC5\ssh.exe	2%	ReversingLabs
C:\Program Files (x86)\ZOC5\sshdll.dll	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\telnet.exe	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\xfrkerm.dll	2%	ReversingLabs
C:\Program Files (x86)\ZOC5\xfrsealink.dll	2%	ReversingLabs
C:\Program Files (x86)\ZOC5\xfrxyz.dll	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\zaphoddll.dll	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\zoc.exe	0%	ReversingLabs
C:\Program Files (x86)\ZOC5\zocdll.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\~emtec~354033\setupenglish.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\~emtec~354033\setupgerman.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.borg.com/~jglatt/rexx/scripts/language/language.htm	0%	Avira URL Cloud	safe
http://www.borg.com/~jglatt/rexx/scripts/language/language.htm.)	0%	Avira URL Cloud	safe
http://www.emtec.comPublisherEmTec	0%	Avira URL Cloud	safe
http://www.pdfpdf.com)	0%	Avira URL Cloud	safe
http://www.emtec.comStandbyvalue	0%	Avira URL Cloud	safe
http://www.kilowattsoftware.com/tutorial/rexx/	0%	Avira URL Cloud	safe
https://http://;setup.exe:1;setup.exe;-remove	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.emtec.com/	setup.exe, 00000002.00000003.2307631408.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, Homepage EmTec.URL.2.dr	false		high
http://www.emtec.com/common/order.htm	order.exe.2.dr	false		high
http://www.emtec.comStandbyvalue	zocdll.dll.2.dr	false	Avira URL Cloud: safe	unknown
http://www.emtec.com/pyrotrans/index.htmS	setup.exe, 00000002.00000002.3264393540.0000000001FB5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.emtec.com/pyrotrans/index.htmls	setup.exe, 00000002.00000002.3264059138.000000000066B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.emtec.com/common/order.htmlhttp://www.emtec.com/common/order.htm	order.exe.2.dr	false		high
http://www.borg.com/~jglatt/rexx/scripts/language/language.htm.)	Introduction to REXX.PDF.2.dr	false	Avira URL Cloud: safe	unknown
http://www.emtec.com/common/support.html	Readme.txt.2.dr	false		high
http://www.emtec.com/zoc/index.htm	setup.cfg	false		high
http://ocsp.thawte.com0	setup.exe	false	URL Reputation: safe	unknown
http://www.emtec.com/zoc/index.html	setup.cfg	false		high
http://www.borg.com/~jglatt/rexx/scripts/language/language.htm	The REXX Language (3rd Party Tutorial).url.2.dr	false	Avira URL Cloud: safe	unknown
https://http://;setup.exe:1;setup.exe;-remove	setup.exe	false	Avira URL Cloud: safe	low
http://www.emtec.com/zoc/order.html	Register.txt.2.dr	false		high
http://www.emtec.comPublisherEmTec	setup.exe	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteCodeSigningCA.crl0	setup.exe	false		high
http://www.openssl.org/support/faq.html	sshdll.dll.2.dr, zocdll.dll.2.dr	false		high
http://www.emtec.com/pyrotrans/index.htmlV	setup.exe, 00000002.00000002.3264059138.000000000066B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.pdfpdf.com)	Introduction to REXX.PDF.2.dr	false	Avira URL Cloud: safe	low
http://www.emtec.com/common/order.html	order.exe.2.dr	false		high
http://www.emtec.com/pyrotrans/index.html.1	setup.exe, 00000002.00000002.3264059138.000000000066B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html....................	zocdll.dll.2.dr	false		high
http://www.emtec.com	setup.cfg, setup.exe, setupenglish.dll	false		high
http://www.kilowattsoftware.com/tutorial/rexx/	Another Rexx Tutorial.url.2.dr	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawtePremiumServerCA.crl0	setup.exe	false		high
http://www.emtec.com/common/contact.html	Readme.txt.2.dr	false		high
http://www.emtec.com/pyrotrans/index.html	advertise_pyrotrans.cfg	false		high
http://www.emtec.com/pyrotrans/index.htmlnn	setup.exe, 00000002.00000002.3264474052.0000000002350000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.emtec.com/pyrotrans/index.htm	advertise_pyrotrans.cfg	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430577
Start date and time:	2024-04-23 22:26:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
Detection:	CLEAN
Classification:	clean6.winEXE@3/174@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 130 Number of non-executed functions: 223
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1443
Entropy (8bit):	4.623068410416077
Encrypted:	false
SSDEEP:	24:+auTmQ8/W+Ru39AEAY9CZHlvbdwoIMEZZa:5GRRAYYZbsZZa
MD5:	A5445EAA315EE0F49D8E63832D2FDE89
SHA1:	C3ABA4B19430D0EEFFDBACD2D4A48E5216458572
SHA-256:	92524ABC7E7E5205EA98CCCDED484D82669258B599128823C3CAF0020964B18F
SHA-512:	195ADE0D3A3BEF3F03E0E37CFF34F0E297B612F20D578597EDFD94ACDD9D22C359FFE8C6AA0F6EA55AA7372CBE3A5537547E3ACE630D4E566FD634BBDF184D3E
Malicious:	false
Reputation:	low
Preview:	.. ------------------------------------------------------------------------.. DEVELOPER INFOMATION.. ------------------------------------------------------------------------.... If you are a developer, there are several points for you to.. hook in. .... The most obvious area where a programmer could control ZOC is.. the REXX programming language. It is very powerful and allows.. access to many areas of ZOC. .... The REXX processor was licensed from Enterprise Alternatives, Inc. .. and is included with ZOC. If you want to use a different REXX.. processor (e.g. IBM's Object REXX or the freeware Reginald .. REXX) you can use Options, Program Settings, Special Files to .. sepcify a different REXX processor DLL..... If you want ZOC to act as a background communication server you.. can use DDE. DDE is described in the Online Help (Help->Contents->.. Programming ZOC) and you can get a sample DDE client (C source.. code) from EmTec's ftp ser

C:\Program Files (x86)\ZOC5\Features.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2241
Entropy (8bit):	4.912840591139236
Encrypted:	false
SSDEEP:	48:Wo2DV9v2GRhsBhQiauGRfEOlWLFap6HSLFEez:+DvpMTQL5tlWpzez
MD5:	7D2D7011A27E6B94921E6C796A09ABE7
SHA1:	E283887498798FCF13038765DFEAC9FB4B49279E
SHA-256:	684E39072A1824487B483603303CB91ED96F20123ABEF2025C482CB9056644B8
SHA-512:	649563A9479148B08D8B7F14B0A5C84111DD6F274064BFAC8B4407DEF5C28B203749BA3ED61639272D2C6C066E5F28A9C4C262A213A1AB2267811CEFB802521B
Malicious:	false
Reputation:	low
Preview:	.. ------------------------------------------------------------------------.. LIST OF FEATURES.. ------------------------------------------------------------------------...... COMMUNICATIONS.... * Telnet, Rlogin.... * Secure Shell (SSH V1/V2) with public/private key .... * Modem via serial port and TAPI (Windows modem).... * ISDN via CAPI V2.0 (including X.25 and X.31 support).... * File transfer via Ascii, Xmodem, Ymodem, Zmodem, Kermit .... * Data trace on device level (user dump and binary mode)........ EMULATION .... * LINUX console-like xterm including colors and full keyboard.... * VT52, VT100, VT102, VT220 (complete implementation incl... print through, keyboard and ANSI colors).... * ANSI-BBS, ANSI-SCO, Avatar.... * IBM-3270, IBM-5250.... * Sun-CDE.... * Wyse 30, 50, 60.... * TVI9xx.... * QNX V4.... * TTY........ USER INTERFACE.... * Host directory (with full option set for each entry and.. automatic logi

C:\Program Files (x86)\ZOC5\Problems.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2991
Entropy (8bit):	4.2533442234184475
Encrypted:	false
SSDEEP:	48:+Rk4EnN0uJofOcy6kR0dETmEkMfV71griZh6T5lDi5w6vC/lq4n:+ezN0uJofzy6dCmEkMN5grkfw66/k4n
MD5:	86841177443D82B0A3347DD871AA19D4
SHA1:	67916E65F35FA5519E9A2B8CFC906264E573C83C
SHA-256:	0789809A277346C8D10CFFA7A7A6E84BF9B78C4C8A0F7EBCAE2EBF96F8B73353
SHA-512:	09DB1CD1D6B39BB4896F2894F9C0E9811ABAED7C937279064F9998479EA9D48DC97270FFA9B041F76C3BA9A6ED023F050F09AE760A00E99F8D46370588C00D81
Malicious:	false
Reputation:	low
Preview:	.. ------------------------------------------------------------------------.. WHAT TO DO IN CASE OF PROBLEMS.. ------------------------------------------------------------------------........ ------------------------------------------------------------------------.. 1. FIRST OF ALL.. ------------------------------------------------------------------------.... RELAX!........ ------------------------------------------------------------------------.. 2. IF YOU CAN'T INSTALL OR START ZOC.. ------------------------------------------------------------------------.... * Please try installation into a fresh directory on your hard disk. .. Do not convert files from an existing version..... * Try to start ZOC from the command line instead of using the desktop.. icon, eg. CD ZOC.. ZOC.... * It is possible to unpack the SETUP.FIL file with a standard UNZIP... However, this is only an emergency method..... * You can view the help file wi

C:\Program Files (x86)\ZOC5\Readme.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4520
Entropy (8bit):	4.520829187694182
Encrypted:	false
SSDEEP:	48:AcGD9+6kh1Hpjt3HcOql43yZWNGaDbrka0xpb+yljAxboLgpWAcISAbptidIn/RL:C+DjcDLZWN99aHWttSSj/OliJOw
MD5:	869777FCAB4E75F1B60397E42147D2C7
SHA1:	0239E72F211A341C7B571610913B13592B70036D
SHA-256:	A6F8BBBE7BAC325ABEB2A282D8BAFDED6481057CE1252EBEF4FE75B8188354CB
SHA-512:	7BFC50FA073686230A7C5A2D61FC56A3D206605FA18942A6AF19A6F878C72F90A890FC7E40E4054854509AF6B6E8895F2CD41563A2ED1F8B3271681ECEDA6984
Malicious:	false
Reputation:	low
Preview:	.. ------------------------------------------------------------------------.... CONTENTS .... 1. ABOUT ZOC.. 2. DISTRIBUTION, COPYRIGHT.. 3. INSTALLATION.. 4. CONTACTING THE AUTHOR.... ------------------------------------------------------------------------........ ------------------------------------------------------------------------.. 1. ABOUT ZOC for Windows 9X/ME/NT/2000/XP/2003/Vista and higher.. ------------------------------------------------------------------------.... This is V5.x of ZOC. ZOC is a high power terminal client for telnet,.. SSH, modem, ISDN, and more. ZOC has a reputation of being one of.. the best telnet and SSH clients around. Have a look at the feature .. list and the screenshots at www.emtec.com and you will see why..... The program is available from many online sources (www, ftp, etc.). .. However, your main source of download and information will be .. the EmTec website: .... http://www.em

C:\Program Files (x86)\ZOC5\Register.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1989
Entropy (8bit):	4.570849514395709
Encrypted:	false
SSDEEP:	48:dyO+2cMan0bzBavbkJQMM8jaz6faGU+CIvxcO9r:dyOAMa0jWbGU+btr
MD5:	71A23F49F1AEB6AB80D23AF3936A690C
SHA1:	547D817A37F7BB2B6837A75748A0131CE99502E3
SHA-256:	A5F3BD0BA8A3E635284EE2EE8FD95190BC8342D5F55049E00EAAEFFA38027AF5
SHA-512:	CD7988B38B363F9EA9B68FC1EE5B04D0EBD673356490EF94D9B9EBB2A861B6D7B29C4F593986117345B256B1AB8973E3CBDC8D6FA3F4730409EDC72B73CDBC15
Malicious:	false
Reputation:	low
Preview:	.. ------------------------------------------------------------------------.. PURCHASING/ORDERS .. ------------------------------------------------------------------------.... This is a summary -- see please see http://www.emtec.com/zoc/order.html .. for more details. .... To actually order, please visit the our website (see above link) or .. select "Order ZOC" from the ZOC Program group in the Windows Start menu..... The shareware version of ZOC is fully functional in every way. Compared.. to the licensed version, the only difference is that it shows occasional.. windows to remind you of the evaluation. The are no hidden or built in .. problems that go away when you order a software license, everything that .. happens due to the evaluation mode is clearly marked to do so..... When you order a license code you will receive a software code, that .. unlocks all evaluation versions of ZOC with a certain version number .. (eg. all V5.xx). The li

C:\Program Files (x86)\ZOC5\RxREXX.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	248832
Entropy (8bit):	6.4448639083649395
Encrypted:	false
SSDEEP:	6144:85soBLHHNcxy1p68V5UTXzkELTSNpexX1p:85rLnOy1Y8r+XZKpenp
MD5:	30E0E4DC13E3307D2D60F3CA0E22C3E0
SHA1:	D1736D840393B41EDDF150AD0C615F179F38FB31
SHA-256:	876703E0E34AF3125C4E22FCDA6B463411F4A92713456E30CF4BA9236AB9C5A0
SHA-512:	AA73D33EAA91C0C0E9825B88495D1D7A1C5C2E538E01CC4E5D096A8E110301DD9B2A2FC4EDE1C984D5106714EF6AAADD89A84490425106E9E58932937256EA4A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\4...........!......... ......0x.......................................0..................................................d................................7..................................................................................text...p........................... ..`.rdata..............................@..@.data...D........z..................@....idata..l............f..............@....rsrc................x..............@..@.reloc..L<.......>..................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\Setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	632248
Entropy (8bit):	6.449097954904934
Encrypted:	false
SSDEEP:	6144:1AnAlC5W1ZUfb3OZFpMwDZi2aZW2ENFsypo4xhTGjL1bEfNMDUqTWlpb225NPaoz:1uw8b3OZ3zloWTHgNgFM6b2eUA/
MD5:	51F4C23DB5D7F30E4F2B50AED1851339
SHA1:	43D30BB2CB683CED13BDE7B95976F0562EDF77AC
SHA-256:	9EC8FD7D1C01783F653A49BFA885B0A2DC9882BD068FD5F4A8489A0216635F11
SHA-512:	9E04389378D34E87CAB0C5FC67E719BC45C991CF02AD149C908FD3B816CE235D0AC6AC5E2E493671D1F60000B6FC3D4D03DA5740F7D9A4600EB4F884CD6A58FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<...RQ..RQ..RQ.(/Q..RQV..Q..RQ.,Q..RQV.2Q..RQ..SQ..RQV..Q..RQ.(?Q\.RQ.(<Q..RQ.(.Q..RQ.(Q..RQRich..RQ........................PE..L......I.................0...........f.......@....@..................................r...............................................@..............................pE...............................B..@............@..t............................text...!%.......0.................. ..`.rdata...x...@.......@..............@..@.data....{.......@..................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\SetupEnglish.Dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	4.596786790402431
Encrypted:	false
SSDEEP:	1536:FnoitMmU499/Mh9muec5Dnz9hwY3JbScGPaVLHO4:p7tO4WmYzbwY3FnGPaU4
MD5:	0AD002F80572C02A9F746E8420D8084F
SHA1:	AF1921A44FDBE9A2E640782B38CF49B4B19C6B5A
SHA-256:	5D3A66975C924437CFCFD75F4D5129C17BFAC8917BD58D5620D92718F556B662
SHA-512:	38AC70A30AA67948CC59B0B0410056F59FDA18E3928A1BB6A9CE5197ACE30B31C10228F7F138B3632825C2F3B4F01B912C4C572A6DEAE884EFBB65BD5571A00E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L....z.I...........!.........p...........................................................................................................^...................p.......................................................................................rsrc....^.......`..................@..@.reloc.......p.......p..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\SetupGerman.Dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	102400
Entropy (8bit):	4.445942285482228
Encrypted:	false
SSDEEP:	3072:u+7tO4R3odQuMV/ejSX7p99mymYzbwY3FnGPhREP7jdIMrbMKiwssMSIcrqQGvX5:xpbp1T31GP
MD5:	360E58DD2B63F5C097E228268272349C
SHA1:	A1EA8CECC3155227B89B0001D3EB8730D2906A64
SHA-256:	F1A99F390734DE85EF6FF7ED8A50A6BB268BA7A07D781E837743883695B36226
SHA-512:	465084056F9F08F0589D11D1A7A1F92D580CF84A582F7F39DFD2D7321124C4F7349DDB319BD9747AC7ACC13644D6C35A5CA2076D994494B1784BE647D273A7E0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L....z.I...........!....................................................................................................................x`...........................................................................................................rsrc...x`.......p..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\Versions.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	Nim source code, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24806
Entropy (8bit):	5.0356974885609125
Encrypted:	false
SSDEEP:	192:8e7FMEpTRmoXoFDYV8CADHWGjc17IZX3XpOuNo6QiEnqulzxByeHX3JDWNUAYu9m:FPTGCADIhIuio6QnqOxvqVZsdzQFHUZ
MD5:	B3BF22F6F9934099AAAB62B6CD01866F
SHA1:	EAA067FA30BF06D92289F2C2C7CEA66374C2985A
SHA-256:	859220BC7A24F0D9929A5D5D322837E054ED04147CB58320A37B7BA5A37D9DA3
SHA-512:	A918FED72CF9BF29B53B9F4E751980F6A652E85DDD2CED1E5A6D0B4DE63F4A225F118238EF5CB03ABCC0571EF240AD8355B5888EF5F165ED750028544835762E
Malicious:	false
Reputation:	low
Preview:	..History of changes....-------- ---------------------------------------------------------------------------------.. DATE TEXT..-------- ---------------------------------------------------------------------------------......-------- ---------------------------------------------------------------------------------..02.12.08 REL: VERSION 5.12..-------- ---------------------------------------------------------------------------------..09.11.08 FIX: file-request windows were not sizable..04.09.08 FIX: could not connect to serial device directly with empty 'Connect To'..04.09.08 FIX: folders (program settings) now uses the most relevant macro for paths..01.09.08 FIX: problem with Local Typing when the scroll-lock=LT option was on..30.09.08 FIX: automatically fix host directory entries with wrong section..-------- ---------------------------------------------------------------------------------..22.09.08 REL: VERSION 5.11..-------- ------------------------------------

C:\Program Files (x86)\ZOC5\ZOC.chm

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	248276
Entropy (8bit):	7.913808491167825
Encrypted:	false
SSDEEP:	6144:UmO5lf1dEW+iPd/QHAj5030bIvA2CVOxUD6CpPrg3Q3pplhmTD9e:nO5fr+iOcm3PvHIOxU+CBr/3ppzm/s
MD5:	5323FA5C6BD0D59B6FF0469011C895F6
SHA1:	9244590B35CD572EB8F764951BB4B144C8305665
SHA-256:	9B98154923105A3F13B356DEAAE84335ED7C532E8796AACFC1BCA16EB398322C
SHA-512:	7AF85943E7ECA89681ECA2A12075CBDF47F1654A488EE36F2F25DF14B596DE5B5966E9944CDD890EBD01100C19BD12859D4FA3EA28121410F575885117EB8EFD
Malicious:	false
Reputation:	low
Preview:	ITSF....`.........I........\|.{.......".....\|.{......."..`...............x.......T0.......0..............................ITSP....T...........................................j..].!......."..T...............PMGLR................/..../#IDXHDR...V.../#ITBITS..../#STRINGS..._.9./#SYSTEM..v.../#TOPICS...V.@./#URLSTR.....Y./#URLTBL.....p./#WINDOWS.....L./$FIftiMain...!..5./$OBJINST...b.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...^../$WWKeywordLinks/..../$WWKeywordLinks/Property...Z../html/..../html/topic-100.html...p.../html/topic-10200.html...y.#./html/topic-10220.html.....u./html/topic-10221.html.....}./html/topic-10222.html...d.q./html/topic-10223.html...U.*./html/topic-10224.html.....2./html/topic-10225.html...1.../html/topic-10226.html...1.w./html/topic-10230.html.....V./html/topic-10240.html...(.=./html/topic-10241.html...e..`./html/topic-10242.html.....\|./html/topic-10243.html...X.H./html/topic-10244.html.....(./html/topic-10245.html...E.../html/topic-10250.html...@.9./ht

C:\Program Files (x86)\ZOC5\ZOC.cnt

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1020
Entropy (8bit):	3.2763416949440325
Encrypted:	false
SSDEEP:	24:Mi+8kVM8yYJ4VAthaBulxVXc8VHOIOG/C6Za3P/XD:l+8kpJ4VAthtlxRzOV4yP/z
MD5:	206563E1375E1FFC16F83B160E68DD9D
SHA1:	37F83ADDF575E4203A5DA58BD46F581AC37C5212
SHA-256:	88C2DE98660AD031321212136E2AEA9C39879DAC4D6CA85754F52BD7AAB2BF63
SHA-512:	C04DD3AED8A1CDEE54150B998814E81E81B2FDAA39D4341BA1EC13460A66E5E74AFD9AF33BA0F907C5AB335E3AA46F434A144530DDFD73E4DFC81D77CA7DADC8
Malicious:	false
Reputation:	low
Preview:	100..10200..10220..10221..10230..10222..10223..10224..10225..10226..10240..10241..10245..10243..19282..10242..10244..10250..10254..10253..10256..10255..10252..10251..10300..10860..10830..10835..10820..10840..10870..10373..10850..19275..19230..19231..19235..19236..19237..19241..19240..19238..19239..19284..19283..19249..19247..10370..12110..19252..10375..10400..10430..19330..19335..19329..19326..19331..19321..19328..19327..19325..19322..19323..19333..19324..19332..10420..19300..19301..19302..19246..10410..19002..19013..19014..19005..19012..19020..19017..19010..19016..10530..19029..10439..10449..10450..10451..10452..10453..10441..10442..10443..10444..10446..10445..10470..10471..10472..10473..10460..10461..10462..10463..10480..10481..10482..19504..10483..10484..19500..19501..19502..19503..10456..10457..10458..10459..10475..10476..10478..10500..10510..10518..10521..10519..10600..10640..10620..10627..10625..10650..10610..10670..10700..10748..10710..10720..10722..10724..10721..10730..10755..1

C:\Program Files (x86)\ZOC5\admin$$$.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3202
Entropy (8bit):	5.061039262509073
Encrypted:	false
SSDEEP:	48:3lE4CE0egmbKgrcTR3hs9/MmSfUKB6CxF9OhDpLMndq/mtpGuFVoosXq+A4RAtyt:yW0e8RW9/pvE6+F9Of4hFmo8/EJc
MD5:	6D2BA7DE970881ED5962FD40107F2423
SHA1:	BC9D7529EB0D340782B4A09127447B6411AC94AD
SHA-256:	D464A7561E5815E54F5288E3C313ABCD30FFA06CE30AF22FDD0BFC49F182F41F
SHA-512:	EA91294613CE94554490DB447259701BEA10046D47F44ED8E3EA8C79E703F706C94B136F27618142D67B51F036AA14C44FABCA9C0A037E4C82A4BFBE4807CB1E
Malicious:	false
Reputation:	low
Preview:	// config file for administrative magic....// this file (in conjunction with the program settings file) allows ..// the configuration of shared installations, partially shared installation, ..// per user installations etc. If you have questions on how to achieve ..// a specific result, please conact us for support.....// suported environment strings:..// %ZOCFILES% (ConfigDataFolder), %ZOC% (program folder), %APPDATA%, ..// %ALLUSERAPPDATA%, %USERNAME%, %USERDESKTOP%, %USERPROFILE% (My Documents), ..// %USERPICTURES% (My Pictures), %ALLUSERPROFILE% (Shared Documents)......// user data folder (if this folder does not exist it will ..// be created and %ZOC%\newuserprofile will be copied ..// into it). This folder is then referenced as %ZOCFILES%...// Later on the folder can be relocated by the individual user..// and HKCU\Software\ZOC\ConfigDataFolder will override it...ConfigDataFolder=""....// set SharedInstall to yes if this is a shared installation..// (XP/NT/2000 for all user

C:\Program Files (x86)\ZOC5\admin.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	127
Entropy (8bit):	5.041262672840127
Encrypted:	false
SSDEEP:	3:t9JjWcgNBOA5FF88vdARDGDY23MH2D7OVdxFH:tPUOcFhVA5GD73a2P6/9
MD5:	BB108694D4E738D6109C38CAF1FE561E
SHA1:	B26E962890C7C6DF0225C83D2D05EE95A3024964
SHA-256:	9EDC0CA328559C2058AD41E1B02EE103F6ECEF3A7CA3A6157824306AAB204053
SHA-512:	35EF405AF026524A4D225297A2904365FC144A77B2D3D24498B2A2D1B410E25B413520E532AFA0080A0C91E79843675B4B6A27DAA8F8D7F6DA44A726039CB03E
Malicious:	false
Preview:	ConfigDataFolder="%USERPROFILE%\ZOC Files"..SetupCreatedConfig=yes..SetupDefaultConfig="5"..SetupSubsystems="11200000.11200000"

C:\Program Files (x86)\ZOC5\admin_sample.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3131
Entropy (8bit):	5.082011504461222
Encrypted:	false
SSDEEP:	48:3lE4CE0egmbKgrcTgVhs9/MmSfUKB6CxF9OhDpLMndq/VFVoosXq+A4RAtyp/tGq:yW0e8B9/pvE6+F9OfrFmo8/nsi
MD5:	99C2EE2047811118C6FE19D7846B295B
SHA1:	898C4FE89A59C64151370DE673CFF340093FB8BB
SHA-256:	6893B91C7AA592E83B75CE7184DC440ABFCD72EEF44457E327D0D40F8A31EC99
SHA-512:	20620E78C0C56494BAC57EFC65677616306E82183051D2FDB62AAA01845800AB850A61A5CB46845FDFB715A1A4EFDCC2C152715BA85DFEF236319F2E9587DD0F
Malicious:	false
Preview:	// config file for administrative magic....// this file (in conjunction with the program settings file) allows ..// the configuration of shared installations, partially shared installation, ..// per user installations etc. If you have questions on how to achieve ..// a specific result, please conact us for support.....// suported environment strings:..// %ZOCFILES% (ConfigDataFolder), %ZOC% (program folder), %APPDATA%, ..// %ALLUSERAPPDATA%, %USERNAME%, %USERDESKTOP%, %USERPROFILE% (My Documents), ..// %USERPICTURES% (My Pictures), %ALLUSERPROFILE% (Shared Documents)......// user data folder (if this folder does not exist it will ..// be created and %ZOC%\newuserprofile will be copied ..// into it). This folder is then referenced as %ZOCFILES%...// Later on the folder can be relocated by the individual user..// and HKCU\Software\ZOC\ConfigDataFolder will override it...ConfigDataFolder="%USERPROFILE%\ZOC Files"....// set SharedInstall to yes if this is a shared installation..// (

C:\Program Files (x86)\ZOC5\devisdn2.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65584
Entropy (8bit):	4.526486337233923
Encrypted:	false
SSDEEP:	768:ntq6LXiMo0xf94MlxH26A8Lp6B/Wm9Yddo6fExVVo5:ntq6L3vxf94MlxHdA8Lp6B/79YdAHVo5
MD5:	F65AD9E2B5B36F5528874143237409B7
SHA1:	87C97A78050FA2636BDB37D071EB68B6BFE0FA24
SHA-256:	797FA0F7D9BB027DBEF92D2858C92F1652421DBC4B726F24DBDF9EDE1E869D7B
SHA-512:	093D01AEAFC25BEE87B3EF1D1C0B1AB07D82B5DA8AE1092A77E3AD31BCCF7E9CE2FA06014717E295BCA6E523A2F4594D0CEF2BAFFC36035890955E881B1305E5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ur......................7.......4......................U...............Rich....................PE..L...V^5I...........!.....`..........!T.......p......................................................................pr..u.......x....................................p..................................................(............................text...\|U.......`.................. ..`.rdata.......p.......p..............@..@.data....D.......P..................@....idata..............................@....rsrc...............................@..@.reloc..f...........................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\devmodem.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53296
Entropy (8bit):	4.0522792142968465
Encrypted:	false
SSDEEP:	768:L+53Cv6KRUU81m3h0oD60GYGqY8LSKSIK:L+Av6KRUn1mxTD60kT8y
MD5:	32FEDB697310E7EDF9C0A0FBAAD86EE8
SHA1:	67D859508262498195BB6B6CC8A0AF650A2BC6DF
SHA-256:	C87C577F613B496E502BC94EF949C03493FE6D1E9162C79AEE159F6557FE5FCC
SHA-512:	8EDEAA55069BB6ACCD5D8882283DF9E6DED720ACFC6C0C571AF89CFBD67B21E8037D364CFBED1147B013181AA6FF67642C23FD82508EDE10B130577C769605E1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........b.....................................:...............-.......}.......-.......Rich....................PE..L...X^5I...........!.....`...p.......O.......p......................................................................pr..u.......x...............................8....p..............................................,................................text....Q.......`.................. ..`.rdata.......p.......p..............@..@.data...............................@....idata..............................@....rsrc............ ..................@..@.reloc..e...........................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\devnpipe.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36912
Entropy (8bit):	2.6404835102374324
Encrypted:	false
SSDEEP:	192:GQThUkx5L+GFnSy9Fl+i5qiMU8JvnwAJdzpziS/Sk+0ZqwcXgjRV2a:GxkLP8y9r+i5qiZ8VnLJ+oSYcXgXV
MD5:	5502E3DFA38F99D96844FF7DF95041DB
SHA1:	7E2168835FC3BA4E9BF4F78209E41086B83B8BF1
SHA-256:	4F351B04B1AEE3086D9272BD8F73A074B36B46838E6D453A1D95ED22094BD64B
SHA-512:	518A7431410F646BB7321F4CCDF434F5ECC91D32940CC92D317C969EAF95943A3C8F28C4C05187319A5BC91A35C5251E2313EF95EB36E2E9DDE2774303F1C636
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.a.c.a.c.a...m.a.a...r.a.a.e.k.f.a...e.a.a.c.`.R.a...j.a.a..g.b.a...e.e.a.Richc.a.........................PE..L...X^5I...........!.....0...P......{$.......@......................................................................pB..u....`..d....p..........................H....@...............................................a...............................text....%.......0.................. ..`.rdata.......@.......@..............@..@.data........P.......P..............@....idata.......`.......`..............@....rsrc........p.......p..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\devrcmd.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36910
Entropy (8bit):	2.8284940764777797
Encrypted:	false
SSDEEP:	192:UOlZj7apMoD+A18E2jRjGRtYJGyFdk+ZaWeYyDAT9xoTIxuxSrne5rS+S:TGpzDGlGxodpZaUyDgkN5rSB
MD5:	3FFC6CFE8615E87FEC57A320AB381DA8
SHA1:	71C78B3A92FA71A6774885CE53DBE4B9988C53AF
SHA-256:	6D218B9C92752F9A312068243B81910023284B31D2D95F2791E868E5A56E3C33
SHA-512:	4A6241D0EF1405B9DC06060B49AF98BDE58C80E90F5B75EFDEC86B713741236C7365FE8451F1AFD9B7E3EF61109FDD3F37CF300541E018F4539A10EF0A16DEF4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.@.............p.".....i.=.......$............../.8.....%.......(............Rich............PE..L...Y^5I...........!.....0...P.......(.......@......................................................................pB..t....`..x....p..........................,....@..............................................@b...............................text....*.......0.................. ..`.rdata.......@.......@..............@..@.data........P.......P..............@....idata..t....`.......`..............@....rsrc........p.......p..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\devssh.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	69676
Entropy (8bit):	4.2668195897768
Encrypted:	false
SSDEEP:	768:4ItuFrhb6lHO49Eblhm3SpTzKrJ7HEsgoNj3o:3tuFVWHx9EbHmipWLEsgoNj3o
MD5:	0514D4B46B7BFE9655ADDBE99518262B
SHA1:	10FC3147FC393A239C324594B550D7CA9D6C95B9
SHA-256:	2AFDCFF0C7CC13E2FC4AC0FA591FA65E81CF209BBE7DC1D645076FE0F40BB05C
SHA-512:	2868F4C0E0F35B742FBA9E77AAA839372BEC632AB4D88DF2D4E92E3BBD855FF18F89FC1DA660714E59F00F0709ED6FFEAE4EBCB9BAC63FBC254721907A21DF86
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......GgF...(...(...(.x.$...(.a.;...(...&...(..%"...(..&,...(...).~.(...#...(.......(...,...(.Rich..(.................PE..L...\^5I...........!.....p...........g..............................................................................p...s...............C......................x................................................... ................................text....j.......p.................. ..`.rdata..............................@..@.data...l........ ..................@....idata........... ..................@....rsrc...C.......0..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\devtapi.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73774
Entropy (8bit):	4.786531851506525
Encrypted:	false
SSDEEP:	384:c3QS8iD/HXPNEuSaL+3dNfQubYqBPbmN//aGdBV/GLNwSpKoe92wOVf5R9f57A5k:EBDDP1EJvQ3//GLuSpKABokX3
MD5:	8AB56C9F790B16E4CB5F221BD8FEC6C6
SHA1:	891EB6B43BB76657B028E0CCCD88DA8E0B721DD3
SHA-256:	05CD8A739D20A9A033EC4DF0BE5611E303FE67553B65805674537C68C6CCC24C
SHA-512:	B3699E2E6C149ADAC10D45C57B2E3D37974CE00B152A5974351B2BE055FCE16E1697FC2932BF1CC1B6D3BEE4156E1177F960D72BA241CD927A8DE473291FBC40
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m.G...G...G...%...E...<...E...G...F......F...A...B.......E...G...y.......C.......F.......A...RichG...........PE..L...W^5I...........!.........p......59....................................... ..........................................t.......d...............................(...................................................8................................text...4........................... ..`.rdata........... ..................@..@.data............ ..................@....idata..............................@....rsrc...............................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\devtlnet.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57392
Entropy (8bit):	3.773738549405251
Encrypted:	false
SSDEEP:	384:Ym3k3Xw9jB8NgVNsrPUNrd/cdd30AlVka/9QfoEL6FPQwr7PfKD:63A9V8SYoNSv37nbibC/CD
MD5:	2593E82FF9BD1E732073FA61C9443C58
SHA1:	ECFC317E6EBB9895456EC83913A6025A69671AFD
SHA-256:	B70F8F953BF846E900DDABBBEAC34785578608FAE2AA96B8BCB35EEE6C261F44
SHA-512:	21BBDB8BC827054EC83723B78408D7DE8EB0B1E16D3BD63609F15045886100ECAF6BA55CEF20F8882097BA02B45B0CA93AB8A76C4BA8F4DFDE4788F4B712CD95
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W.K.9.K.9.K.9.0.5.H.9.).*.M.9..7.J.9.M.3.N.9...=.I.9.K.8./.9...2.I.9..?.J.9...=.M.9.RichK.9.........PE..L...Y^5I...........!.....`...p......QO.......p......................................................................pr..u............................................p..............................................l................................text....Q.......`.................. ..`.rdata.......p.......p..............@..@.data............ ..................@....idata..............................@....rsrc............ ..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\emtecrt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.482748071127331
Encrypted:	false
SSDEEP:	6144:dRMW7+AlcUD8tbALEkPnvJMlr11RqQtCH9FMWiFaNF7R5LK61hKm:dZDcUyAl/k5tCV5BBx
MD5:	AE1C7BB7A3C4DB5DC6FFD58AD13C47D1
SHA1:	AC0851C6278C572A96BB15AA81122C162DBC8E43
SHA-256:	7C80667337192BF301F6A2368841B0EE86732E3B489A922325EF116BAD29F000
SHA-512:	808224F8BC8477833C00C937D64C96ACA38F60E7CD676ACD8AD6C199F23FCA9282FDA35E1BB0A7C3C1154373EDBAB24E189F4C23495B425C78FCC670757FD537
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>...z~..z~..z~...a..y~..z~...~..\|]...~..a..w~..a..Z~..x..{~...b..;~..\|].....^..{~..Richz~..........PE..L....$.?...........!......... ......tp.............x.................................$..................................Q<......(................................"......................................................D............................text.............................. ..`.rdata..!m.......p..................@..@.data...(h...0...P...0..............@....rsrc...............................@..@.reloc..J%.......0..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\emu3270.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53294
Entropy (8bit):	4.351503374256036
Encrypted:	false
SSDEEP:	384:oBU9EbAmyRjHVPjFA8IbT/gTlD4G3TU7pYiQwOvZmoxZF6wZcT9295/1fKrf47:oLCRjHhjicTOGo2fR7ZF6+ag
MD5:	79A8C1025828A34C858DFB4130994F4F
SHA1:	040FB1BF157E7FBDC152270C4ED4E6CD37B30CBD
SHA-256:	0345CA114FCE2BC1055C4B5903078FF75A76A2175D69A897300A654F8BEAD00A
SHA-512:	2AECB204E5901CDB53EA27E86226E67EB9B6CAEEC60C33E7F179BD3BC97D3BB7EB00BA105462A62D243C2B338347A386E28970926870A7405CE0F049F204281B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&m.GG..GG..GG..<[..EG..%X..EG...[..FG..Ad..BG...g..EG..GG..oG...X..CG...A..FG...X..AG..RichGG..........PE..L...]^5I...........!.....`..........ZU.......p............................... .......................................r..t.......d....................................p..................................................h............................text....U.......`.................. ..`.rdata.......p.......p..............@..@.data...<j....... ..................@....idata.."...........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\emu5250.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98350
Entropy (8bit):	5.60607986767422
Encrypted:	false
SSDEEP:	1536:qpgoG3ubMwBrZT9TAIzdhQDJK8U61BuDSdUc44Mv8PWLvCZjQ:qToubMg9TA4Ul5yGWL6Q
MD5:	DDE06E0CE5569E5D349FAEF43B397B81
SHA1:	944D5BC18B2C60AA535BEF51339CCAFDA435783A
SHA-256:	3C83FC50809DC731C39F6858AEADDFD0C07CEA18C5D48399EFF025C06E9C3F38
SHA-512:	132EBF51D792962453B09C059FC84C99221E3DB8C03F2256A1A50DA22BD0B5B886850855E25B82429946D86C4CA0485922B1180630FCC0BEF04797C962723C62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n...........................Q........,......-/.............:.......j.......:.......Rich............................PE..L...]^5I...........!................+...............................................................................0...t....P..d....`.......................p..@...................................................dR...............................text............................... ..`.rdata...1.......@..................@..@.data....9.......@..................@....idata.......P.......P..............@....rsrc........`.......`..............@..@.reloc../....p.......p..............@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\emuansi.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	45102
Entropy (8bit):	3.9544505323892722
Encrypted:	false
SSDEEP:	384:igMT3/pJrEH3Lt+RiV7K47S/dxSnEzXsKL5KP2xL7tT22wg2C9RSwO7:ij3r+u+qx02XDNu2Bx22zVbO7
MD5:	749DCD72564475D9B75394937507CF80
SHA1:	B6E24DBC4425524C5987D0E54FABE37CDD9CB76D
SHA-256:	D9BB7413A3B21156E0186D25CDAA7BA6FC89096783EA64FB3A4BA34CB1EEE553
SHA-512:	98049887BEAE10733D5D3A166390E5181D4A1271596975FD5218A42CE7C9F65275B3BD1829A5A77C9389242A4F0A1929D0AD5249235B8BBC04106C206070FF24
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I.....u...u...u.v.y...u.o.f...u.......u...q...u...t.<.u...~...u...s...u...q...u.Rich..u.................PE..L...^^5I...........!.....P...P.......L.......`.......................................................................b..t.......d....................................`...............................................................................text....N.......P.................. ..`.rdata.......`.......`..............@..@.data........p.......p..............@....idata..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\emuqnx.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41004
Entropy (8bit):	2.7027385698206
Encrypted:	false
SSDEEP:	192:bouceMonmCUXO+bBCa8XL7heyvVrs+1aBGvujVw8wtp/OlZ1S9mu:boSmCwtbs5dVQMEhw8wvV9mu
MD5:	5BEE6A7F6338F3524DC0F84801C865CE
SHA1:	E47BB33F0D4726DCE439C282815111D4CE606627
SHA-256:	79C82549649EADC953476181057AD8C54B1D4E31AD799AA104598814CA7F9309
SHA-512:	21B34B018500854157E779C0CE679A375AA54A8E8F8EECB948CC2694405CEB4EB4E163269350A9B81EFB2DD8FE679BB8C50EB91E980130AE7C39106CC05E5247
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1\_.u=1.u=1.u=1.."".w=1.s.;.p=1...5.w=1.u=0.h=1..":.w=1..;7.t=1.."5.s=1.Richu=1.........PE..L...^^5I...........!.....@...P.......0.......P.......................................................................R..s....p..d.......c............................P...............................................q..4............................text....2.......@.................. ..`.rdata.......P.......P..............@..@.data........`.......`..............@....idata.......p.......p..............@....rsrc...c...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\emutty.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32812
Entropy (8bit):	1.6862333581582454
Encrypted:	false
SSDEEP:	96:EDcDAWOlyzUP98mJU5DgWV+pQpKWhS98/c2i:EDcDAlyzUP98mJU5DaUK8S98c/
MD5:	16433D8569BA6E5DB11DCB7705FFCCD7
SHA1:	AB4B21BFA1C1B8D62B64901BB83184074EB0E014
SHA-256:	98101AD3FE9C19A14AE46736680F06BF3B5FC66C713AB99D24CCB5AB13239C29
SHA-512:	A7743DB5AE0E34AA6F29C1A16261EBC5F1CC450838D26FF08415F2D73CEBA41DEFD40579D651B4F14F8291624B10AF483639D9649388AB2E8FE87083B24715AA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t............................J...............]...............].......Rich............PE..L..._^5I...........!..... ...P...............0.......................................................................2..s....P..d....`..F....................p..4....0..............................................lQ...............................text...6........ .................. ..`.rdata.......0.......0..............@..@.data...`....@.......@..............@....idata.......P.......P..............@....rsrc...F....`.......`..............@..@.reloc.......p.......p..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\emuvt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61482
Entropy (8bit):	4.415492076383275
Encrypted:	false
SSDEEP:	384:WNMqmbG+MTVy8yzkL6Fdw/DM59xgXjv/yoc/zS7hL9Zu7+pi0HP3txo2D1Q56+sF:xkVj56ftAVc/z4PZ3pv3k5dsIQmZex
MD5:	E4D5C13B15A40B4B7E18686E73B3AE4A
SHA1:	08877943CFE7058E40415F3AA32B9DE7CC71DEBE
SHA-256:	64B4976E7F511A0893C7DDE50D500329B2B2780377579B8BF06CD834C29423AC
SHA-512:	5AFADA6AECF6A6430CD92803D60E9C4E83FFF0FC272A8644A73B3EDA899EB9FA9EFE29FBF860D3364AE67CC4445257227A981485811BD68E4C0E7CE79E8065A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......en..!...!...!...Z... ...C...#....... ...',..$..../..#...!..........."....... .......'...Rich!...................PE..L..._^5I...........!.....p...p.......k..................................................................................r.......d.......&.......................P....................................................................................text...Wm.......p.................. ..`.rdata..............................@..@.data...t........ ..................@....idata..............................@....rsrc...&........ ..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\emuwyse.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53294
Entropy (8bit):	4.246433740888109
Encrypted:	false
SSDEEP:	384:bUJmI8bd6AtBZb4gsZSsmraopfhzXUBh+pvuynKCGsT0ZPXGe5RnbYLNhBgUhYqK:z/B5kgnraoHXghivucelZ+e556vgL4w
MD5:	E3559327F44EF076D8AE871E78E793B6
SHA1:	19F62637613E365E67D3A81768D8ED8F5E728E08
SHA-256:	2BFF04532CE2B94A37040527F7E43C3C957764B3001858771C90A822645FD17B
SHA-512:	9BF1F71002168BF8DE6FBFC2E5B84B578275C40FB8A0F2D24B95AF5B34C9EE8E514BEC66546515AC90F6EAA09E30050D951C7C61DABC9279A769BE774F4D144A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o..Y..Y..Y.."..X..;...[.....X.._-.\....[..Y..j.....].....X...._..RichY..................PE..L...`^5I...........!.....p...P.......c..................................................................................t.......d....................................................................................................................text....e.......p.................. ..`.rdata..............................@..@.data...............................@....idata..............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\jingling.wav

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 22050 Hz
Category:	dropped
Size (bytes):	42044
Entropy (8bit):	7.26208833033609
Encrypted:	false
SSDEEP:	768:+3yxIuPvUsUNZ93Pczrw9P3sN/nfBhhyrBikjFI6RjGnLlX:QaUZN8zrw9PO5ehC6R8BX
MD5:	1EDB666DB90FD25360679D364FB3CEA0
SHA1:	BB90B7F89A0D0D54E18D45F8705151FAE7C26D5F
SHA-256:	DEC7D894F9A3778F738159ABD2DF39ECA6848358A9B05FD37F74800F1DB6044E
SHA-512:	4F767A17E63A1D7C9E43F4D3B50A4E056468313314BFEDE481DF20C8D197F28523C1FD5D88D09BD2AE4901B514D16A96D301332D568DECC1CA15BF42652E6002
Malicious:	false
Preview:	RIFF4...WAVEfmt ........"V..D.......data....\|.......~.u.p.r.z.y...s.j.h.p...~.x.x.z.\|.....\|.}.y.e.\|.p.g.x.....m.......}.z...z.j.f.`.b.w.....w.r...}.[.f.....q.........y.d.\|.o.........\|.~.~.}.~.u...u.\|...\|.\|...e.X.f.y.{...z.v.y.......\|.....y...x.t.....u.k.........{.t.i.v.u.~...q.{.s.[.v.\|...........t.q.......}...s.........\|.t.n.s.....s.............m.q.....}.......r.}...x.y.........u.y.t.z.............{...............................~.............................w...............................~...........k.........}.\|.d.{.....{.......{.[.z...{.{...u.~...y.W...........w...........".............D...,.}......@.............}.C.....:.....r...........B.....%.q...........7.............R.Z...y.............#.......d...&....=.3.\|.:.......m...b.%...+.a.....`.........U.i.L.Z.n.S...J.".....+.......>.....8...e.,................M.N....... .........O.......b.F.t.......'.......%.+.....w...........p.......".....j.<.}....L..t.g.}.>..1...f.y................o.........h.i...!...P...x...}.....W...e...

C:\Program Files (x86)\ZOC5\license.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	9193
Entropy (8bit):	4.720150069783411
Encrypted:	false
SSDEEP:	192:yaVTEG5oNKJcrYVNeODY+anQzXqGEIvy0PgaaE:nVTEWoNKJcfEzJgdE
MD5:	E8A159A0357B073EEB4D7D75C42E7264
SHA1:	46D6AD8CB8A7E9AC9E1897CEF16AD83ED0063060
SHA-256:	8D945D5BF835E6E90F934E8B45D1B759AA885C72FCB46C07905FCAF339E8DD01
SHA-512:	CE3726A6BA9EE2EFB3B7FD66308713B26D7F42258C398E64BB1EBB68E2FD62CFEF9845994697DBAD9E0A1F2CAF6DD22FB5D495F45578655CC4B452565F94BED6
Malicious:	false
Preview:	.. INTERNATIONAL LICENSE AGREEMENT.. .. If you live inside Germany, this agreement does not apply to.. you. Please read the agreement outlined in LIZENZ.DOC instead.. or, if LIZENZE.DOC is not available, ask EmTec for a copy of the.. German license agreement... .. This is a legal agreement between you, the end user, and EmTec,.. Innovative Software, Markus Schmidt ("EmTec")... The EmTec ZOC Communications Software program version 4.xx.. (the "Software") is licensed by EmTec for use only on the terms.. and conditions set forth in this document. Please read this.. license agreement carefully. If you download the Software you.. are indicating to EmTec that you accept and agree to be bound by.. the terms set forth in this document. If you do not agree to the.. terms and conditions set forth in this document, you agree that.. you will not download the Software and we thank you for your.. interest...

C:\Program Files (x86)\ZOC5\lizenz.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	9974
Entropy (8bit):	4.497257544659393
Encrypted:	false
SSDEEP:	192:LEA3V72K5Y2drDFv50gnEvEoicVtEZOkgiCVgAIIUIJSGgH9SH7Bv5IjM:YKqynFvSVYg5TJSHSH7ngM
MD5:	FFE41046AF6927238133068704F95EF1
SHA1:	2B82A9D23F65CEFF269C17BAD81F9F2912B906B5
SHA-256:	D684D326A272DD0223D83433500E5A1768C3DD82208C85B2AB8FA6196C629740
SHA-512:	286BDE83899C7235CF05607C6B7BEBBCC9523D6B7D2015AB1F0363156802EAFB34E63EAF7E2B8714D53810912F34AADFBF77AF62156C8C120B6DA51A8A22BE35
Malicious:	false
Preview:	.. LIZENZVERTRAG F.R DEUTSCHLAND.. .. 1. Vertragsgegenstand: Vertragsgegenstand ist eine Nutzungs-.. erlaubnis (nachfolgend Lizenz genannt) des Computerprogramms.. ZOC, die die Firma EmTec, Innovative Software, Markus Schmidt,.. (Sitz: Kirchenweg 14, 90419 N.rnberg, Tel: 0911 7406856 Fax: 0911.. 7406857, nachfolgend EmTec genannt) interessierten Personen.. (nachfolgend Benutzer oder Lizenznehmer genannt) einr.umt... Hierbei wird ausdr.cklich darauf hingewiesen, da. es nach dem.. heutigen Stand der Technik nicht m.glich ist, Computersoftware.. zu erstellen, die in allen Kombinationen und Anwendungen.. fehlerfrei arbeitet. Vertragsgegenstand ist daher ein.. Softwareprodukt, das die in der Bedienungsanleitung.. beschriebenen Leistungen erf.llt und dessen Fehlerfreiheit dem.. Stand der Technik entspricht... F.r die Pr.fung der Verwendungstauglichkeit des Programms zur.. L.s

C:\Program Files (x86)\ZOC5\newuserprofile\Introduction to REXX.PDF

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PDF document, version 1.4, 9 pages
Category:	dropped
Size (bytes):	82452
Entropy (8bit):	7.889896102760033
Encrypted:	false
SSDEEP:	1536:OYMxsszUS+5tYpHFk9LIhIdYuvrTlx/be4+opb90Aa:Oxs2SOlIdYunzt+eaAa
MD5:	C5D1971E682CE12FEE68FC8B0DB87AD8
SHA1:	727746711982880B667C6B088ADB76AB049C3F4D
SHA-256:	ADF712B5322C770A2EF5E13CA44952EF14CDF82D0BE37DF9189DA0C1CAD7CA42
SHA-512:	D80E6624F2A89CB90E6FFC9DA2194EEC7E093F2B8ED1114DC866E212D5CC91FF7B2DA249C59E207CF5A4C4E6D9139889490F3694EF46DC860D9AB3EADE40BCF0
Malicious:	false
Preview:	%PDF-1.4.%.........5 0 obj.<<./Length 6 0 R./Filter /FlateDecode.>>.stream.x..._.m9q..........Z^..WF.....0.Iw....4.L ..........>...\|D.!...].W...r.;.\|.[.m........\|...........?..\|;..>..w?...>..7>...........+.q....].....T8......)..3.KA......#p.:..?..lo.....m...Y.kE...n..oo..c..h.G. ...>...........~.../..?..W[h...W...........A.>..Y..GO..v..T...+.,....hy.....-...@.Q......u.....\g....\|F...t.[....6.....3....?..........(t.^...}...<....c..i.....1(..[..V...V.S.{....e._(\|5E..?9I...q.w.C......V.3.....\.R..]..?..y.]zV...LQJm;<...Lx......v....j._(............"!.B.%H%Ad8..\|.D.~.kTz...\........%..../.. ...h\..c.U.).X....vA..C%.s.......G..{.....?v.....jL.V..&(...BO.5?R.`T.J...RW".`.._.\|.4^.._\|A<..:..U.)....e..g.i...p....'....6X.%-$Xw...&.X.;1n../.&.:.&<-}..~..\|njO..L...L.......jeh....W.5.x........m........S.z.F}.+}^.+.n\|...*.(mj&T4....PQa.'T..`m.[....%..L.R.?..0............4...8..N.P..h...............n-.W.<....?.]p...n.g...,6{.;...E...RVH...P...

C:\Program Files (x86)\ZOC5\newuserprofile\Options\3270.zoc

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	5.206987889396174
Encrypted:	false
SSDEEP:	96:NJfKtot6L5XXORrMsgagxq4B/OKttWXOlrjeDP:jfKtot6L5ORI6gU4B2KttameDP
MD5:	C2CD4258D2E1EA353A5B4343B1AA308D
SHA1:	9053EF06625079AB51981F7635EF285FE84FD0AE
SHA-256:	F4022DA38EBADF01D42385C114057FE151B5CD2F90E7C6FE27A68346263F5315
SHA-512:	FFAED7B9944D1413C14050021B1E4F1C91D533AD4D786D0BDACB38E1DA20D14011FAF7AB1947AFEFA52E47412887BAB1731134320B5DCB0312D37449A236FADC
Malicious:	false
Preview:	ZOC 4.14....[OPTS_DEVICE]..ActiveDevice=3..DeviceOpts#00=""..DeviceOpts#01="[1]38400-8N1\|9\|250"..DeviceOpts#02=""..DeviceOpts#03=""..DeviceOpts#04=""..DeviceOpts#05=""..DeviceOpts#06=""..DeviceOpts#07=""..DeviceOpts#08=""..DeviceOpts#09=""..DeviceOpts#10=""..DeviceOpts#11=""..DeviceOpts#12=""..DeviceOpts#13=""..DeviceOpts#14=""..DeviceOpts#15=""..TimeoutString="^!"..TimeoutControl=1..TimeoutTime=0..Standby=yes..NoStats=yes....[OPTS_TERMINAL]..ScrlLock=2..BackSpace=yes..CtrlChars=no..DumpMode=no..AscTrace=no..BinTrace=no..StripHiBit=no..Echo=no..Host=no..InCR=no..Beep=maybe..Software7E1=no..DoTrans=no..EchoCrOnly=no....[OPTS_CAPTURE]..CaptStatus=no..CaptDc2Dc4=no..CaptHeading=yes..CaptAppend=yes....[OPTS_TRANSFER]..TransAltDir="QW?\|GIF\|JPG"..TransAutoRemove="TMP"..ActiveTransfer=2..TransferOpts#00=""..TransferOpts#01=""..TransferOpts#02=""..TransferOpts#03=""..TransferOpts#04=""..TransferOpts#05=""..TransferOpts#06=""..TransferOpts#07=""..TransferOpts#08=""..TransferOpts#09=""..Transfer

C:\Program Files (x86)\ZOC5\newuserprofile\Options\5250.zoc

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7459
Entropy (8bit):	5.187363026269914
Encrypted:	false
SSDEEP:	96:NBeEfQto6ByR05DL5uH4Rw+0dpgagxq4B/OKttWXOlrjeDu:7DfQto6URcDL5+4RIhgU4B2KttameDu
MD5:	35E00E6D697A8D6314EB57C2C0CE8E4A
SHA1:	EDA98F72CE8FEEBFA3B24A8E7331F9846E084FED
SHA-256:	6D7CD2C875B9E222937D2CFFE8710F9BF20893FC14243DD07D76C2F39E493AAE
SHA-512:	AC8C0AA55D25D8B625576D8451209EDC67778512F0F8BDBD2D5A4BD97D29ED63C391BD72168506307530BD1DEA7E06BD426F8BECF528B0D115B312ED2DBDADF8
Malicious:	false
Preview:	ZOC 4.14....[OPTS_DEVICE]..ActiveDevice=3..DeviceOpts#00=""..DeviceOpts#01="[1]38400-8N1\|9\|250"..DeviceOpts#02=""..DeviceOpts#03=""..DeviceOpts#04=""..DeviceOpts#05=""..DeviceOpts#06=""..DeviceOpts#07=""..DeviceOpts#08=""..DeviceOpts#09=""..DeviceOpts#10=""..DeviceOpts#11=""..DeviceOpts#12=""..DeviceOpts#13=""..DeviceOpts#14=""..DeviceOpts#15=""..DeviceOpts#16=""..DeviceOpts#17=""..DeviceOpts#18=""..DeviceOpts#19=""..DeviceOpts#20=""..DeviceOpts#21=""..DeviceOpts#22=""..DeviceOpts#23=""..TimeoutString="^!"..TimeoutControl=1..TimeoutTime=0..Standby=yes..NoStats=yes....[OPTS_TERMINAL]..ScrlLock=2..CtrlChars=no..DumpMode=no..AscTrace=no..BinTrace=no..StripHiBit=no..Echo=no..Host=no..InCR=no..Beep=maybe..Software7E1=no..DoTrans=no..EchoCrOnly=no....[OPTS_CAPTURE]..CaptStatus=no..CaptDc2Dc4=no..CaptHeading=yes..CaptAppend=yes....[OPTS_TRANSFER]..TransAltDir="QW?\|GIF\|JPG"..TransAutoRemove="TMP"..ActiveTransfer=2..TransferOpts#00=""..TransferOpts#01=""..TransferOpts#02=""..TransferOpts#03="".

C:\Program Files (x86)\ZOC5\newuserprofile\Options\7bit_to_dosibm.ztr

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.113006473123906
Encrypted:	false
SSDEEP:	3:qNLjZyZY2Qyitpo0ZjwH5/URkyqo/vUsQss7vqgtv:CjoZ/QyiPogjwuR5qYU9ss7vbtv
MD5:	7A011D4EF7B7F62D428006D2301161CE
SHA1:	08AAB427BF5ACDF0FC20B2C7C3715B06E66A2BEB
SHA-256:	F85586E72E3802BF2B77EF0B49654DB54D0FCCC5E2BABA05290CAD9921B2C14C
SHA-512:	EF4BB0CF87F42110DE60C30DE1B9043E896904ACE49E8BF1E2258EAAAD24985C9D4059314B1CB1E5D5A1B165B9112235BC7884293537A8FCA260041D81AD5808
Malicious:	false
Preview:	ZOC3.93 // TRANSLATE..I\|5B\|8E..O\|8E\|5B..I\|5C\|99..O\|99\|5C..I\|5D\|9A..O\|9A\|5D..I\|7B\|84..O\|84\|7B..I\|7C\|94..O\|94\|7C..I\|7D\|81..O\|81\|7D..I\|7E\|E1..O\|E1\|7E..

C:\Program Files (x86)\ZOC5\newuserprofile\Options\7bit_to_linux.ztr

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.113006473123906
Encrypted:	false
SSDEEP:	3:qNLjZyZY2Qyitpo0ZjwH5/URkyqo/vUsQss7vqgtv:CjoZ/QyiPogjwuR5qYU9ss7vbtv
MD5:	7A011D4EF7B7F62D428006D2301161CE
SHA1:	08AAB427BF5ACDF0FC20B2C7C3715B06E66A2BEB
SHA-256:	F85586E72E3802BF2B77EF0B49654DB54D0FCCC5E2BABA05290CAD9921B2C14C
SHA-512:	EF4BB0CF87F42110DE60C30DE1B9043E896904ACE49E8BF1E2258EAAAD24985C9D4059314B1CB1E5D5A1B165B9112235BC7884293537A8FCA260041D81AD5808
Malicious:	false
Preview:	ZOC3.93 // TRANSLATE..I\|5B\|8E..O\|8E\|5B..I\|5C\|99..O\|99\|5C..I\|5D\|9A..O\|9A\|5D..I\|7B\|84..O\|84\|7B..I\|7C\|94..O\|94\|7C..I\|7D\|81..O\|81\|7D..I\|7E\|E1..O\|E1\|7E..

C:\Program Files (x86)\ZOC5\newuserprofile\Options\7bit_to_vt220.ztr

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.051572559025934
Encrypted:	false
SSDEEP:	3:qNLjZy8o1QoVZvRfgaCuRpU3y4VZB3HaAovfXqfqvn:Cjo8/2UaCuR+3RVP6Nvf68
MD5:	CCBE187B718F7DAD8318F9152EA3B83C
SHA1:	AE82B1A3203CC77445E5FFDC94022C2B49114DD4
SHA-256:	877EA0A397BEB0DCB6D6F4252A38BD98EC71F443514716CA157FBBF057389A3D
SHA-512:	F2281F17A9645ED01700BB9BC0606EA9180D9F7F86B308C5917B2094538E13ECC62CAE4AF56A5FD17E27B25A0996E6996573023FC6D825E44CFD74BC83843B6E
Malicious:	false
Preview:	ZOC3.93 // TRANSLATE..I\|5B\|C4..O\|C4\|5B..I\|5C\|D6..O\|D6\|5C..I\|5D\|DC..O\|DC\|5D..I\|7B\|E4..O\|E4\|7B..I\|7C\|F6..O\|F6\|7C..I\|7D\|FC..O\|FC\|7D..I\|7E\|DF..O\|DF\|7E..

C:\Program Files (x86)\ZOC5\newuserprofile\Options\7bit_to_winansi.ztr

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.051572559025934
Encrypted:	false
SSDEEP:	3:qNLjZy8o1QoVZvRfgaCuRpU3y4VZB3HaAovfXqfqvn:Cjo8/2UaCuR+3RVP6Nvf68
MD5:	CCBE187B718F7DAD8318F9152EA3B83C
SHA1:	AE82B1A3203CC77445E5FFDC94022C2B49114DD4
SHA-256:	877EA0A397BEB0DCB6D6F4252A38BD98EC71F443514716CA157FBBF057389A3D
SHA-512:	F2281F17A9645ED01700BB9BC0606EA9180D9F7F86B308C5917B2094538E13ECC62CAE4AF56A5FD17E27B25A0996E6996573023FC6D825E44CFD74BC83843B6E
Malicious:	false
Preview:	ZOC3.93 // TRANSLATE..I\|5B\|C4..O\|C4\|5B..I\|5C\|D6..O\|D6\|5C..I\|5D\|DC..O\|DC\|5D..I\|7B\|E4..O\|E4\|7B..I\|7C\|F6..O\|F6\|7C..I\|7D\|FC..O\|FC\|7D..I\|7E\|DF..O\|DF\|7E..

C:\Program Files (x86)\ZOC5\newuserprofile\Options\Standard.zat

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	379
Entropy (8bit):	5.040496853090476
Encrypted:	false
SSDEEP:	6:+oVO2IU9D/c6bDwBoJ7oIwBuG7oIwBE7oIwB4K7g7oIwBtdQaBGwqkdLbBG4DIV3:+oVwU9D/bcoJ7obBuG7obBE7obBY7obo
MD5:	61A0C8380AF3F4399B42859CDEC7716C
SHA1:	CD15CE9338799DB7816DF2DE1830DE929AC735DE
SHA-256:	664FDA31E23CE761AD701F90D65B006DDC62ABEECBBBEE207120D6D601BC368C
SHA-512:	FA259355CC94109248C80BF6FEE131BE1AB2ED138DC11B1A04641F3BAB0CD450F1968AECDCAA5E6CE651858A8CDD360039543727AB24077F9EF9DCAED297EEA9
Malicious:	false
Preview:	ZOC 5.00 AT COMMAND PROFILE..ModemLoadInit=yes..ModemInitCD=no..ModemDtrHangup=yes..MdmIni="AT&F^M"..MdmDial#00="ATDT ^#^M"..MdmDial#01="ATDT ^#^M"..MdmDial#02="ATZ0^M~~~~ATDT ^#^M"..MdmDial#03="ATZ1^M~~~~ATDT ^#^M"..MdmHangup="+++~~~~ATH^M"..MdmAnswerOn="ATS0=1^M"..MdmAnswerOff="ATS0=0^M"..MdmDtrOn="+++~~~~AT&D2^M~~ATO^M~~^H^H^H"..MdmDtrOff="+++~~~~AT&D0^M~~ATO^M~~^H^H^H"....

C:\Program Files (x86)\ZOC5\newuserprofile\Options\Standard.zoc

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7601
Entropy (8bit):	5.228091077364758
Encrypted:	false
SSDEEP:	96:czeEDutIBn05PKktRwfwBkdpgagxq4B/OKttWXOleMD2w:8DDutIBcP5tROekhgU4B2KttawDP
MD5:	27DA6834266E810B7181E3002DC8E4CE
SHA1:	B8BF95CE9E1FF684F080DDA80FE4C4D2446CA73B
SHA-256:	681A873F2F05C2B562A45856453CFB7463E68B3D3B4D6B7C1B272852829A8AAF
SHA-512:	A0FE06056C8BD94C5302278256F6368A3BB410DAC397CD3477325BD3AC79A66710F9DBE120276C74CB42E2EF43DA3131C049C7ED9FACE5FF7AD1E2F124DF3A75
Malicious:	false
Preview:	ZOC 5.00....// OPTS_DEVICE..ActiveDevice=-1..DeviceOpts#00=""..DeviceOpts#01="[1]:38400-8N1\|9\|250<Standard.zat>"..DeviceOpts#02=""..DeviceOpts#03=""..DeviceOpts#04=""..DeviceOpts#05=""..DeviceOpts#06=""..DeviceOpts#07=""..DeviceOpts#08=""..DeviceOpts#09=""..DeviceOpts#10=""..DeviceOpts#11=""..DeviceOpts#12=""..DeviceOpts#13=""..DeviceOpts#14=""..DeviceOpts#15=""..DeviceOpts#16=""..DeviceOpts#17=""..DeviceOpts#18=""..DeviceOpts#19=""..DeviceOpts#20=""..DeviceOpts#21=""..DeviceOpts#22=""..DeviceOpts#23=""..TimeoutString="^@"..TimeoutControl=0..TimeoutTime=0..Standby=no..NoStats=yes....// OPTS_TERMINAL..ScrlLock=0..CtrlChars=no..DumpMode=no..AscTrace=no..BinTrace=no..StripHiBit=no..Echo=no..Host=no..InCR=no..Beep=yes..Software7E1=no..DoTrans=yes..EchoCrOnly=no..DoEnq=no..EnqString="ZOC^9"....// OPTS_CAPTURE..CaptStatus=2..CaptDc2Dc4=no..CaptHeading=yes..CaptAppend=yes....// OPTS_TRANSFER..TransAltDir="QW?\|MO?\|TU?\|WE?\|TH?\|FR?\|SA?\|SU?"..TransAutoRemove="TMP"..ActiveTransfer=2..TransferOpts#

C:\Program Files (x86)\ZOC5\newuserprofile\Options\dosibm_to_ansi.ztr

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.06198202052733
Encrypted:	false
SSDEEP:	3:qNLjZiZtdtVvdfkOBuNjMyqAZgZwyZBtHua2ZNyCq:CjcZllupM5AyPVHHSs
MD5:	A6A1C8FF5D1D02249DB9DEE328475CC0
SHA1:	507C7FC77F024C0FA6106EAEE34677D33ABE620B
SHA-256:	2FE24DC47E2A9BCBDB1F5BA3BA0D17178894DAB1581B861422EC6130447F9A9B
SHA-512:	00A43D17973E85674DC4B48DD8E735E4D3B06A12FB729EFBD2E0CD9A15146C58F53D9E808CDC5C779ABFFCE186872058F77B5A026280C53B2A993461708C2ABA
Malicious:	false
Preview:	ZOC3.93 // TRANSLATE..I\|8E\|C4..O\|C4\|8E..I\|99\|D6..O\|D6\|99..I\|9A\|DC..O\|DC\|9A..I\|84\|E4..O\|E4\|84..I\|94\|F6..O\|F6\|94..I\|81\|FC..O\|FC\|81..I\|E1\|DF..O\|DF\|E1..

C:\Program Files (x86)\ZOC5\newuserprofile\Options\dosibm_to_vt220.ztr

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.06198202052733
Encrypted:	false
SSDEEP:	3:qNLjZiZtdtVvdfkOBuNjMyqAZgZwyZBtHua2ZNyCq:CjcZllupM5AyPVHHSs
MD5:	A6A1C8FF5D1D02249DB9DEE328475CC0
SHA1:	507C7FC77F024C0FA6106EAEE34677D33ABE620B
SHA-256:	2FE24DC47E2A9BCBDB1F5BA3BA0D17178894DAB1581B861422EC6130447F9A9B
SHA-512:	00A43D17973E85674DC4B48DD8E735E4D3B06A12FB729EFBD2E0CD9A15146C58F53D9E808CDC5C779ABFFCE186872058F77B5A026280C53B2A993461708C2ABA
Malicious:	false
Preview:	ZOC3.93 // TRANSLATE..I\|8E\|C4..O\|C4\|8E..I\|99\|D6..O\|D6\|99..I\|9A\|DC..O\|DC\|9A..I\|84\|E4..O\|E4\|84..I\|94\|F6..O\|F6\|94..I\|81\|FC..O\|FC\|81..I\|E1\|DF..O\|DF\|E1..

C:\Program Files (x86)\ZOC5\newuserprofile\Options\standard.zky

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	136
Entropy (8bit):	5.1423689121079414
Encrypted:	false
SSDEEP:	3:qFu0/a6CXb5Q9Q2QpAq2oS4b9K5nTR32c7LKQWLhCw:QYXb5Qy1uYS4bSnTdLUFj
MD5:	1A54E33AF68277595634B09084CB407D
SHA1:	1363560BDC5B07DF34992C32366B78787DD1E139
SHA-256:	E761735658CCBD0BB265A598896189E4A810BB7BFFF1630CAE6903F65C3680CC
SHA-512:	67AD3C9D4458304644BC7694B56F4157A09BA5C3E8A0D00D14E2007CD856D5A86564ADFB60DCF5514C2408BFB0838CA9BA85F2455DD062C554C88B514E07FE5F
Malicious:	false
Preview:	ZOC3.00 // KEYBOARD..// scancode\|flags\|void\|void\|future\|future\|remap-string..// flags= binary 0,0,Alt,Ctrl,Shift,Ignore-Num,Scroll,Num..

C:\Program Files (x86)\ZOC5\newuserprofile\Options\standard.ztb

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	247
Entropy (8bit):	3.4069447517556832
Encrypted:	false
SSDEEP:	6:TVFf3OxVM/c9jT00mckKmLqbMzkTCKXswVRC61Ac3Nm:ZEY/MTz67LqWICksw7C61Acdm
MD5:	CD23D90408F40E9730DDC82473D83CBF
SHA1:	E0D40ACB84B2618DD9B5E6F35C9F17EB8B6B89A6
SHA-256:	180DF880DDD1A170D432F7E3E2351A4CE6F8926A58E0D9992DD070214BB59307
SHA-512:	540E55084AD630C26C5A3BF560A52D5EDBD816B78BC4EF459F63D602537AD92F510499CE10F4C0AF9A8AA8400A0FE21A0767C76815FB1000A75CEF76EA0C8DDB
Malicious:	false
Preview:	ZOC4.85..0 1 1..08200..08451..08452..08475..08499..08210..08490..08395..08393..08390..08456..08457..08360..08365..08367..08352..08370..08517..08516..08470..08471..08482..08484..08410..08479..08155..08215..08240..08255..08285..08250..08245..08286..

C:\Program Files (x86)\ZOC5\newuserprofile\Options\standard.ztr

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	157
Entropy (8bit):	4.864970826691657
Encrypted:	false
SSDEEP:	3:qFxlwak3YFi1QnpoaztAFq9dZ7YSnQzMRFVJ3MFgNP4JFK3AU:QxlkokLaRFvQ+j8ONwJFzU
MD5:	588562013C171D29DFEDDF935F0A1413
SHA1:	45DADF01B4873252CE7A9807E61EBC5DE2AC4DD0
SHA-256:	C2A999124134C4439E86A67D658DC55F55F714F3BEFC4A1F2C11D03C8D02387E
SHA-512:	F9D4C9B583F52180DEE9412626E94E67F7FEF2E3B738BD496B19C8E8B01B5604BF4A2EFFED398EE699D8619D8C3FFD285C3F31817CBBDEF49A111FA7C48F3234
Malicious:	false
Preview:	ZOC3.00 // TRANSLATE..// CHARACTER TRANSLATION TABLE (CHANGED ENTRIES ONLY)..// format: x\|Old\|New ..// x= I (inward) or O (outward), Old/New in hex..

C:\Program Files (x86)\ZOC5\newuserprofile\Options\winansi_to_ibm.ztr

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.06198202052733
Encrypted:	false
SSDEEP:	3:qNLjZToyh7Ht7ov55GUZdj/psVo0njUdM6W2n:CjloypZuhj2V/jUdM8
MD5:	8C4827EAB32AED3719B4EB5897CD2A49
SHA1:	BE1287F909BA9D8136105CD3D6DFA826C26FDDE8
SHA-256:	2C542703FF74BE150D4B460AB14E03705441834337397730C8DA80A32C6177B0
SHA-512:	9AB0017258708C1531CDD3E4BE033BAA26645C16F148CC35A60F307B8002D49667F0FD3961EC467AAAE51D114A5E9AAB338A1F9AE5B9BB14D6F10D2B7923A985
Malicious:	false
Preview:	ZOC3.93 // TRANSLATE..I\|C4\|8E..O\|8E\|C4..I\|D6\|99..O\|99\|D6..I\|DC\|9A..O\|9A\|DC..I\|E4\|84..O\|84\|E4..I\|F6\|94..O\|94\|F6..I\|FC\|81..O\|81\|FC..I\|DF\|E1..O\|E1\|DF..

C:\Program Files (x86)\ZOC5\newuserprofile\Options\zochosts.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2347
Entropy (8bit):	5.39625939318526
Encrypted:	false
SSDEEP:	48:TpPvvxQgY9/qGwIa9je4qjWkpzjT7YCXgjSwNDjrzjT7Y41gjSwH1SDjrzj4:F5Q7SdefHpfTlXyLPfTzyh6Pf4
MD5:	FB568290B72934C5208A49A6FD6CC8A1
SHA1:	A33EDF5E2973FD9478161104E9B96DE0C64C8F65
SHA-256:	4FA894A5259E519FCF377990C217BD4E3AA721EEDC0E69D3FF6307A5109885EF
SHA-512:	0CF77543BBF3084794A7C1E9165F17FED4589A049021572BD346B4F227D5BDBF599DFC7C1B8104D378D4A5A54249A066DDB1C29E2EDDB2A9AFFDC01AEF28332C
Malicious:	false
Preview:	ZOC 4.96 // X:\zoc\v5\workdir\Options\ZOCHOSTS.INI....# HOST DIRECTORY. LAST WRITTTEN 2004-06-05 16:51:10....<SECTIONS>..Flags=0..NumSections=2..Section#0=Samples VT100..Section#1=Samples 3270..</SECTIONS>......[ENTRY]..book=1..handle=1086446180..name="Library of Congress"..number="locis.loc.gov"..deviceid=3..emu=11..deviceopts="[3]0"..emulationopts="[11]00\|01\|00\|{swap}*"..first=no..dosimpledial=no..dialtype=0..qaccess=no..icon=0..username=""..password=y'Xs2hudnX5fGw3v/VCJqWgZXa4eqz1dPK+63T0KWHtp2xoO7FuaHf0/LJudbIhqaKh/yawdGjPRDo9FW3yoYXFA=='..authfile=""..authglobal=no..script=""..scriptparm=""..waitsend=""..learn=no..optfile="3270.zoc"..logname=""..dlpath=""..ulpath=""..keyboard="Standard.zky"..translate="Standard.ztr"..charset=0..protocol=-1..donewwinpos=no..newwinpos=""..ctrlfkey=0..newwindow=0..memo="3270 Emulation ... Library of Congress"..calldue=0..multimaster=no..iemsibits=63..iemsiwanted=no..calls=0..lastcall=0......[ENDENTRY]....[ENTRY]..book=0..handle=1086445972..name="New

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Internet Tutorials\Another Rexx Tutorial.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	Generic INItialization configuration [InternetShortcut]
Category:	dropped
Size (bytes):	168
Entropy (8bit):	5.133979352516949
Encrypted:	false
SSDEEP:	3:9mw32/0S4ASE9NEhQs1+1bABGQYm/0S4ASE9NEhQs1+2MDBuTVx0knVEN:8wm/r4ASE9NVFFVm/r4ASE9NVXMZXG
MD5:	334F676722A45FCE338BDACD6C7187A9
SHA1:	D36EA51318747F63D6CFAFD67A1C790B55716EA8
SHA-256:	DAF30DB014A597C1A9013ACF1D6281A51C351D0E3984FA261A5113751F3562F7
SHA-512:	A5B0A8EADBA0B479A48AF7653FC2CD25C47CA3C2E52881CF07D909DC3EEA3DB01967EAB5A713115D3A2B795DC32C1A417C6E76F762BDBB825A7328AEBD587CF8
Malicious:	false
Preview:	[DEFAULT]..BASEURL=http://www.kilowattsoftware.com/tutorial/rexx/..[InternetShortcut]..URL=http://www.kilowattsoftware.com/tutorial/rexx/..Modified=60421E6A6A2CC40185..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Internet Tutorials\The REXX Language (3rd Party Tutorial).url

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	Generic INItialization configuration [InternetShortcut]
Category:	dropped
Size (bytes):	200
Entropy (8bit):	5.239094115833339
Encrypted:	false
SSDEEP:	6:8wm/r4qpdOOEi0FVm/r4qpdOOEiVzlRsU:8wipAOIFVmFpAOBBRx
MD5:	66D3EA6678C8C1C928A3CB422507F991
SHA1:	DAD08BA648C7A4913833CD4ED878CD1C124DEAB1
SHA-256:	7378B84C53C86ABEA5567606DABE2B49C5446D023C8EB2D5CC6562B84DF718A6
SHA-512:	30919D7428DE6816E50BFF7BF35B409B92A679C7F0CCB747E0BE9B3082A1F00083ACD382890310FE8C339F0B29F38D27BA99EFD0C522CED64220A00B52B8391C
Malicious:	false
Preview:	[DEFAULT]..BASEURL=http://www.borg.com/~jglatt/rexx/scripts/language/language.htm..[InternetShortcut]..URL=http://www.borg.com/~jglatt/rexx/scripts/language/language.htm..Modified=40DA4CD8692CC40198..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Learning REXX from Samples Step by Step\10_printer.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	611
Entropy (8bit):	5.175413963129593
Encrypted:	false
SSDEEP:	12:UIIVKwq/GRK/WLE2Shr22txA1g/T2j3pHGtPHfh5HasUuv:3IVxweYfhqexA1gr2t4P/Da/uv
MD5:	8BF2D6621265E344CD0282548A6AC999
SHA1:	378DD96D6C3B4F3E9C76460823A8103BF799A7C7
SHA-256:	7F11600371D4F603024AA4911320E17AC48D3E0BA593C208E7EB58BB16637CC4
SHA-512:	CC7B96410CFE1F59B207F8FBDAC2536379C86CCCEDDCF3A30E834C80BD573CE49E3170FD40931903D454B04F2ED50B42519E94F7CBC953810933089DD1B95094
Malicious:	false
Preview:	/* REXX SAMPLE TO PRINT TO AN ATTACHED PRINTER /..../ REXX does not support printing directly. However, if you are using .. the VT100, VT102, VT220 or Linux emulations, output can be redirected.. to a printer, by using the VT-PRINT-ON and VT-PRINT-OFF sequences..... After printing is turned on, all screen output will be redirected.. to the attached printer ..*/....esc= D2C(27)..vtprton= esc\|\|"[5i"..vtprtoff= esc\|\|"[4i"....CALL ZocWrite vtprton....Call ZocWrite "Printing ..."....DO i=1 to 10 .....SAY COPIES(" ", i)\|\|"Hello World"....END....CALL ZocWrite vtprtoff....Call ZocWrite " done!"......

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Learning REXX from Samples Step by Step\1_first.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	477
Entropy (8bit):	4.985838011623867
Encrypted:	false
SSDEEP:	12:U2qFv8oG2Xr2qPSqq3MZE0j26/Wu7RGmOoa:tQ8N2qqaqqMEAJO6gxr
MD5:	E542B7B62FE76134BB656CF367DAB34E
SHA1:	BD58EB43148E8D13F2F441EDE3627A4D89A4B9B5
SHA-256:	EFB561370A22D367367FBD6A3F66D4B7AACF182175BBFA71FCD0410664B293D9
SHA-512:	BEB325CB1894AE3FFCA8D83C75098662E739D60889FF732861F437242B75EF0EDF8FABA56DE2640CDF8B6AB3921FBB3B2EC7E567DEA53CCAE44CD61367B155E6
Malicious:	false
Preview:	/* REXX /../ ^^^^^^ REXX programs always begin with /* REXX / on the first line /..../* clear the screen /..CALL ZocCls..../ set a variable /..WHO= "World"..../ output text and variable via string concatenation operator: \|\| /..CALL ZocWriteln "Hello "\|\|WHO\|\|"!"..../ Ask user for his/her name /..who= ZocAsk("What is your name")..../ print some text to the ZOC window /../ (this time we're using REXX's internal SAY command) */..SAY "Hello "\|\|WHO\|\|"!"....EXIT....

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Learning REXX from Samples Step by Step\2_ifelse.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	627
Entropy (8bit):	5.0165608006206615
Encrypted:	false
SSDEEP:	12:UxAmq2vv5RRNKCJra1KKEINuFgc6aGEdREuzV+1KA4MkZ8+FGBa:0q23PHla1ldwGvaGGEuzYcxMkbV
MD5:	2A9268861EB1185F224C04E0051D62C6
SHA1:	0E259F2A64B39AE88D7EF4A7A8A0623D9B3E86D2
SHA-256:	B5DD06CC2EE3E16A2FF93EC077500B8A7423189F7D44C34BF3946C033E3D634E
SHA-512:	F6C47505AA7C25FAD5957E1DF03595D69613DFE15435FE44DF136621122F9375073022D0B4C56ECE6F9E60C5631CFD032E839957D962831457DFA7042982806B
Malicious:	false
Preview:	/* REXX /..../ THIS SCRIPT SHOWS HOW DECISIONS WORK IN REXX /....CLS..../ show a nice request window to the user /..answer= ZocRequest("Do you like ZOC?", "YES", "NO")..../ here comes a decision with one alternative /..IF answer="##CANCEL##" THEN DO.. SIGNAL endit / jump to the end /..END....../ here comes a decision with two alternatives /..IF answer="YES" THEN DO .. SAY "Nice to hear that!"..END..ELSE DO .. / ANSWER=NO /.. SAY "Oops, are you really sure about that?".. SAY "(maybe you mixed it up with Hyper Terminal)"..END......endit: / target for the SIGNAL command above */..EXIT....

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Learning REXX from Samples Step by Step\3_loop.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	539
Entropy (8bit):	4.864272524556626
Encrypted:	false
SSDEEP:	12:UxAmqbqoAZzju15Im0ptBcKw5bCJ5MDEcuyPQA5ktwlxAAGxiWFnyoa:0q/AZzFmmIcHMDEcuyPZQ+qMWFnyr
MD5:	421CEB22C5AA75B5EFA784FC2A76380D
SHA1:	45B6BD7EBB3511D5A8474501F99305756C19D851
SHA-256:	834C2EF4EB69B3151FCD660DDF2589ED037846B61826524F6E2CEB964C037411
SHA-512:	B947BBA25F916BBE08077BD5707F07E1C7B7FF634EF79BFBDD97FD7653CBF88B7BECE7610E416F021D3954CC2EBFCB40059DD8CE13C512356A2A1AF67949DCCF
Malicious:	false
Preview:	/* REXX /..../ THIS SCRIPT SHOWS HOW TO LOOP COMMANDS /....CALL ZocCls..../ a simple loop (running three times) /..DO 3.. SAY "ZOC!"..END ....../ a loop running until the user answers YES /..DO UNTIL answer="YES".. answer= ZocRequest("Do you like ZOC?", "YES", "NO")..END ....SAY "Glad to hear that!"....../ a counting loop /..DO i=1 TO 11 .. IF i//2 \= 0 THEN / if i not dividable by two */.. DO .. SAY i": He loves me".. END.. ELSE.. DO .. SAY i": He loves me not".. END..END....EXIT....

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Learning REXX from Samples Step by Step\4_modem.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	341
Entropy (8bit):	5.0078133170210295
Encrypted:	false
SSDEEP:	6:Uyt9r9YZjKBANQ3nxbHIIPTsso5GbAIUg51/5qUSOTNroxNMewNroxXiI6oa:U6dBAq3aIPtcbgABkoNMeuox6oa
MD5:	6ECB7DCDB03A045B6BC1DD90B5B4CA64
SHA1:	A20D1052D85A722E589945849B66ADAAE20F0373
SHA-256:	E125606EEBACD70E51789D60BD7663EB717CC7C29C84E96B7BB6C0645E326F18
SHA-512:	10FA08B089C034352C1A49544455ABE594DB0212FEBA7EFE0B1C47EA63DBE961C827D266C28438BCF0AD387A34EFC284DDC1DC7EBE966C9F064319100A4DB677
Malicious:	false
Preview:	/* REXX /..../ send something to the modem and wait for an anwser /..CALL ZocSend "ATZ^M"..../ tell ZOC to wait 3 seconds max. /..CALL ZocTimeout 3..../ wait for answer */..timeout= ZocGetline()..IF timeout=0 THEN DO .. SAY "THE MODEM SEEMS TO RESET FINE!"..END..ELSE DO.. SAY "THE MODEM SEEMS TO HAVE PROBLEMS!"..END....EXIT....

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Learning REXX from Samples Step by Step\5_reply.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1181
Entropy (8bit):	4.82158349700145
Encrypted:	false
SSDEEP:	24:/f+T8jZ6IVWDwfJtrNdOVskFSJHcG7SbhTF0eASYPvXChrr:3A8zVAwRQWkibub0/vmr
MD5:	7A38FCEB1DA7DED6079618754B229AF6
SHA1:	511C65726B2FC5C2EC59BFB03C0B623CCB055721
SHA-256:	E0479181BCBCD776FE9B41E8B51FC3FDFB70D14648F80D5B348C64383D792AFC
SHA-512:	D5244689BA206823B65474181F160D95D2F1853132D915D21DB0DEB97C0DFBB5EBE9B73364609DEC9BB211531A8B229D7674B239A44903EC4EF66DE6856C7C58
Malicious:	false
Preview:	/*****************************************************.. AUTORESPONSE..******************************************************.. .. with the ZocRespond function you may setup automatic.. responses for incoming data. These responses are .. checked within a ZocDelay or ZocWait command... .. There is a limitation of 16 responses, each having.. 80 characters max... .. This is a example of how to login to a bbs and skip.. across the initial news (assumed that they have.. a "- press enter to continue -" prompt)... .. However, this is not the typical way to do a login;.. it is merely a sample to show the use of ZocRespond... ../....../ Setup a few replies for the login and form the info blurp /..CALL ZocRespond "Name", "ZOC^M"..CALL ZocRespond "Password", "SECRET^M"..CALL ZocRespond " continue -", "^M"..../ Dial in (no error busy etc. checking) /..CALL ZocDial "1234567"..../ wait until main menu and leave the work to the responses */..CALL ZocTimeout 3

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Learning REXX from Samples Step by Step\6_subr.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1315
Entropy (8bit):	4.637518650497564
Encrypted:	false
SSDEEP:	24:Ls8iTNnb8OS/TFEQUCi3sbQIArtnp8pISFIM/x9PNyN4HJZ:ANnY/TFEc1bQHn0ISjj1yUZ
MD5:	52FB14A0F75D22E620845ABDD0C956B1
SHA1:	A26A7FEB891A4A666A187060FA867E539AE792A7
SHA-256:	2C41135CF8E59C0EBF69A401B3AB48899866891E59CC62410674E453BB0802A9
SHA-512:	0DDF1BC30B528B94056956B2EEDAB03652FD7FBA0EC380907BCDA6B6B08F7D1580FC8E99AE62CB816D0B6C2244D1C961D774F70FC0E05CC2F15AEECE826D42A8
Malicious:	false
Preview:	/* REXX /..../ This program lets the user enter a value. It is done in a sub- /../ routine with global variable space that modifies the variables /../ of the calling program part. Then another subroutine checks if /../ the value can be divided by any other number. /....CALL ENTERIT....IF HAS_DIVIDERS(number)=0 THEN DO .. SAY number\|\|" is a prime number!"..END..ELSE DO .. SAY number\|\|" is not a prime number!"..END....EXIT..../ Below is a subroutine. It has access to the varibale pool of the /../ calling program. Of course, this could be done in a more elegant /../ way. /..ENTERIT:.. SAY "Please enter a number (up to 1000)".. PULL number.. RETURN....../ Below is a function. The word PROCEDURE was added, to give it a /../ local variable pool. Exchange of data with the calling program is /../ done through argument passing and zocresult return mechanism.

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Learning REXX from Samples Step by Step\6a_subr.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1295
Entropy (8bit):	4.59138834143411
Encrypted:	false
SSDEEP:	24:Ls8LaS3L/TFEQUCi3sbQIArQgL8pISFIM/x9PNyN4HJZ:A8T37TFEc1bQF+ISjj1yUZ
MD5:	785F8BB85085868122077033FB99CD0C
SHA1:	0A06C8B6D653AAEE9C8A32CAC4BE538ACACAC28E
SHA-256:	0602C22D225ED7792819F486696A9EDA1B276A651B987D1FDBE7876BA4BC661A
SHA-512:	90247382B81160FBA1EC50894EFE1D66895B622ACD09BA01AAB8A61D704C58345131E082A8B7FE5475A8C2915F6E9C27E2FBE57F49EC7DDECA3C7BB512B7E494
Malicious:	false
Preview:	/* REXX /..../ This program lets the user enter a value. This time we do it /../ in a function that returns the entered number. /../ Then another function checks if the value can be divided by any /../ other number. /....number= ENTERIT()....IF HAS_DIVIDERS(number)=0 THEN DO .. SAY number\|\|" is a prime number!"..END..ELSE DO .. SAY number\|\|" is not a prime number!"..END....EXIT..../ Below is a subroutine. It has access to the varibale pool of the /../ calling program. Of course, this could be done in a more elegant /../ way. /..ENTERIT: PROCEDURE.. SAY "Please enter a number (up to 1000)".. PULL n.. RETURN n....../ Below is a function. The word PROCEDURE was added, to give it a /../ local variable pool. Exchange of data with the calling program is /../ done through argument passing and zocresult return mechanism. */..HAS_DIVI

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Learning REXX from Samples Step by Step\7_array.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	994
Entropy (8bit):	4.695522465090394
Encrypted:	false
SSDEEP:	24:EtGXyAnJ2U7Y28r8GSt/hanfPzS/pm8ZISVIM/x9PNyN4HJZ:EtQmUcPO/hau/pnISzj1yUZ
MD5:	2A5C7F9E3E5714DB2B010BF7FE66E9CE
SHA1:	9587D3ADEE9DA1382250D60F0A6CC59D98FBBA6E
SHA-256:	1129BA68550EA73BAEA41F87AC5683A4B901EDAABBBCBEE5074BD76CF8D1A035
SHA-512:	6CF69C4603414EE2094892DD17F97293D197EAA8EB0F363E6B1E07C7C3C135AAB1D47715A57DBB17645EBFC4905CFF34FF53D071519CB801FC7EC0B9313E853A
Malicious:	false
Preview:	/* REXX /..../ Arrays are built by appending a period and an index to a variable name /../ Typically the size of the array is stored in index 0 /..../ Build a list of 50 prime numbers /....list.0= 0..z= 3....DO WHILE list.0<50 .. IF \ HAS_DIVIDERS(z) THEN DO / IF NOT ... THEN /.. list.0= list.0+1.. ind= list.0.. list.ind= z.. END.... z= z+2..END....DO i=1 TO list.0.. SAY list.i..END....EXIT....../ Below is a function. The word PROCEDURE was added, to give it a /../ local variable pool. Exchange of data with the calling program is /../ done through argument passing and zocresult return mechanism. /..HAS_DIVIDERS: PROCEDURE .. / Pick up first (and only) argument /.. z= ARG(1).. zocresult= 0.... DO i=2 TO z-1.. IF (z//i)=0 THEN DO.. / leave loop if i is a divider of z */.. zocresult= 1.. LEAVE i.. END .. END.... RETURN zocresult....

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Learning REXX from Samples Step by Step\8_fileio.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1958
Entropy (8bit):	4.682063876684421
Encrypted:	false
SSDEEP:	24:1SH3fcw3fyHBSKw/oW/wF3GUUirgTn6kQ/eR/aeQ7Bulgjr:1o0SaHB0L/UGUGr6OXAjr
MD5:	E9803D34F124C7A94F88FAE85B5BF6A7
SHA1:	6AF33012F57F22755C1685AF0178B9F90E84A89E
SHA-256:	92C86AB58A8E0026BEA95F9D1126C43AE3D36C3694325B9B1A6E7718442D8BF0
SHA-512:	0BB8B2D03912365AC2776AE352A1EAE8417703FECD84C2748ECFB462366AE1EEA8E3EF6472D820708E63155D1FCD4765A24D73F965750A25745E643A1B445A58
Malicious:	false
Preview:	/* REXX .. .. This example demonstrates the basic file functions:.... - check for existence of file.... - open file for writing .. - write data to file.. - close file.... - open file for reading .. - read data and check for end of file.. - close file..*../..../* ------------------------------------------------------------------ /..../ the STREAM(,"C","QUERY EXISTS") function call can be used to check /../ if a file for exists. /....IF STREAM("SOME.TXT", "C", "QUERY EXISTS")\="" THEN DO.. / file exists, so delete it /.. ADDRESS CMD "DEL SOME.TXT"..END..../ ------------------------------------------------------------------ /..../ the STREAM(,"C","OPEN WRITE") call is used to open a file. /..CALL STREAM "SOME.TXT", "C", "OPEN WRITE"..../ the LINEOUT call writes data to a file. Instead of a file handle, /../ the file name is used. */....CAL

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Learning REXX from Samples Step by Step\99_fido.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3698
Entropy (8bit):	4.8792779713640035
Encrypted:	false
SSDEEP:	96:5/lLuW4+be83ZHSICaxvUzNNgSrUrSwVFEmFr:XuUd8zNVuSwzFr
MD5:	295E21AAFDB9A74E592854F9E815E280
SHA1:	D32F7DB7BB4C621AA575F6F8C6512B6C963E9F0E
SHA-256:	4440E8A8A005238DC34D505067119C99F1D0C7AA8A88554FEFB6550C7F8A2FC8
SHA-512:	FA8F3550C8B37626F44C10D2D907323BB46E4626FA3981D40251C60738FD60FA5542F9284C20A463DFD40654ACD594CCA8DE964EA3A52871BAA184172D3377D4
Malicious:	false
Preview:	/* REXX .... This is a non-functional skeleton for creating an autologin .. script. However you might not need it, since simple autologins .. can be achieved without script programming using the autologin .. feature of the phone book..... Scenario:.. Let's assume Zaphod Beeblebrox uses the Megadodo bbs on Ursa .. Minor Beta to download new messages and upload the replys that .. he wrote offline. .. This script calls the bbs and eventually tries again until it.. gets a CONNECT. Then it goes to the main menu where it downloads.. a new mail packet and, if available, uploads Zaphod's replies...../....../ Prevent users from accidently dialling long distance to Ursa Minor Beta */....CALL ZocMsgBox "This is a sample file. You should check it's source code"....really= ""..yesno= ""..DO UNTIL yesno="##NO##".. yesno= ZocMsgBox("Are you "\|\|really\|\|" sure that you want to make a "\|\|,.. "call across the universe?", 2)..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Learning REXX from Samples Step by Step\9_lastln.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	461
Entropy (8bit):	4.906846021583566
Encrypted:	false
SSDEEP:	12:U6dBAq34+cPjRVDox1Q+vvYtZpmumguUD4rubD4qaEc0CJo6oa:ndBY++jf38vGJmgNMrC5aEcU6r
MD5:	AFA516AAC6EB71B2B60345D57944FF35
SHA1:	1FD9777FBF3325CC5BFBB37D3547C27237BFF7B6
SHA-256:	2D2726623206A03BFC20131157716421BFB378A6BCDAF9281B69C8F9B8DC6668
SHA-512:	5587FED5651AD1834BFF4CAA32ABF7FA84C565DF92C2C58BC9B549F523822A965EB271FDB0AE88D7A44EEFCC23188A007FFD9881B687F69E85006747D6D32B26
Malicious:	false
Preview:	/* REXX /..../ send something to the modem and wait for an anwser /..CALL ZocSend "AT\S^M"..../ wait for answer /..CALL ZocTimeout 10..../ read text linewise and wait for a line containing OK /..DO X=1 TO 999 UNTIL ZocLastline()="OK".. timeout= ZocGetline().. IF timeout=640 THEN DO .. LEAVE.. END.... / remember all lines /.. A.X= ZocLastline()..END ..../ show all lines again */..DO Y=1 TO X.. SAY Y ":" A.Y..END....EXIT....

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Samples From the ZOC Manual\first.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	143
Entropy (8bit):	4.467841256956491
Encrypted:	false
SSDEEP:	3:Uy99IIC5fxTPKov1swessXsGTysw3iK8HiFuLRFqmqov:Uy4gyyrXn4yjqHov
MD5:	F4607CD1DA24023A937577AE5B047F8D
SHA1:	BA7DEC9C2CBD2C5F2630DA0FCC350E91737590EE
SHA-256:	086F71AE18E5B23E7F687BE11FD8136F9064C5C6BCB8FD3E6319C4FC752151EF
SHA-512:	BABDE7EE40ECA40FEFEFB22C517B2FF3FD809A01AF7708F8D4F52F9063CD3408660B4034267CB76EA4DC095C7794CFBC57BC44B1D3EEFC4EB308C6BDD90DB678
Malicious:	false
Preview:	/* REXX-Program: FIRST.ZRX /....CALL ZocCls / clear screen /..CALL ZocWriteln "Hello World!" / print text */..EXIT..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Samples From the ZOC Manual\if1.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	744
Entropy (8bit):	5.047610240590951
Encrypted:	false
SSDEEP:	12:UXKyKS4jXNHFbwlMBPNMLHnRgk5N+MWbaN8hj0Fbwl6BPNMZgTCjqxrZ5N+vuEov:WK759wmBPonmk5N+MtLw0BPlCYZ5N+WZ
MD5:	9D8F17370B70D0FD1A99795A073CA0B1
SHA1:	9A7E88BF7D61E73B780D2E971A4A33D221BBBE73
SHA-256:	37BF18F6B51D72F2EED16C19ABC1DA901C299D57BAA47CA48BB7A01BC9BC7BF6
SHA-512:	1E46CBE2482656C7CAE658C6C6AB3686EE8857C0FB6A250327124801359E12FEB4D72494AF1E7DDF7A6B62D2382661A6DDEDF1C2D5B17EC7DBC47E05C49A661E
Malicious:	false
Preview:	/* REXX sample about decisions /..../ Set max wait time to 60 seconds /..CALL ZocTimeout 60..../ Wait for text 'Name:' - check for timeout.. and send user name or report error /..timeout= ZocWait("Name:")..IF timeout=0 THEN DO.. / received 'Name:' /.. CALL ZocSend "Joe User^M"..END..ELSE DO.. / Ouch, 'Name:' was not received /.. CALL ZocWriteln "ERROR (Name)!!".. CALL ZocHangup..END..../ Wait for text 'Password:' - check timeout.. and send password or report error /..timeout= ZocWait("Password:")..IF timeout=0 THEN DO.. / received 'Password:' OK /.. CALL ZocSend "secret^M"..END..ELSE DO.. / Ouch, 'Password:' was not received */.. CALL ZocWriteln "ERROR (Password)!!".. CALL ZocHangup..END....EXIT..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Samples From the ZOC Manual\if2.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	837
Entropy (8bit):	5.043415793560473
Encrypted:	false
SSDEEP:	24:WK759wmBPonKk5N+MWKrCLw0BPlCYZ5N+WF:WK8QWx2zZ/
MD5:	695D4AA15AEEA083CDE1942F52F1A2DC
SHA1:	5A20AFE704C256631208C95F6EBFC0668C46E0CD
SHA-256:	15B44D8DB593E3489444C0C24C99792FD4B3F0DED4E5DBF315A22AD63E2BFAB8
SHA-512:	AE7B7FEBDA6B946D7282A4CD0B409B5D538025F54F79B822CD2AC8C48B417031F6E1FCEA49FCF9EFD0AE17FCFC9454CBF271CF5B54F9DF36EC2F4385685654BD
Malicious:	false
Preview:	/* REXX sample about decisions /..../ Set max wait time to 60 seconds /..CALL ZocTimeout 60..../ Wait for text 'Name:' - check for timeout.. and send user name or report error /..timeout= ZocWait("Name:")..IF timeout=0 THEN DO.. / received 'Name:' /.. CALL ZocSend "Joe User^M"..END..ELSE DO .. / Ouch, 'Name:' was not received /.. CALL ZocWriteln "ERROR (Name)!!".. CALL ZocHangup.. SIGNAL GetOut / Jump to end of program /..END....../ Wait for text 'Password:' - check timeout.. and send password or report error /..timeout= ZocWait("Password:")..IF timeout=0 THEN DO.. / received 'Password:' OK /.. CALL ZocSend "secret^M"..END..ELSE DO.. / Ouch, 'Password:' was not received /.. CALL ZocWriteln "ERROR (Password)!!".. CALL ZocHangup..END....GetOut: / target for SIGNAL command */..EXIT..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Samples From the ZOC Manual\if3.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	800
Entropy (8bit):	4.935324415591888
Encrypted:	false
SSDEEP:	24:WKSyw1BhVnvMnwWIPrDVW5N0Wjg35N+MAy:WKWHBWIM+Ay
MD5:	26297DD7F3E806A603347B1F979C105B
SHA1:	76BB7EA89715C0659E4305BC0945C2A9C3852F31
SHA-256:	02FD4458AD9632EAC8D7426F6D659C942B70CE43F1FAA32CA107F160BCD6DE74
SHA-512:	F006DE69EC0F1D6F0D5A57E9E854BCF6904705B83532165E8B0F437BBA0780DBBDEAC089FB35421000694E5F222BAFD9E95AA3773DB9C458BB72592A2991F7D9
Malicious:	false
Preview:	/* REXX sample about decisions /..../ Set max wait time to 60 seconds /..CALL ZocTimeout 60..../ Wait for 'Name?' - check for success and report error /..timeout= ZocWait("Name?")..IF timeout=0 THEN DO / outer IF /.. / received 'Name?' /.. CALL ZocSend "Joe User^M".... / Wait for 'Password?' - check for success and report error /.. timeout= ZocWait("Password?").. IF timeout=0 THEN DO.. / received 'Password?' /.. CALL ZocSend "secret^M".. END.. ELSE DO / inner IF /.. / Ouch, 'Password?' was not received /.. CALL ZocWriteln "ERROR (Password)!!".. CALL ZocHangup.. END / inner IF /..END..ELSE DO / outer IF /.. / Ouch, 'Name?' was not received /.. CALL ZocWriteln "ERROR (Name)!!".. CALL ZocHangup..END / outer IF */....EXIT..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Samples From the ZOC Manual\login.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	878
Entropy (8bit):	4.8448417392950995
Encrypted:	false
SSDEEP:	12:UBjXR4RkBuj00rRFEiDFpds8mPOgay0DsQ0SEFgXQIDX2Q8vSr7:Aj+GbkfvFk8GOga/YuE2XZG3a7
MD5:	38C77C5FD4096245047A14865CA26472
SHA1:	317E6C206D321A2A4F5A468092EB4E6459E47C79
SHA-256:	A9253A8D06DE8D09AA18DAA0F64BC42C9CC944DD1A1806EFE09D74FEF7306A40
SHA-512:	A46BB0B1505AEF37188C52BA9315ED19A9B481B0F7D36E9A4C56305FBC704B1BD3538CE076E8A1CBBE558ED2D4DC551766DA13F31B2F4C9C0F3DA76D04AEEE80
Malicious:	false
Preview:	/* REXX-Program: LOGIN.ZRX /....CALL ZocCls / clear screen /....CALL ZocTimeout 60 / max. time to wait for something /....CALL ZocWait "Press <ESC>"..CALL ZocSend "^[" / ^[ is the code for the ESC key /....CALL ZocWait "Name?"..CALL ZocSend "Joe User^M" / don't forget ^M after the name /....CALL ZocWait "[Yes/No]"..CALL ZocSend "Yes^M"....CALL ZocWait "Password?"..CALL ZocSend "secret^M"..../ the next command means that ZOC should .. automatically send a ^M (Enter) every time .. the text "Press Enter to continue" arrives... This way all the news screens are skipped,.. no matter how many of them appear /..CALL ZocReply "Enter", "^M"..../ Wait for the main menu /..CALL ZocWait "Main Menu"..../ Cancel the previous REPLY command so ZOC won't .. kick in if we received that text later */..CALL ZocReply "Enter"..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Samples From the ZOC Manual\login2.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1839
Entropy (8bit):	4.996162808785838
Encrypted:	false
SSDEEP:	24:j582eJLw1BPnbN+MAI54H4JLwzBPH7llnj6N+WsCmqLhfbSf5IgM4z++onN2c72F:gJsHCO5JsFvz5qLlbUjM4ynNz/UZ8I
MD5:	5C6B56BA9F67B46989DD07331FEAC083
SHA1:	27FF0F5F2A0D754AFB80B9D605A71E752D14E7FA
SHA-256:	960367CB30BB65B211964899961698666A056CC9F8EABF01D4DEBD124668F112
SHA-512:	DB30EFD58EF7526737CD9DB4E76F8D7CCEF897F3970A45973B3E1AE93CE065546A53BAEC013B54C64DD686FF1A6C19C53CC7AE361EBACD568CDBAD4DE74A3A15
Malicious:	false
Preview:	/* A REXX sample to show how to log into a bbs and do .. work automatically /....CALL ZocTimeout 60 / general time out /..../** Wait for name prompt or bail out **/..timeout= ZocWait("Name?")..IF timeout=0 THEN DO.. / received "Name?" /.. CALL ZocSend "Zaphod^M"..END..ELSE DO.. / Ouch, "Name?" was not received /.. CALL ZocWriteln "ERROR (Name)!!".. SIGNAL BailOut / this command jumps to the end /..END..../** Wait for password prompt or bail out **/..timeout= ZocWait("Password?")..IF timeout=0 THEN DO.. / received "Password?" /.. CALL ZocSend "HeartOfGold^M"..END..ELSE DO.. / Ouch, "Password?" was not received /.. CALL ZocWriteln "ERROR (Password)!!".. CALL ZocHangup.. SIGNAL BailOut..END..../** Skip host's intro screens */../* (and probably security feature) **/....CALL ZocReply "Press ENTER to continue", "^M" ..CALL ZocReply "Enter your birthdate", "270466^M" ....CALL ZocWait "Main Menu" / we just

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Samples From the ZOC Manual\zoclastl.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1446
Entropy (8bit):	4.749518613763713
Encrypted:	false
SSDEEP:	24:X5/FfECjxTJuTHGQoq7aFAKhPdIM//g1QSQDkW9vPJL/DC49/PwSjP3yqWLIQdyt:XVyIxTWDWVA1oYW5JrDJDELRyt
MD5:	CB53D0962A039DF7922910E2AC4A1CE1
SHA1:	C152E41EC15DB02B6035A85D6849ACA246F40CD2
SHA-256:	E4AFBB8CE770FD9C4AEB90A12B22D820E92ACE4AD7BC3D1B9C8EE1FDAEF27517
SHA-512:	498AD9DC809A1056468818198EC08F9514BCFCD224D04C1C60CAFB6291DAD426169DE65981DFB7B69E2CBCF1E4C2BCF275687212D9CA04D7BAB88D81BE6D3269
Malicious:	false
Preview:	/* REXX script to dial (and retry) a phone number /..../ Ask user what number should be dialled /..number= ZocAsk("What number shall I dial?")..../ dial the number if it was non empty and if user .. did not press the ESC key /....IF number\="" & number\="##CANCEL##" THEN DO .. / redial 5 times max. /.. DO TRY=1 TO 5 .... SAY "Try #" TRY .... CALL ZocDial number.... / wait for CONNECT within 60 seconds /.. CALL ZocTimeout 60 .... / scan the next 6 lines for something interesting /.. DO LINE=1 TO 6.. / receive next line of text /.. timeout= ZocGetLine().... / if timed out, end script with error /.. IF timeout=640 THEN SIGNAL ERROR.... / if BUSY was received, try again (leave inner loop) /.. IF ZOCLASTLINE()="BUSY" THEN LEAVE LINE.... / if NO CARRIER was received, end with error */.. IF ZOCLASTLINE()="NO CARRIER" THEN DO.. SAY "Error!".. LEAVE TRY

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\Samples From the ZOC Manual\zocresu.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	264
Entropy (8bit):	4.881008105807107
Encrypted:	false
SSDEEP:	6:UytPbn8bmJrH29yomUA1RHKK9yNT1RmbjOyNT1/vv:UuNlH29yoQKK0NfmbbNNvv
MD5:	15652593AF9AA24E56CE9DDA69E83B8F
SHA1:	2F741A56A8521A84D389130F53F53DC5F7C6C595
SHA-256:	1C6E74A1CFFF642B67743BE8D064A03F57D20C9879872FFA6F9EBE35451B394E
SHA-512:	8A0E2E3149918C5691ED9016040CB4636DE380B9644005225193F57E2910248F800C4E254AA5E449B0713CE6ADA0B883431CAFC9017244CEB567B880F2246C9D
Malicious:	false
Preview:	/* REXX */....answer= ZocRequest("Are you sure?", "Yes", "No")....IF answer=="Yes" THEN DO .. SAY "User really wants it!"..END....IF answer=="No" THEN DO.. SAY "User isn't sure!"..END....IF answer=="##CANCEL##" THEN DO.. SAY "User pressed the ESC key"..END..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Language.hlp

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	MS Windows 3.1 help, Thu Jun 3 17:17:30 2004, 59631 bytes
Category:	dropped
Size (bytes):	59631
Entropy (8bit):	6.10531993749522
Encrypted:	false
SSDEEP:	768:lJllMQAV2vzamF+JVszFmPfhMhEeCupKTlyCnSMFGmq6y2pghv1//Tgrokrn+TY6:z/92MaKIsEm1PpKThSM4mqJgKFnYn+
MD5:	5E421A7B4AE1A807CC42FF4697ED2A4D
SHA1:	1F3A37C9F957F467B0278DD7EDE450D617584711
SHA-256:	F68845143F07EFF25035EBC80580E4F2D217A0407799E8555EFAB94B808EA5CF
SHA-512:	22B4B36E1CC83DE8DC05D2466AEC30AC3C34ADFDCDFF16283BA1A47138F7685693494DB71FB876629D8360D82C213F19C61B7940B849780C9F312E16B800F2C0
Malicious:	false
Preview:	?_........................(,.:[])].,aADDRES.Sanandar.eargumen.tA.@s.Psa...sign..beb.lank-del.imitedBu.iltbycas.echaract.er.`scomm.^.concate.nati..ond"i.@verC.co.untcurr~..datadeci.malDefau.ltd.Pfine.dDIGITSd.igitseit herEnr.pr.iseenvir.o. expre..Don.psex..d.ed..rnalf.irstfoll.owingfor.fromfunc...F.@h..ler.hex-str'.....PifIfIn.i..<.m. inpPutIn.uF i...v0isB.gua.geL.@leng.thlogica.lna..otNo.tesnumbe.rNUMERIC8ofor.s...op.er..s. tor$sO.Popd.or.out..padp.osn!progr.am..dre......!require...sn.retur.........sREX$Xs".ch.0edg......if../.pi..fi..tP"..r.t. \...teV".P.-...ps[.eam.a1g11n12sub.x1SuL.rysy.mbolM.plS.Ft....tTh..e.tow.k"dtyp.eusedVAL.UEvaluev@ariabl.`s.w3 rwhich willwO.wo..."").".%.''),'/'(."()([)),.).+-......)..]/00..0011.24..08.59;<<.=,=>=,[,.\<\>]];].]AA-Fa-z.A-ZABBRE.Vabbrevi..#ab..ABSa.ccv...>.iv.....afI.allA.ll..owsal.soAnANDa.....anyAPI.app."..l=.`.(ARG.S-@2Ar1).met^..psc...s..#edA.c...oc....ss......"atBB2Xb...b..m.@sbx..be>...gi.......g. ..havi.orbe. lo..A..wbetw9 yq..bin...0gCB

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN01.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.702596273066022
Encrypted:	false
SSDEEP:	3:U5VUL3CKQCNsuFyxJPHyHK9/GycKlUL3o:U5V50FyLHPGelR
MD5:	4AE64E464764B3C057A9F3124FEDACD6
SHA1:	874CAB5C7E7C58B67CFA334ECC479F662A047ED9
SHA-256:	053873E159F3E203C388E4B10E0D52043F86C87377A1932DE0257029969C1075
SHA-512:	932A52725B406A4C7BA9201A1A327C4AF72FD49A325DD047B0D1C18ED8587351B918BA091A8BFAF04B04528B2CE0290C2982537E3AE100D2A27E23ADA0F4AFBD
Malicious:	false
Preview:	/* LEARN01.REX -- write "hello" to screen /....SAY "Hello, world."..../ END LEARN01.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN02.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	OS/2 REXX batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	307
Entropy (8bit):	4.018420704081766
Encrypted:	false
SSDEEP:	6:U5VXsuKKJwSPUFHL0fdeeyHL0fdfi/fYgfdePMlXs1D:U5VXsKJb1MHA1fi/Qg1QaXU
MD5:	29E8AC38C6BE8DC9049BF1C7391AD10F
SHA1:	38B71405F6F0E440A636C8C5CAB62E15A04EF7E3
SHA-256:	18BFCA06A45B7A2212F55B32F2A17E672D42B17FD0FF3D236034632C9190F665
SHA-512:	2821CC08E4DAFA335DED3CA810A079C003DE2A42C3F4A5149A8A127BFDC48F08A0D419DB217B6FEC96A97FF134B4F18790F16D36669B7E4272062B5729F7CB2D
Malicious:	false
Preview:	/* LEARN02.REX -- show different clause formatting /....x = 4 + 5 / (1) /..SAY "The answer is" x....x = 4 + 5; SAY "The answer is" x / (2) /....x = 4, / (3) /..+ 5; say,.."The answer is" x..../ END LEARN02.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN03.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	225
Entropy (8bit):	4.807467288344102
Encrypted:	false
SSDEEP:	6:U5VdFr3Woo95NRHDWRAivCnqDWRAi7wpQx1xhErFA/RpyRldFr:U5VL3U5XaRAiEJRAi0yurmZpyfL
MD5:	28FD2D4A223B6B93A246DF9101723B8B
SHA1:	791AD05A778B139CBB79940660AF8EA7AB5FE298
SHA-256:	17BD27D1132FF61B6DD4F7275DEC75FD9CB2FDA22B238F5BCFDB827E6FA01F73
SHA-512:	8D40E779A8943B901C764BD1A4F393AAFEEE86B163AF40732AD6D19ECA3F95A84D076CBDCC2F63C0A35DBA5B57320FCE1E635D3FF4087867FC34D34362A39E49
Malicious:	false
Preview:	/* LEARN03.REX -- get user's name and age into variables /....SAY "Please enter your name"..PULL name..SAY "Please enter your age"..PULL age..SAY name"," age "years is too long to be without REXX."..../ END LEARN03.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN04.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	189
Entropy (8bit):	4.99805043474594
Encrypted:	false
SSDEEP:	3:U5VR8n1b2wyzFTENJzFzlF2ObWvGi99H/a0vDUHoSEWFKlx1CW6NGjWOr5UlR8nr:U5VR812L9a5Z2ObWrNYH3ENlu9N7oUl+
MD5:	68F0B51E672EB7E28D917A9E42FA1994
SHA1:	674F8DFFA57E8B65DD9DCE34FF188255DB12A3C6
SHA-256:	374E24E0FB03408F40E82B6AEBD2293987FA165110EA0E4CF56EB68697A09F51
SHA-512:	EEBC25A35818E313E6C34CCEB4961D7AB22FE0EBF2197E19862AD57E45619CD7BD66F13E71B6557F519A428D6E7FE27E980342EB30B05EDC93204B494EDA40CE
Malicious:	false
Preview:	/* LEARN04.REX -- concatenate two variables without space /..first_half = "Cow"..last_half = "lishaw"..SAY "REXX was designed by M. F." first_half \|\| last_half"."../ END LEARN04.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN05.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	210
Entropy (8bit):	4.871206839394081
Encrypted:	false
SSDEEP:	6:U5VpAg1U2AhqgR8FHe7stQG/EFG0FRQyZq7SaswMQCpl9D:U5VpAqUrhhvG0FqSB3X9D
MD5:	87CBCB44AC267E677EA314875E0FF397
SHA1:	67550DEEBDDE44C4E5C5B036EA679B82C73A5B3E
SHA-256:	73FDD501F6A368B078C60A66DEF8496B2991EA934D7DDF3156B0F420D710030B
SHA-512:	50759AE81B5233FD6D5010A29E4F7C5CF56B05327F192B3081154492F01964350F6E5849EFABB3B0C9533F15C23088AB5F5BF55025FE4DE60A66C5B232629797
Malicious:	false
Preview:	/* LEARN05.REX -- calculate circle characteristics /....PI = 3.14159..SAY "Enter radius"..PULL radius..SAY "Area = " PI (radius*2)..SAY "Circumference = " 2 PI * radius..../* END LEARN05.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN06.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	213
Entropy (8bit):	4.824562646183596
Encrypted:	false
SSDEEP:	6:U5VTu3ORKe5NRHDWRAiwLzb4qYLthAoqL6kDR9ACJlTU:U5VTu3k5XaRAiwP0jthAFN9ASTU
MD5:	CCFF6BDF28E70FD7D5BB0910D17AEC75
SHA1:	70E16A9C442B79A3A9F2EB0361EB7C686310DF4F
SHA-256:	F6D36CD20F7A7A542551193FBABFC637C4806812687083C03B27D46C86253D7E
SHA-512:	432E2E00EF203DD66A4DBFFDFA61F251E00BD47305DCF173DC7436C7B6A58693D39FBC7CB28C61A9D88B62B5BAAB65315B68C5D2A430FCAC647C3061FEDD1308
Malicious:	false
Preview:	/* LEARN06.REX -- get user's name into two variables /....SAY "Please enter your first and last name"..PARSE PULL firstname lastname..SAY "The name entered was" lastname"," firstname"."..../ END LEARN06.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN07.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	218
Entropy (8bit):	4.889620378740217
Encrypted:	false
SSDEEP:	6:U5V99M5zLHy44gHDWRAiZRJbCclkGKU0JL6pTvl7D:U5VshxaRAivJbflkGtTN7D
MD5:	FDF644F7B27C2D3D4FA1572B4C24BBA3
SHA1:	36FB09974B429BCA106F22B7131CF2529F01D985
SHA-256:	3BA36DB3DBBB321F7186424C8ABA11661782DAB078E399C6F6F6E72C2ACD6941
SHA-512:	22C9E5CA1FBA55ADB5B5CB2E81124D750B3EA7AEA50EDEF1E2E1866BB670E789F6010CDD9BCD5EB848AD28ADC0DFA341B0496906EDB11558BF622D2A0FD9736E
Malicious:	false
Preview:	/* LEARN07.REX -- split birthday into month, day, and year /....SAY "Please enter your birth date in the form: mm/dd/yy"..PARSE PULL month '/' day '/' year..SAY "The month entered was" month..../ END LEARN07.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN08.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	198
Entropy (8bit):	4.7644227151305225
Encrypted:	false
SSDEEP:	6:U5VdsdVoH5pN0HLjCDstHom9goXKFOeRlds9:U5V+w5P0rjCDstioXKrfy
MD5:	F72176D61F181317F1AEBDF86583534F
SHA1:	4247AB03FF5B1D3D21D68BD28F25D86D273A104A
SHA-256:	34BEB51E3F0D6FA8C806F53F315049172FBFA59603D377FE5727B861097985D3
SHA-512:	36B25EEA84AE8ABAD34684A125E67BB50F260C59A408A1BF5434604B30745F9089AE7A2E9561F1BE929EEBEDCFEC6692815737F39B6BCDD3FFFB95EF6D86BBC3
Malicious:	false
Preview:	/* LEARN08.REX -- use compound variables as arrays /....array.1.1 = 5..array.1.2 = 10....i = 1; j = 2....SAY "array.1.1 =" array.1.1..SAY array.1.2 "=" array.i.j "Right?"..../ END LEARN08.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN09.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	435
Entropy (8bit):	5.064384015228786
Encrypted:	false
SSDEEP:	12:U5VhDw5I0W1sN4gTmPxiBmD+Nt1QnRJd89Ium0hr:+DwG0WBBiC+N3QnX0Ii
MD5:	4E448FBAA6AE1EFE67A101EFA73A23AA
SHA1:	E08566571806872273548DD2AF6B22982D564B6B
SHA-256:	912E1674877CA3533DECFEE416923B92111116D2ABCA7221DA4CB8EB92E8C43B
SHA-512:	289D9F2A3E9E094FE8162937B66D63EB5A76B3C20F6A764CC7F5AC4496032D928F2868728C0D6411F11091004FE6B12AC8822827FA95AFA195EE0CA90AB5B08E
Malicious:	false
Preview:	/* LEARN09.REX -- use compound variables to find area codes /....areacode. = "unknown"....areacode.ME=207; areacode.NH=603; areacode.VT=802; areacode.RI=401..areacode.CT=203; areacode.MA="east 617 and 508, west 413"..areacode.CA="408 for San Jose"....SAY "What state do you want the area code for?"..SAY "(Enter a two-character abbreviation) "..PULL state..SAY "The area code for" state "is" areacode.state..../ END LEARN09.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN10.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	523
Entropy (8bit):	3.5869347179621394
Encrypted:	false
SSDEEP:	12:U5KkQYu5puphukBfj8ZRRYtgkRqWgVeW94:+KHYu5pufukBrgbmdHs94
MD5:	67D10B17EF4EEDA0F61BE1A47BBAFCD6
SHA1:	60378D68175E25020147E0EE36793C05ABD064B6
SHA-256:	1DAA9C0A0623C9E0A96E7E1EDE18DDE526D5075D114C685DB380FF7EB26E9D9A
SHA-512:	5D358D9D0FDDEA1232A1C71867C7E8EC244A26669C2874219FAD8A55B40D1758999392DD1DAD557774F930F37F0CAB7BE3B5752F958E54336BCEFA8F873CC7EC
Malicious:	false
Preview:	/* LEARN10.REX -- demonstrate normal comparison operators /....SAY 2 = 2 / equal /..SAY 2 = '02' / equal /..SAY 2 = 2.0 / equal /..SAY "TEST" <> "Test" / not equal /..SAY 4 > 2 / greater than /..SAY 1 < 2 / less than /..SAY 4 >= 2 / greater than or equal to /..SAY 1 <= 1 / less than or equal to /..../ END LEARN10.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN11.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.012571552109016
Encrypted:	false
SSDEEP:	3:U5UE4F1sJ6VOWEvzwuPH/SiCeD/jFU4xYUxKKmLLL1FHc0LwKkE4Fr:U5JIRVOlvzRHaQrjFU8YULyLrHrp5Ir
MD5:	92931AC3B4501BEA6BD4C84FC2E87DAF
SHA1:	0FAE7CD357AE0E9954405853F04C388FA1E81017
SHA-256:	B3A6DFBD8587AE31F517266101E0F9FF56450F85645A9D83421A5EDE3809BDA9
SHA-512:	0F8138907F4657A8A8CF3C9BEACED26688F8106ED3FA0659A12F9EEA975E6A249F9D0E5813AC276E4C3E7541943D9B8736DA03269B40FBF72087E2966FB70E0B
Malicious:	false
Preview:	/* LEARN11.REX -- show simple IF construct /....SAY "Enter age: "..PULL age..IF age < 16 THEN SAY "Too young to drive."..SAY "Done."..../ END LEARN11.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN12.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	341
Entropy (8bit):	4.814814397902301
Encrypted:	false
SSDEEP:	6:U5k3nFSAjVFcFHam/1yNCCCQqL7zn5iCC5QOLnZH0UU3yD:U5eFSGVjyMNCJLRiCyZUg
MD5:	344C0DC31C1F6F41643AAE503FE2F54D
SHA1:	22C2D6A07FFC2977FED93AEBBA7339D2DD19B9AB
SHA-256:	5CE5C4A6828CB125A7D10A1757964E4C484673B1729482165D94A05693231AE1
SHA-512:	FC57361C8AAA8B82D956DEB4A76603CB43B7DF5ED0F2BA84DCEEFAB3527D1D32148079ABB8B2069EAF1E2C158A34C8B63F3E3F74DB425AE37CFF7714F4544CF9
Malicious:	false
Preview:	/* LEARN12.REX -- voter registration screening with nested IF's /..SAY "Enter age:"..PULL age....IF age >= 18 THEN DO.. status = " vote".. msg = "Please proceed to the registration desk.".. END..ELSE DO.. status = "not vote".. msg = "See you when you're 18".. END....SAY "You can"status..SAY msg..../ END LEARN12.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN13.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	608
Entropy (8bit):	4.7751212714162605
Encrypted:	false
SSDEEP:	12:U5nWGwPmbW1Q6kw0Eo5Iqg5kIml8cf/ZglVMcS67umRQbed/HS:+nWNPmOQ6kw03bdT8cfBcLtiqda
MD5:	78B33D936FDCF249DADF252C02920FC2
SHA1:	C89428D091614813B31FBE27936DA4C735CAFFDA
SHA-256:	593AFADF8B8750D8928AFCCB87B17E42BE34706B602B4081E61A77FF6D8A1345
SHA-512:	49BA43D80805CBD833A02A5653CA46DCF5E69C144132FEF5D56E86722E12221FC4975B5CB87E0204D83433E8969B4D95BF43858E2BEBC04A8A3165E70FD4A996
Malicious:	false
Preview:	/* LEARN13.REX -- use SELECT to find area codes /....NULL = ""....SAY "What New England state do you want the area code for?"..PULL state....SELECT.. WHEN state = "CT" THEN code = "203".. WHEN state = "MA" THEN code = "617, 508 or 413".. WHEN state = "ME" THEN code = "207".. WHEN state = "NH" THEN code = "603".. WHEN state = "VT" THEN code = "802".. WHEN state = "RI" THEN code = "401".. OTHERWISE.. code = NULL.. END....IF code <> NULL THEN.. SAY "The area code for" state "is" code..ELSE.. SAY "The New England states are ME, NH, VT, CT, RI, and MA"..../ END LEARN13.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN14.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.378373163157642
Encrypted:	false
SSDEEP:	3:U5UtQ1tZb2hDyuWFFDSA8olnvycKktQr:U52QDZb2hDyuWFecemQr
MD5:	0DD9DE927C7262B63DE9E8FC72A04319
SHA1:	54CB447132E45B37A171C417F4072B9784C86EE1
SHA-256:	EB04EFF67417D8384EF7BAC9522B105F0FDE31EE192BD2A6D875A911AD779166
SHA-512:	2E2E8D70577E842D3DED356A5EF5153BE71EC0EC4CE242735FE923D5984FC8B9A1EC6BDC37C22F1DB0877BE30795D6DF8D9D6A2C9BFF6473BCA522B769B8CE32
Malicious:	false
Preview:	/* LEARN14.REX -- simple DO loop /....DO 4.. SAY "hello".. END..../ END LEARN14.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN15.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	122
Entropy (8bit):	4.558972276952569
Encrypted:	false
SSDEEP:	3:U5U9IIbOasNbllK0Dy59FquCvF+kJm6ivycKk9PD:U5KOasbfK0DyEjv7mZekD
MD5:	CC7574D2440F0AE9FD85F2FCEA63E9C6
SHA1:	3506FD639D0F8FF41642DFA6C0CA307758D548EA
SHA-256:	5008476A32B4DDE87A9BFFD92E4430870894F43E62EAE8F84365B7FF543DAC91
SHA-512:	24A3B2C47DDD642336B550AE06FCAA5F365E56B99CAFF3C4684BC084911153DB08F4FD382669EE5B5DF224869C340F5043C176B10089B0BE9B919D4A5ED10CD7
Malicious:	false
Preview:	/* LEARN15.REX -- count to 10 with controlled loop /....DO ctrl = 1 TO 10.. SAY ctrl.. END..../ END LEARN15.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN16.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	388
Entropy (8bit):	4.0771466102864675
Encrypted:	false
SSDEEP:	6:U5QBzlGKgFmFUGB7IKDa2knjezCbFftiS/BezC7/TFScNrENiKlENpA4:U5yGKgU0KO2Lefb/oe7/JMiPR
MD5:	21AB47105C24420AB3F618C2B20FB731
SHA1:	7B3D8797166C05B5EE72D8765EF59CADB2311A5F
SHA-256:	34780FA5A3116F4F2B9B08C21074D2745CFF8EAF8DB5CFA975A65A00A89A4682
SHA-512:	25A42337599B5276E2A7F368A3D23228C2FB806BDD9E2BD286F3F92CBF875682A660BFB98D720E5D95ED6E0B2773E3DCF7FBA83F17934CDCAD7CCAF3A38A8311
Malicious:	false
Preview:	/* LEARN16.REX -- use nested controlled loops to write /../ a multiplication table to the screen /....limit = 3....DO x = 1 TO limit / find multiples up to limit /.. DO y = 1 TO limit.. SAY x "x" y "=" x y.. END y /* control variable /.. END x / control variable /..../ END LEARN16.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN17.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	309
Entropy (8bit):	4.453565368052895
Encrypted:	false
SSDEEP:	6:U5/IRL7yo+n/eRWDsVsek7J9HlFC96FhJfNN1y7rF/7Ax/UVPDsVs9F/vevIPD:U5/IRv+/eRWDQkdlLXlNNW/7AZUVPDhV
MD5:	D07144BBFFE7BA13742DC87F75729777
SHA1:	036566B61ED994EFE7E3CBF1097EDAA435279CAE
SHA-256:	50B610BCA98C4A35CF46F1CCB823830B116AF9A1CBEEB3A19D0BDE925464C0CF
SHA-512:	0A225DF57DBAADE1D44C4139E0432076C056F0F6FCCCFEE07FD711C3345B99573FA0E183069DADCF716183BF70DDF58E5F3137E33AC5F9CBCC33CFCFE38731FD
Malicious:	false
Preview:	/* LEARN17.REX -- echo keyboard input to screen /....PARSE PULL text / get first line of input /....DO WHILE text \== "" / while input is not null /.. SAY text / echo input to screen /.. PARSE PULL text / get next line of input /.. END..../ END LEARN17.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN18.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	329
Entropy (8bit):	4.783499374252201
Encrypted:	false
SSDEEP:	6:U5i3uFML2LRASAeyTmQsTMoRHakKO2PB1X9Jw5aQpz9TMOvcHNbwJPOveS3o:U5i+FMQRAp2Qs406kKO2PPtBm9T3vcFK
MD5:	9747F91971B9392203EFF368453F46AA
SHA1:	AC4D3A3422CA207B951BAF3D877766B3A7D722DA
SHA-256:	E01DAFD825D2C303F19F5909CFD906AAA8D0A095DC6ACC289C2B573C9DCB7B73
SHA-512:	02CE32D192BB3B9F93E3CB186167759941CC2CFEEEB4A072990895C1AA8099B42EFAB889B168ED616A1089985A6205AE595C41991D1DECDDA9042A6D587D830B
Malicious:	false
Preview:	/* LEARN18.REX -- write even integers up to maximum /....MAXIMUM=10....SAY "Enter count:"..PULL count....DO i=1 TO count.. IF i > MAXIMUM THEN.. LEAVE.. IF \DataType(i/2,"Whole") THEN / test for odd integer /.. ITERATE.. SAY i / display if even /.. END..../ END LEARN18.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN19.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	159
Entropy (8bit):	4.835683721257266
Encrypted:	false
SSDEEP:	3:U5UXKqcqcuJgKR6gAoAWiFCk/ExwVtWLtEIAovDa7WLtEIAovycKkJ:U5xg8JWmyw+LthAouyLthAoap6
MD5:	B10D22EC168620BBA24071C6E9D83937
SHA1:	A047805D1CB868D8A66486764C05CD62BA922507
SHA-256:	87832432840687A2D7C84745032D4D59C030452586896D141EE5CC460CE11F6B
SHA-512:	CD9BF7D754FAF4657F775E38F7997D371EAC98AE5ABD4E25DCEA721F5ACFA9E5497A9FBE38F205CC4181DBE049C7D19A3F5E879B381625273B7E007636E88FB7
Malicious:	false
Preview:	/* LEARN19.REX -- break up a variable into words /....name = 'Ann Smith'..PARSE VAR name firstname lastname..SAY firstname lastname..../ END LEARN19.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN20.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.90586844766982
Encrypted:	false
SSDEEP:	6:U5XVLQ9IgWAFx42qk5FMBzQUj2hFAkkg9A4lzoFByUMnVLQ91D:U5FsTLF4kcsHkOCas9
MD5:	F20BFE69FF4E06A922CE937566E39309
SHA1:	10E7F818B51F00C79A53035318787033AEE67B5A
SHA-256:	A28AA3B264240A9E67049E68E17F361AD02EE91D5E85221CB6265572ED7E1686
SHA-512:	2126A5A19E2E52B9DABF42FE3C02807852FCD08095F25792B150701611AEC6D007B0BBCC4E08FE8717FCE5B8F81F149703D9B70A66FB48242B6ADC016AD5D02F
Malicious:	false
Preview:	/* LEARN20.REX -- break up file statistics /....taxinfo="NY 000-11-2222 Smith"....PARSE VAR taxinfo state id / id gets '000-11-2222 Smith' /..SAY id....PARSE VAR id ss_num . / period holds place /..SAY ss_num..../ END LEARN20.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN21.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	229
Entropy (8bit):	4.973425106455231
Encrypted:	false
SSDEEP:	6:U5XzQ1HCOXJEPtHqRoVpDYHIkzcsH6GEAjdwRnz9:U5jWCOZElKspMD6d9
MD5:	3C8F5442527E9C982FC55AF74406919D
SHA1:	FB4F69A95DB9A792079C4A06DE7D45616B0DD9E7
SHA-256:	192AF2C7A501D3D05B1FDE613F104FAFB837238562D309F3739F6A0179AD3837
SHA-512:	1B9A274E75622F948D276248D36E4EC8543E116FE0B0A95F003C80225EECD43F9EE9A80281C7583F49C35DDFF8BB677BCD290F158B119DDC89B9F466F6E90D7F
Malicious:	false
Preview:	/* LEARN21.REX -- break up variable using literal patterns /....SAY "Enter your name and address in the form"..SAY " Name, Address :Zip_code"..SAY ""..PARSE PULL name ',' address ':' zip..SAY address..../ END LEARN21.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN22.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	187
Entropy (8bit):	4.966902660480558
Encrypted:	false
SSDEEP:	3:U5XXLlIKqLE1HJgDZlFPDfLDKYWLSKFFFX4pXot+kxE9cFWMsUvYv2k8vYvycKnk:U5XXLF1HCdnW8KNX457kxWcFWcvYv2kj
MD5:	E6A919B1109E3428186118C5EBE8D4DC
SHA1:	6D82D7AFA8BCF29D2F7DCF44AC270A272DFA62EC
SHA-256:	20B2F18A8414A9E127E6E425D32DB774389EE5FD9FCF860CC53AB409B396E0DE
SHA-512:	9AA7B24F423B8755F4F92CEC001F8F84181FD8CA19BA3FB9FB6EDC6BD58941EBBF2BF5B083E4B89FCF9250A8C5C34A9136B74FA0A5BA5D17F1A9A1E1FC352E6C
Malicious:	false
Preview:	/* LEARN22.REX -- break up variable using column numbers /....info="Smith,A. 111-22-3333 203-555-1222"..PARSE VAR info name 16 ssn 31 phone..SAY phone..../ END LEARN22.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN23.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	469
Entropy (8bit):	5.109606766780292
Encrypted:	false
SSDEEP:	12:U51TZeoY42Q6WjbLZmrGpSsw/vO/pSswjmruW:+19qV+0CiW
MD5:	E97CE74510A2830D9E83FFFEE5F2F36C
SHA1:	5192DBEAB1C56B527CEFD438106420197D982D41
SHA-256:	DDD5C85CC223B75785C84661F04ACA9A5D1D0B0C572DC0A268BA91C966DA497B
SHA-512:	BB377DE8F31A4371E6B3FCAA3D2695B2069E92038791E94386AD601EBB1DEC79104579E84FE5D17E58037925BB9C298DF220BAE57DCD2056C241C5D22FE26D7A
Malicious:	false
Preview:	/* LEARN23.REX -- prompt user for title, display banner /....WIDTH=40..BORDER=4..BCHAR=''..SPACE=' '....SAY "Enter title: "..PARSE PULL title....IF Length(title) > WIDTH-BORDER THEN.. SAY "Sorry, your title is too long"..ELSE DO.. SAY Copies(BCHAR, WIDTH).. SAY BCHAR Copies(SPACE, WIDTH-BORDER) BCHAR.. SAY BCHAR Center(title, WIDTH-BORDER) BCHAR.. SAY BCHAR Copies(SPACE, WIDTH-BORDER) BCHAR.. SAY Copies(BCHAR, WIDTH).. END..../* END LEARN23.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN24.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	682
Entropy (8bit):	4.997454527775191
Encrypted:	false
SSDEEP:	12:U5Bufw4No8eyfGu2W0Nj93QRZGGSONNv9rvUXrjGGS5ZwN2xo91ceU:+eNxGrW0L3qZGGSOv9LUbjGGS5KF1cD
MD5:	AF3729D889EE5F6531B1AE2703ECC2A2
SHA1:	F41A4F411DD6491428F90ACB56FFB14AD3725FFF
SHA-256:	A5D332F78BFE998BDE6C6F84CC28312675E72E13AEBE4CB681BC611E8CC21414
SHA-512:	98F14FE8F8702B1A5C2B32C79E0BDF1183E7CC6EB4F1F1C79330924D791ECA9272919D1B2C57ADFA6578985FD791E14CE89E41E24884378A85DB059C632EBD66
Malicious:	false
Preview:	/* LEARN24.REX -- general-purpose number base conversions /....SAY "Enter value to convert:"..PULL n..../ convert from ASCII if only one character was entered /..IF Length(n) = 1 THEN DO.. SAY '['n'] ASCII -> Decimal = ' C2d(n).. SAY '['n'] ASCII -> Hex = ' C2x(n).. END..../ convert from decimal if valid number was entered /..IF Datatype(n,'N') THEN DO.. SAY '['n'] Decimal -> ASCII = ' D2C(n).. SAY '['n'] Decimal -> Hex = ' D2x(n).. END..../ convert from hex if valid hex number was entered /..IF Datatype(n,'X') THEN DO.. SAY '['n'] Hex -> ASCII = ' X2C(n).. SAY '['n'] Hex -> Decimal = ' X2d(n).. END..../ END LEARN24.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN25.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	181
Entropy (8bit):	5.00628693992262
Encrypted:	false
SSDEEP:	3:U5XQD1IsJipg6pMIX+jAiobQt5ydBowrUHwmHmHViI7EuozyoUKnQDyD:U5X9g6D+0tQfHwwmEFuozyoRn9D
MD5:	EA751163F45DFD01C9BC9D7931CA4151
SHA1:	6773CCDCF83AE3FA09CC7D41D7A0A3C3FDC36DC5
SHA-256:	349F2751591CF1E32B865E6E15384D5E04B6AFD4B8D4E76A371245979F3E8786
SHA-512:	4A500B79969AC79CE00BB131E636DFF27A2002C7E23CB03D6B3129D849601A0AF3244EF8C34EA92ACE6143102687B0A4D17555B62FA99DD79BD881BD94B6E033
Malicious:	false
Preview:	/* LEARN25.REX -- show readable date and time /....PARSE VALUE Date() WITH day month year....SAY "It's" Time("C") "on" Date("W") Date("M") day"," year"."..../ END LEARN25.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN26.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	325
Entropy (8bit):	4.878889459907833
Encrypted:	false
SSDEEP:	6:U5XTLQ9RhiqLF+TYhTKRhpotBsZswjBdUFscRMvU6Qm9dvtKM5jzagxwuenTLQ99:U5XQ9RrF+TtFotojBdU6cW8KztKM5KgB
MD5:	B945119C73DBB05C00799B69F63F8B05
SHA1:	9EED356559D7AFEBBA19E2D8E0DDC8DDD8D78AAA
SHA-256:	60E0C60BF73D92880396CF11FF41A7D21CB676569D9CEFD09A8F92A45D531C7D
SHA-512:	766E8EFE8E4AB17A490AEF2A6D3C97E76A2CBB37062176095AE3B65CCC6175AC6DE657498EBA94017CE4BD204BC0B55CE7E2C801998E98D4C3B5A3492CE36218
Malicious:	false
Preview:	/* LEARN26.REX -- call subroutine and pass it an argument /....CALL FindArea 5..r = 50..CALL FindArea r....EXIT....FindArea:../ compute area of a circle from its radius /.. ARG radius.. area = 3.141592 (radius)*2.. SAY "A circle with a radius of" radius "has an area of" area.. RETURN..../ END LEARN26.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN27.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	411
Entropy (8bit):	4.923771219817775
Encrypted:	false
SSDEEP:	12:U55hrFotkodU6s8ytKM5Kgx3wAodUKx7N84E1D:+n5akodUd2M51AAodUq5Q
MD5:	C2DDFF831C5D0189A6DE7BF10F881B17
SHA1:	4DBEA278179B72C0567EB8E8583E61CF84B7FB86
SHA-256:	5963FD98BE25DC7A23B141A8656025BFF29E83029ADEFF0924A0A5A6DD7DB7B1
SHA-512:	4D74FB02EB8A967A5C2C80914B4EDA153544D6FDBC5611FFF7AEDB8555CC8BAFCBE4EF8B28B971874E693803DA3E50029315F1DAF5D6CF2B00D6E9DD9AC29696
Malicious:	false
Preview:	/* LEARN27.REX -- have subroutine invoke function /....CALL FindArea 5..r = 50..CALL FindArea r....EXIT....FindArea:../ subroutine to display area of circle /.. ARG radius.. area = CalcArea(radius).. SAY "A circle with a radius of" radius "has an area of" area.. RETURN....CalcArea:../ function to compute area of circle /.. ARG radius.. RETURN 3.141592 (radius)*2..../ END LEARN27.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN28.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	508
Entropy (8bit):	4.750433760101003
Encrypted:	false
SSDEEP:	12:U5N4c6vfqq0iDG9o9clRu9QCB2frOvax5RU:+NT6Xqq0iG1l6MRTU
MD5:	67BB10BBCAE3D52A908B9A7BD53BC3AD
SHA1:	BBE0AB21A84C107AE23591E0D69898AAA1DF5575
SHA-256:	42D82206D846C72E7FB014A355273009F2051D453A24AF6D81436EE1599AAC6F
SHA-512:	2E3302478C45D0BB1AE1D2488256C1CAE6FE6ACD9D28B9F77CBE6DF2EF28C04D3989EA224F9C75FE1203BED0D9C8A4DD2B5971C84BF613AB73853181B6B6F18B
Malicious:	false
Preview:	/* LEARN28.REX -- demonstrate REXX argument passing /....CALL Sum 1, 2 / call as subroutine /..SAY "RESULT="RESULT / special variable /....our_result = Sum(3, 4) / call as function /..SAY "our_result="our_result....EXIT....Sum:.. ARG first, second.. SAY "Sum:".. SAY " Arguments passed=" Arg().. SAY " first =" first"," Arg(1).. SAY " second=" second"," Arg(2).. RETURN first + second / return sum of arguments /..../ END LEARN28.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN29.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	628
Entropy (8bit):	5.06062797705183
Encrypted:	false
SSDEEP:	12:U5x1ZJOovXk3dvXiLLN1JvqoWVPHddT7O5vNpgxsX7z2KQ8LLKOJbx7xOr:+xTJOygyLLN1hqFfd2/0kzLLK01Or
MD5:	B34AFAD1525CF00C3BD3CCF635D46F02
SHA1:	96608BDE96EC9F8DBF7911708EE9685B597CE169
SHA-256:	BDD28256535063221356F0C3677D44209A54E83174BCC1E5C58D5F20E881B480
SHA-512:	00DA74676CC6E812A3EAA509D4EC6A08AE1BC41CF4C61EB6476BDFF7319E66D8995C4572299D1EFB7F728C678A04AD31F2DF1D1289B6EDF40811362B40065476
Malicious:	false
Preview:	/* LEARN29.REX -- demonstrate REXX variable scoping /....a=1..SAY "Main (j unassigned):"..CALL PrintVars....CALL Proc1 a..SAY "Main (j created, a changed):"..CALL PrintVars....CALL Proc2..SAY "Main (a changed, j restored):"..CALL PrintVars....EXIT....Proc1:../ everything is accessible /.. ARG j.. SAY "Proc1 (j created equal to a):".. CALL PrintVars.. a = 3.. RETURN....Proc2: PROCEDURE EXPOSE a../ a from main is accessible, j is local copy /.. SAY "Proc2 (a changed, j changed locally):".. a = 7; j = 10.. SAY "a="a "j="j.. RETURN....PrintVars:.. SAY "a="a "j="j.. RETURN..../ END LEARN29.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN30.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	648
Entropy (8bit):	4.811437811828752
Encrypted:	false
SSDEEP:	6:U56gxFMK2Vg1CFnif6EeaM2vtiFCJ0OoH/pfBW6qiMKQ5LgWEjNjiSzyHaphniZf:U56W6w22220OBSQYxj9xlCWjCVQeoJo
MD5:	086738C7914BB186C15AA36C2F4A5312
SHA1:	CD7676520424A5CB9809C218FBFCF3C39FD12059
SHA-256:	BC00227B69FB95578A5202A5DA8951BC5BEB18E242C9F27E89D1A8D60A4B9AFC
SHA-512:	5BE20643E862F8F166354A083C5D61A49B1615A92B7877A792ECD8B8D6B1BF0628678CCC6C44F9A34F2F4A26ED3509EA4464BA5D4D594CF171CE4297C3610CD1
Malicious:	false
Preview:	/* LEARN30.REX -- display DOS information using DOS commands /..../ If Environment is Windows, ask about quitting. /..Parse Source Environment Type ProgName..if Environment = "WIN" then do.. Question = "Under Windows DOS information commands execute correctly, but their output is lost when each DOS window ends, Continue?".. Answer = QuestionBox( Question, ProgName ).. if Upper(Answer) = "NO" then.. Exit.. End....'ver' / DOS command to display DOS version /..'path' / DOS command to display DOS path /..'vol' / DOS command to display current volume name /..../ END LEARN30.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN31.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	449
Entropy (8bit):	4.466700411533483
Encrypted:	false
SSDEEP:	6:U54hVtW7FTb7IYWCom2r+mOLCk/LzFwHVZ/nMeKFXPzBTirsX7wLtWQPZ/vTAq62:U58+yqmO2kDJwn/1Et6DxfR/vTPec
MD5:	2C530AB000663EC34A5C27A6024FD09A
SHA1:	A6A8F66E6A14900DF1E9C01ACBAF264230CC0291
SHA-256:	A39547E41D9489D481D524CDC839EE8D618503FA98FEB73FBC105CC557D860CE
SHA-512:	5900E8217D9D85D657206600EAAA24A49795EBA316253EDF6C207F01947BD5F6ED3DA4F1D6CC8D57B0C114647B656C989E2AFA36E43712153AE651626C3A563C
Malicious:	false
Preview:	/* LEARN31.REX -- execute DOS command against list of files /....filelist = 'files.lst'....ARG command / get user's command /....DO WHILE Lines(filelist) > 0 / loop through file list /.. current_fileid = LineIn(filelist) / get a filename /.. command current_fileid / execute command against it /.. END....CALL LineOut filelist / close file list /..../ END LEARN31.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN32.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	237
Entropy (8bit):	4.5697450318905295
Encrypted:	false
SSDEEP:	3:U5W0IIE3LQEmPcu4L4sdyo4RrJKG/OyfXTTTTTTTTTTTTTTTTTTTTTSSdyo46oKq:U5gEEI4Es0D/n2S72/nGIND
MD5:	74E0D49D63A31CDCCC3A71AF1D1D75A1
SHA1:	C6D28D6E562EE40F4581BF791EC6F7F4BDB9F3C1
SHA-256:	A6427AC226CDB52859A5F250EC3BC54792B3145C061BB2674AC2DE7BDA51ABBA
SHA-512:	A4B2C07645CC72AB10127ACC8D4B249077D106A2043001E5CB0BC3E7CF90EB07481199AB72CAEC847EA1943BA89C9F771A648F202D8A83DD78E16F4AD73689BE
Malicious:	false
Preview:	/* LEARN32.REX -- demonstrate REXX numeric operations /....NUMERIC DIGITS 30..SAY 5/3 / writes 1.66666666666666666666666666667 /....NUMERIC DIGITS 10..SAY 5/3 / writes 1.666666667 /..../ END LEARN32.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN33.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	149
Entropy (8bit):	4.594094770721171
Encrypted:	false
SSDEEP:	3:U5WV23OF/a37uP2PQano9QLd/d2FQlQxwae7vcKmL:U5h6K0AQyo9cl2FQSxwa2u
MD5:	41AA0B7B6F428429FFCADECE752F6188
SHA1:	092CD183940978F41B825E734428F129F9DFC29F
SHA-256:	7A5C1882306E322156F3943E9B3240F39DC50A1FE08DB0DA2A42DD791E3743FA
SHA-512:	6FD6BCD00BEBED5294836523338663BEB8386A4C8CEF41CB2DC4C3904AA6E3369414CB2671641F94AC041921952063A85DED8D9E69E1141BA8E36224EDA71EF5
Malicious:	false
Preview:	/* LEARN33.REX -- use TRACE to find bug /..../ TRACE ?R /....SAY Sum(1, 2)....EXIT....Sum:.. ARG i j.. RETURN i + j..../ END LEARN33.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN34.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	137
Entropy (8bit):	4.9031392700962515
Encrypted:	false
SSDEEP:	3:U5W2bVJqRZDaIfQ9pAov2TJqR/y5GgcgGQKR/yyKPFKm29:U5bArayQ9pNuFqN8GRMKNrKPM7
MD5:	81B7BEFB32B43B9BA94AB27F807CC12B
SHA1:	60E971BBAEA52B80C6DA6028BF89028A99ABF0CA
SHA-256:	3003AA8C715415ED0E6CE147C9E0DF4453FFBBA0286E3C45E0DECCDA2FCE7D6A
SHA-512:	25C8CCF453FA7846E295A317E8D41A671AEA8C444475EEEDC04107E6A961114DC9F15F4AF557C00CBCFEA153B61368C9B339BC712536CDB8F83592C22C6E9AB0
Malicious:	false
Preview:	/* LEARN34.REX -- calculate result from any REXX expression /....ARG calculation..INTERPRET "SAY" calculation..../ END LEARN34.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN35.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	203
Entropy (8bit):	4.833715995232883
Encrypted:	false
SSDEEP:	3:U5Wo4yIKQUJtWRE1eX49M+fvTAqbhx1wJRvTAqbhxt/EF5Kmo41D:U5Tu0WREEIK+zAqNxwAqNxrDyD
MD5:	2DAEC2483B8F85CFB29E9313A74C2504
SHA1:	88D9D01F5C2F313A0EDC5ABC5FA88860CCB6259E
SHA-256:	4FA9602C38AA2646A3FA2BDC812DB021ED8C43EF9E34B99F90874BE0D6CB730C
SHA-512:	C467F0486AFAB0AE4E666CE72A9D272AAA6D5F3F15721B2547E4B341451F575D77A8DEA98789A613F60D1F426DC7D4172A992822C9C504DF80AC8DE6F1294032
Malicious:	false
Preview:	/* LEARN35.REX -- write time-stamped note to disk file /....PARSE ARG newline..CALL LineOut "notes.txt", Date() Time() newline..CALL LineOut "notes.txt" / close file /..../ END LEARN35.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN36.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	442
Entropy (8bit):	4.711000503219674
Encrypted:	false
SSDEEP:	12:U5Eg0/enS9Rz+0goFd0Q7D8JyDwQXYgqPYTovTPmuEkPYr/gr:+EgxC4M70QvuyDwfgvovw/gr
MD5:	9A66E5671AB87CFC65240DC41FAC89E9
SHA1:	D062F68F3AC334FA170131C9C41B30ABF775BE3D
SHA-256:	036DA8EBBC4D27A01A8F2563643BE96D4212F47D92D66087B6B443D909D8CE19
SHA-512:	8E29A77E2B972AECD027F3F83D8614633E6F061134B8CF977288221A2C1BF9BCB3B758E05C15F3EF86B6E37C1048987DED294CD4731E69DE635B0BDAFD34A445
Malicious:	false
Preview:	/* LEARN36.REX -- copy one ASCII file to another /....PARSE ARG inputname outputname..../ delete old output file so we don't append to it /..CALL DOSDel outputname....DO WHILE Lines(inputname) > 0 / check for end-of-file /.. CALL LineOut outputname, LineIn(inputname) / write line /.. END....CALL LineOut inputname / close input file /..CALL LineOut outputname / close output file /..../ END LEARN36.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN37.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	460
Entropy (8bit):	4.620446229091455
Encrypted:	false
SSDEEP:	12:U5O/Ad0+EQKDE6h5J4CJDdZGUGYQ0hTPFz7QgezJAAoBZPD:+uguDEgJ75dZGn0hFEVONBB
MD5:	E3C0986977770033AAE1BF719D4C83F0
SHA1:	1F13D643557125978CED35058F4E407F53522461
SHA-256:	ECD6E2DDD13E78DF93E5F1FD94B66DB26E15F3F3379DF6F23B9156C18F868C60
SHA-512:	AEE257244B1D0A3DDFE70BBF94A5C520A6091B3954FC48689BD9E3A4EC49E7CBACDEEEF3A842468847FE313C419892ABEC650E97E6231653C5EBD782D3810060
Malicious:	false
Preview:	/* LEARN37.REX -- list occurrences of string in file /....PARSE ARG fileid string....DO WHILE Lines(fileid) > 0.. newline = LineIn(fileid) / read line /.. IF Pos(string,newline) \= 0 THEN DO / search for string /.. SAY newline.. found = "yes".. END.. END....CALL LineOut fileid / close the file /....IF found \= "yes" THEN.. SAY "String" string "was not found in" fileid..../ END LEARN37.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN38.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1067
Entropy (8bit):	4.902083782297034
Encrypted:	false
SSDEEP:	24:+myicU60hRhgo94wluS0iKSVoGgVwLKEsORf68BWD:+myicpchgolf0JT2sAf6N
MD5:	069093F4844A430E872ED26BC07BE393
SHA1:	0D5A963EBBDB2BD83AE6B43776F3C7FDC29B506D
SHA-256:	79FE8E37EC829AE4048A5136C5ED5F4C3328590F5B260DF8ECFC36EA6A69DECC
SHA-512:	783E041C11DA711EE9078F748369140CE3BE44B7F41E19891DE7E17DD0C334E308B0C6E3A3201DDD329F185DF005C894B65C8B68FB5AF31D6A8550757200B46C
Malicious:	false
Preview:	/* LEARN38.REX -- analyze host PC /..../ Check if Environment is WinREXX, if so.. \| run the appropriate commands.. /..Parse Source Environment Type ProgName..if Environment = "WIN" then do / Analyze Windows PC /.. DosMessage = "Under Windows PCROMDate(), PCRAM() and EMSMem() are not* supported.".. WinMessage = "Use WinMem(), WinVersion() and GetREXXDirectory().".. Answer = MessageBox( DosMessage" "WinMessage, ProgName ).... SAY "".. SAY "DOS:" DOSVersion().. SAY "Windows:" WinVersion().. SAY "Memory Free:" WinMem() "bytes".. SAY "".. SAY "DRIVE:" DOSDrive()":".. SAY "PATH :" DOSCD().. SAY "REXX Directory :" GetREXXDirectory().. Say "Free space on" DOSDrive()":" DosDisk(F,DosDrive()) "bytes".. SAY "".. End..else DO /* Analyze DOS PC */....SAY "ROM Date :" PCROMDate()..SAY "DOS Version:" DOSVersion()..SAY ""..SAY "RAM:" PCRAM()..SAY "EMS:" EMSMem()..SAY ""..SAY "DRIVE :"

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN39.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1830
Entropy (8bit):	4.686159245567156
Encrypted:	false
SSDEEP:	48:+DiMVgWq0AYqYDun2qmNqb6tKPM8bdwKPwGU:+DiMVgW1AYPDbOb6tKPM8+KfU
MD5:	577C11E5079C15327F39A1D2621FD88A
SHA1:	6EECA2A5E74E09730C0785C5701214F50C7AD217
SHA-256:	4A697084852202C123A0FB64F3C2B4051FB946201AB583D54F84139E8708F004
SHA-512:	7E13475BD308B82A32B597A5C945D24A5DF21CFCB20C7FC33F81FC018CAE919ACB46FF6D066F6A56C52C47DC6AF89EBBE4FFEFDCDA415E1CCC98363DCD3EF568
Malicious:	false
Preview:	/* LEARN39.REX -- draw border, wait for user to hit key /..../ Check if Environment is Windows, if so quit. /..Parse Source Environment Type ProgName..if Environment = "WIN" then do.. Message = "Under Windows the SCRxxx functions are not* supported.".. Answer = MessageBox( Message, ProgName ).. Exit.. End....CALL ScrClear /* clear the screen /..CALL Cursor 3,5 / cursor in row 3 column 5 /....CALL Frame 1,1,25,80 / draw the frame /....CALL InKey / wait for user to hit key /..CALL ScrClear / clear the screen /....EXIT....Frame: PROCEDURE../ draw border with IBM double-line extended characters /.... ARG urow, ucol, lrow, lcol / upper left & lower right /.. / coordinates of frame /.... horiz = D2C(205) / ASCII 205: horizontal border /.. vert = D2C(186) / ASCII 186: vertical border /.. tleft = D2C(201) /

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN40.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.127374888847482
Encrypted:	false
SSDEEP:	6:U5RVoduQvHGEjHGfGLZyZm1uhIAwnRHBSAivmBiCou/jSmBi55IvmBiAemBifph6:U5R6Hv9mi1zAwnRhSdvmBhlbSmBNvmBr
MD5:	0C7FDF5A8FD8548C6513B3E659168C1E
SHA1:	A4E369674BAFB0FD3C0F1267FEED2FB5C4D4F14D
SHA-256:	6A9EC2169B04D6D44148AA2475EFA9A501EE357334171CCB7E48F904AE16CD29
SHA-512:	977AB0804EC06D1BE47AB490205ECA7EB5C3A30CB43E71DC294FA7DE8C5203592B9ECD78CC13494B6125A2C6DADC7D68E7FDC673E64EFE4272E7F956CA4544A3
Malicious:	false
Preview:	/* LEARN40.REX -- process file name using miscellaneous functions /....filename = "c:\WinREXX\WinREXX.EXE"....parsedname = ParseFn(filename)....SAY "Drive = " Upper(Word(parsedname, 1))..SAY "Path = " Lower(Word(parsedname, 2))..SAY "Base = " Lower(Word(parsedname, 3))..SAY "Exten = " Upper(Word(parsedname, 4))..../ END LEARN40.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (Files)\LEARN41.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	833
Entropy (8bit):	4.843271131551359
Encrypted:	false
SSDEEP:	24:+RwSzeyp1opI2hxFPr887Gr2nplnUY1ruVHGsGn5NaiR:+RdzeE4fTFjzNQnArR
MD5:	A00329639D4356688C1894DA6360D236
SHA1:	2F53617C226F5AAEBAA65ED5A44AAF7DEA7A4167
SHA-256:	154906C6334FFD58FD93A92206625DCE40FD49D106A43E8996B0054D4A9EC31C
SHA-512:	73C95CA530AA42035CF5EC8A91EE29AB49100E770FB4226C6E7FC0E15360FD58E7F9F04F8ABE260E0A343196F8576FA9A06D9B82D21E175CF080EBFB5B34A23C
Malicious:	false
Preview:	/* LEARN41.REX -- create menu of executable files and run one /....NULL = ""..top = 1....CALL BuildList ".exe" /* find files /..CALL BuildList ".com"....IF top = 1 THEN DO.. SAY "No executable files in current directory".. EXIT.. END....DO i=1 TO top-1 /* display menu /.. SAY Format(i,2)":" Left(dirlist.i, Length(dirlist.i)-4).. END....CALL CharOut , D2C(10)"Enter choice (Hit ENTER to leave):"..PULL choice / get user's choice /....IF choice <> NULL THEN dirlist.choice / issue command /....EXIT....BuildList: PROCEDURE EXPOSE NULL dirlist. top.. ARG filespec.. dirlist.top = DOSDir(filespec, "n").. DO WHILE dirlist.top <> NULL.. top = top + 1.. dirlist.top = DOSDir(, "n").. END.. RETURN..../ END LEARN41.REX */..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\The REXX Lessons (engl.).hlp

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	MS Windows 3.1 help, Wed Jun 2 21:57:33 2004, 87270 bytes
Category:	dropped
Size (bytes):	87270
Entropy (8bit):	6.4105180064304745
Encrypted:	false
SSDEEP:	1536:37PAu/D4Ghy2iZ6dXV5FFY/ABDq9HgmZJlmbueLaobc9rWjU:LIu/D4GhygdF24Bq9Hp8KvobpjU
MD5:	573A86AF70BB4017C81ADA0444F2A35C
SHA1:	7213960410D47BCF8C1C41F8FD3D6202763C8F49
SHA-256:	746BF6DD4C320A4B9CE3DD852C322D5890DA5364C6E8F428E7F8D808D6142B1A
SHA-512:	AAB02C7A91BBFACED2B5D1D82A44C5678070E4E9015DB3874D2E5DD357B6E2C78DFCEF2F1D42F4F9C6EC9887075120732D196F069B491EAC2E137443AE67D71D
Malicious:	false
Preview:	?_..\........T..L...C....< ...0...."(.()/,--../:=aana.ndanyare...argumen.t.Psarray.asbebuil.t-inbyCA.LLcancha@racter.`s@clause.0spcomm[..@..p@arison..o.u..ncaten.ati..ntro.ldefault@differ..d@isplay.@s.DODOSENDQ..erE..pR.e.environ...examplee.xecutede.xpress`..p`sfile....r.stfollow.ingforfr@omfunc..F..@s.Pshave@Ifinin.m.. inputin.stru4 I.p...lis$.sINT.ERPRETis.itlangua.geL..Z.gli.neloopmoE..a..otn..r.icof..ope.ratorsor.otherPAR@SEPars..p0rogr...0sP.ULLradiu.s..U..0..tur0nREX... 's.ro..e.@sSA.YscrV.siL.G.....@sub-@S..`ssy2.xteCz...that..T...HEN..nth...oTRACE ..u..value. .sV..abl...`.. swhichw.illwithy.ouYou..r.........$S!"""@)".",.."...."="'').',..'.'/'.':''[''].("('(),(.).(.)([).)))),)..):):"....0....(.-*+.+++p.'--..B>u.)/00..6...11...21...12221231.5161818..2203207...233.1415.9..35440...355/3505.08555660.36177880.29:":\;<.<>=">>=>.>>??"[\\.=]])],_`.`Aabbrev.i.#abilitRy..Ab..a.0o.veAccN.a.@...i....ordB.u..u..y..F.G.v!..tual.0ly.add..e..ij Ddd..advQ.e.dA.@. t..a..+..Z.fj.A..ag.ain

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\ZOC Specials\zocevent.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2963
Entropy (8bit):	4.407875912076701
Encrypted:	false
SSDEEP:	24:m2nBaIykM/LkJ/GLAn+VflJ9I4+RqWxDEG71uC5/V25HT4D0G3xwKkk2VRSsyxuf:HBhpM4J/a1jBIRxDn/kH/GsBS5uYm3f
MD5:	E3FC77C88216EBE27D6B12E2EEECA3FF
SHA1:	23FEB9CA91ECCF2B0AECFEE314334A09BE9A350D
SHA-256:	45C2BF0E7580073FFDEB615F93D87FC6D902782B97445E3B57B57820F698FACE
SHA-512:	C543082B3D74D8546B0D269A610553875B5F736F4952269E4E347D21A39F0DC60EABEB17E75C904DFCB270E97B8F013C8144B025F4EAF9B50FF3B140CF469561
Malicious:	false
Preview:	..---------------------------------------------------------------------------..1) HOW TO USE ZOCEVENT.ZRX..---------------------------------------------------------------------------.... The ZOCEVENT.ZRX file is called at certain points in ZOC (with the.. parameters identifying the event shown in the table below)..... The ZOCEVENT file can, for example, be used to turn off a fax program.. before ZOC will try to access the com port and turn fax receive mode .. back on when ZOC exits (OS/2's FaxWorks offers such a feature via the.. FXRCV.EXE program, as shown in the sample ZOCEVENT.ZRX file).........---------------------------------------------------------------------------..2) CALL PARAMETERS..---------------------------------------------------------------------------.... ---------------------------- ------------------------------------------.. EVENT PARAMETER(S).. ---------------------------- ------------------------------------------.. ZOC

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\ZOC Specials\zocevent.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2125
Entropy (8bit):	3.7197433400923225
Encrypted:	false
SSDEEP:	24:GFFfIhYtguCy4khEAL8jx/N/sMP/JsFtPp/XsF1p/ocsk3Sr:GFFghe4k6ALixVUES5El0Jr
MD5:	B3C2B96E3688F6F247BCD4DE7916E795
SHA1:	9DCF37EA6A816EB005E87581075CB8615FF61558
SHA-256:	5B58FA1990AEE3B559A4FE140FE780EF625B3D2C7CEC30167BDDB8619430121F
SHA-512:	92E0B7B3537784883A5393E3E38D20BA6BD73778B40CE13EB3C75EB95BBB8E64A8C650C568A34A2FB2F52371F5913CC7DDF077FD00680CDFB3EBBC1A9195BB0C
Malicious:	false
Preview:	/********************************************************************* .... PLEASE SEE ZOCEVENT.DOC FOR A DESCRIPTION OF HOW TO USE THIS FILE....*******************************************************************/....../*******************************************************************/../ The line below exits at once -- remove it to make it all work /../********************************************************************/....EXIT / >>>>>>> to make it all work delete this line <<<<<<<<<<<<< /......../********************************************************************/../ Parse the command line arguments /../*******************************************************************/..PARSE ARG Event " '" DeviceName "'" "'" DeviceOpts "'"......../*******************************************************************/../ Find out where FaxWorks is installed /../***********************************

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\ZOC Specials\zocxfer.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4167
Entropy (8bit):	4.561074898630256
Encrypted:	false
SSDEEP:	96:x5YwYBa8b5/aqyaH2iW7ySzM2qhiiL/GYcZhgzF57:0w78b5/aqyaH2itcM2kirZi
MD5:	7FF1DA6E7DBC2D80B92E6CC501094155
SHA1:	2E9646AA5AF2EF90F2DFB52D0BBF88AF696B9B90
SHA-256:	8AC184605CFC413CFAFEF467D4FCAD9DD95D678E848B4894A761EEAB7C558B1A
SHA-512:	7CDB06D2E5983302E2A8A317E9FCA4D2DAEA9426678FF44A8FBF464EDDC49DB72EF120C57D56440620FCF19819392277D5BCFF599549539BF2A8D8C4ACEAACE3
Malicious:	false
Preview:	..---------------------------------------------------------------------------..1) HOW TO USE ZOCXFER.ZRX..---------------------------------------------------------------------------.... The ZOCXFER.ZRX file is called before and after every file transfer... Parameters identify the type of event (see table below) at which .. ZOCXFER.ZRX is called. This lets you do things before and after file.. transfers according to your needs (see examples below).......---------------------------------------------------------------------------..2) CALL PARAMETERS..---------------------------------------------------------------------------.... ---------------------------- ------------------------------------------.. EVENT PARAMETER(S).. ---------------------------- ------------------------------------------.. Before upload 'PRE' 'UPLOAD' '<full filename>'.. Before download 'PRE' 'DOWNLOAD' '<full filename>'.. After upload

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\ZOC Specials\zocxfer.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2211
Entropy (8bit):	3.35667516929533
Encrypted:	false
SSDEEP:	24:u0ggoo5KQrzhSzwl+LyvxH/Jd1/053o/05B+f/TG/053gY/05k:u0l7MqhSJ25
MD5:	433A15A30372D0E12AFA035CD8C60159
SHA1:	772D75D54E082C610AC16D2FEC2C7A2178FE5A60
SHA-256:	2300C62D7A9E90481D20AAD28246380E62AF41200BCDA8AB23EF653241E93EB3
SHA-512:	DD6AD5FD8BD07941B634AB27230D13CE72AC46DF021BDD778D8CB71BDC210F400036F3F76F95CE7CB26F28EE514B926C1EE165FD9D2509ABE7D5BBF1C5D2E99E
Malicious:	false
Preview:	/********************************************************************* .... PLEASE SEE ZOCXFER.DOC FOR A DESCRIPTION OF HOW TO USE THIS FILE....********************************************************************/..../ get the call parameters: PRE/POST UPLOAD/DOWNLOAD <filename> /..PARSE ARG WITH "'"prepost"' '"updownload"' '"file"'"..../ don't delete the following line !!! /..newfile= file..../ get filepath, filename and extension from file /..filepath= FILESPEC("Path", file);..filename= FILESPEC("Name", file);..PARSE VALUE filename WITH filestem"."fileext....SAY "ZOCXFER.CMD: "prepost"\|"updownload"\|"filepath"-"filestem"-"fileext ....IF prepost="PRE" THEN DO .. /****************************************************************/.. / Before file transfers /.. /***************************************************************/.... IF updownload="UPLOAD" THEN DO .. /********************************************

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\buttoninfo.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	670
Entropy (8bit):	4.8859428969312235
Encrypted:	false
SSDEEP:	12:UySA9cgtk9wbE8hCdFDX2ENy8TW6MO++wUXBQLgJDpG/ePKocAxpQxRQj+WEov:bGwZhCzbk86O++wUXLCoKoxx6NWBv
MD5:	B0AAFBBAE8E6672004D1F62CFE6A53D4
SHA1:	E178D51314EE3EF94C46584AE584A3BC9F8B5933
SHA-256:	BCC8A8BF4BF7B117FE655A62696D126AECA60A025F4343B3288FAB94136F8EB8
SHA-512:	670CF739E99AB73D5126EA0D0E951E356D887ABBC91C42F7E4C9DE69DED1C9E2FF8E6064D2A85E1C9906BA98B1CDD7B7572F02BB449CCF1AFB4DFC191546AD22
Malicious:	false
Preview:	/* REXX /....cr= x2c(0d) / Carriage Return, Hex 0D /..lf= x2c(0a) / Line Feed, Hex 0A /..crlf= cr\|\|lf / Carriage Return plus Line Feed */....msg= "The buttons in this part of the ZOC window are examples"\|\|crlf..msg= msg\|\|"to demonstrate the User Button bar"\|\|crlf\|\|crlf..msg= msg\|\|"They are part of a session profile and can be modified "\|\|crlf..msg= msg\|\|"from Options menu, Edit Session Profile or by clicking"\|\|crlf..msg= msg\|\|"the User Button Bar with the right mouse button."\|\|crlf\|\|crlf..msg= msg\|\|"(To find out more about Session Profiles, please read"\|\|crlf..msg= msg\|\|"the help topic at the bottom of the Options menu.)"\|\|crlf....Call ZocMsgBox msg..

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\minihost.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	OS/2 REXX batch file, ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	21777
Entropy (8bit):	4.714604012293766
Encrypted:	false
SSDEEP:	192:E47JUeBkp3pQXKuUXBqyZKpOrPP59CaGLfpSah9/QOhwCbUA5cTMVbMSRx0UFWWV:EXeBkp3phumopOrpkfpStgsq
MD5:	916910EA5F27F7E4356C84098FC4750D
SHA1:	F156A52A45E513A90A7B068DAAD4B1E17EDC960C
SHA-256:	BA467BB880580EA063AFBA3A06997FF896355AC0CB5686AC6EC9A5E7DB1581F9
SHA-512:	23B3CFA7CCD3EDA92EC93AEBBCCCBBD5900EACA9D31EF78319B8ABAFEC546F20D5C3AE8DA02D1B08279C788A0B3B5C48FB87EC39FD5040A21E52FBAC2CEAB0F5
Malicious:	false
Preview:	/******************************************************************.. REXX program to simulate a simple host .. .. Features: .. + Simple user list (see below) .. + Two user levels (admin and normal) .. + Change of directories (admin only) .. + Up-/Downloads .. .. 09-13-2004 Edited by David Rife to speed text sending with .. Zoc version 5. .. ..*****************************************************************/.... / uncomment the TRACE A command to debug this program /.... / TRACE A */.....

C:\Program Files (x86)\ZOC5\newuserprofile\Rexx\sample.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	631
Entropy (8bit):	5.019330612025214
Encrypted:	false
SSDEEP:	12:U2qFv8oG2Xr28EynXErP26/Wu7RGmaPZYfZxTXdAzxDuPp5VrdZlFpLroa:tQ8N2q8MrPJO6g/WfuzyvVrdZlXLrr
MD5:	D9B7591864B5B570C2D3174F74752E3F
SHA1:	59A49DFE2E7C2A7848E58FD50987EF4072A756B5
SHA-256:	4ACF3B72179F79F02D49463D6EF9FAE0FEA5D9029CE99217769680E3EBDE8628
SHA-512:	35C2AE0099E3F6DC58E2183E1429191219385F1B1F187478235EFF567CDF14132534F8ECB76E12D051318ED8056FDA464FE089A1476FEA346BF0F8C335520CAC
Malicious:	false
Preview:	/* REXX /../ ^^^^^^ REXX programs always begin with /* REXX / on the first line /..../* clear the screen /..CALL ZocCls....SAY "This is a REXX scripting example."..SAY ....../ Ask user for his/her name /..who= ZocAsk("What is your name")..../ print some text to the ZOC window /../ (this time we're using REXX's internal SAY command) */..SAY "Hello "\|\|WHO\|\|"!"..SAY ..SAY "Thank you for using ZOC!"..SAY ..SAY "For more information about REXX scripting, please"..SAY "read the help topic at the bottom of the ZOC Script"..SAY "menu or the REXX information in your My Documents,"..SAY "ZOC Files, REXX folder."....EXIT....

C:\Program Files (x86)\ZOC5\newuserprofile\minihost.zrx

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	OS/2 REXX batch file, ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	20993
Entropy (8bit):	4.6667010304226935
Encrypted:	false
SSDEEP:	192:E49U7Bmp3pQXKusjBqyNlgpOdPP5vi0mLHpSahHK6TKJluKoBwiKkK1YKmpEz1VJ:Er7Bmp3phu68pOdpYHpSGEZsq
MD5:	3FA2364235C2679DEC169BF71ADAEF45
SHA1:	E68D500E6A1F2ED4141E369340B7B3B1072C41D6
SHA-256:	5C098D96F36DE565FEC209FA6E53CD6723D3EFA2895431E65262F3B3DC95BCA4
SHA-512:	EE7F4F4B720C029B2BCF5DFEE104C20DB53BAC377B03BCBF2E94E64E98E4C07947E96C64A54B38D1C5E263A7E7463CD64986E91E2457C84407189DEBF36C5A54
Malicious:	false
Preview:	/******************************************************************.. REXX program to simulate a simple host .. .. Features: .. + Simple user list (see below) .. + Two user levels (admin and normal) .. + Change of directories (admin only) .. + Up-/Downloads .. ..*****************************************************************/.... / uncomment the TRACE A command to debug this program /.... / TRACE A /...... /*********************************/.. / below is the list of users /.. /*********************************/.... curdrive= "C:" / Work drive for all users */.... user.1= "ADMIN"

C:\Program Files (x86)\ZOC5\order.cfg

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	684
Entropy (8bit):	5.27554706036504
Encrypted:	false
SSDEEP:	12:cBEzLG5bX3I7h9br5sdzMbMIzMrX4Ie+sG2ypkfScr9Yok3E2F9bM65J5SR4BBIJ:cyzq5bH4b1RMbX4JDMcr9YDZFDJ5SR4S
MD5:	66E7C0335E4512EF0058FD87D7A9DDD7
SHA1:	56C0D9A6CCCAF5338DC7CFD325A3F5E831340E2F
SHA-256:	0BF26CECEE9324DB3534577E1B3888FB4D7193E50191CB866EA883A4DB78AD17
SHA-512:	3721013BDC61713A4ED0D3FD71677AA066DD2F51C16CD7F4EFA2F1300ED66F41A21FB0E42BCF5DF61DFADE7140A21756E352AFBF6F953F73ED4D5F18CC0C0AF0
Malicious:	false
Preview:	AppName=ZOC..AppVersion=5.12..Expire=2009-03-01..AppRegistry=*..Distributor=compulab.cfg;CompuLab (Germany)\|bmtmicro.cfg;BMT Micro (USA)..AppHelp.German=zoc.hlp\|10600..AppHelp.English=zoc.hlp\|10600..DefaultDistributor.English=bmtmicro.cfg..DefaultDistributor.German=compulab.cfg..WelcomeMsg.English=You are about to order ZOC.\r\rBefore ordering, please also check the Order-Info item in ZOC's Help menu.\r\rClick 'Next' to continue.....WelcomeMsg.German=Sie sind gerade dabei ZOC zu bestellen.\r\rBevor Sie bestellen, lesen Sie bitte auch den Punkt Bestell-Informationen im Hilfe-Men\xfc von ZOC.\r\rBitte klicken Sie auf 'Weiter'.....Amt0=1..Amt1=0..Amt2=0..Amt3=0..Amt4=0..Amt5=0..

C:\Program Files (x86)\ZOC5\order.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	116152
Entropy (8bit):	6.214109707259487
Encrypted:	false
SSDEEP:	1536:7KeswrgGp6tNfam2vGt8LihNOJpYJL2cnX6+X5tIGpI88n4+Ybi:7L6jSLiuJiJ1nX6+X5tz2n1Ybi
MD5:	A6CBAC90B8A6A8A68507D72588206DFD
SHA1:	1D4C5A52AF0DB1E9BEE0813DD784C9F75542E828
SHA-256:	74D61C03197DCB019C0D10AEDFC04AAD2920238138503204B50B10EA43A2F764
SHA-512:	71627C1614C6249A2E2E2B40CCB8D3EFB310D4A959D457E73C3F4BC8BA78D794533947A9F015D71AAB32AF7498319FB009831B5B355C23A61B3E4AF03F48E0EE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............A...A...A.$.A...A.$.A...A..A...A...A...A.$.A...A.$.A...A.$.A...ARich...A........PE..L...Qz.I............................q........ ....@..........................................................................@..<....p...J...........................!...............................;..@............ ..@............................text...J........................... ..`.rdata...'... ...0... ..............@..@.data........P.......P..............@....rsrc....J...p...P...`..............@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\osyswin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73771
Entropy (8bit):	5.032482186650669
Encrypted:	false
SSDEEP:	768:efLYCoLTsC5OY+fd6tmIyOof10EeqbFUXL1ZwbZu44z:eECofxOY+fQAIod9ecqXLYb0rz
MD5:	82BDDA936AC6FF9E9CB9B2DC0C4315CF
SHA1:	020C9CEE03A606AFF9ACA5F91D251F93874B627B
SHA-256:	337A89A3543E7C1EDCFAD78699BA9890F7BAEC65D13E7C5867DB04900FABB0D6
SHA-512:	86B4BE01244780FC726ED7F597D33C779B33095C7BD1BA052D250C4877A14786798C4882839311A83393327C2C431B1A5106F0C85BB908530FC4258565B4428F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........K...K...K...)...A...0...O...M...N......H...K.........O......H...RichK...........PE..L...V^5I...........!................................................................................................0...F....P...............................p.......................................................U...............................text............................... ..`.rdata..v........ ..................@..@.data...Pq....... ..................@....idata..A....P... ..................@....reloc.......p......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\phimport.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	86064
Entropy (8bit):	4.975279205887081
Encrypted:	false
SSDEEP:	1536:jlDDd03Lt24k7iTUcqYh4ioLiCi3yzcdb73TGYaEsov+Gg:FDdN4k7Fc5oLiCi3yzcdb7jGYwovNg
MD5:	AA8B245347EBE573F9B4245254582C68
SHA1:	16739C52ACB3F398CD9007F70AB5333CD5B4857F
SHA-256:	EB2E94C34DC1C8528FB7ED2FD988E56CDBDC216D94C99423EA6240FDC55C0DAB
SHA-512:	F6EC1F517C88ACA652E22F9C0E22852DA946ABF14DD36525A7E28427DB88930D3132BB1E78E5263C2A62D9C7927D82E750EAC4A384EC192966E5606F89A89089
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...7...7...7...7...7...7...7...7...7(..7...7...7...7T..7...7...7...7C..7...7...7...7C..7...7Rich...7........................PE..L...c^5I...........!.................f............p..........................P..................................................d.... ..p....................0..........................................................(............................text............................... ..`.rdata..Z........ ..................@..@.data............ ..................@....idata..............................@....rsrc...p.... ....... ..............@..@.reloc..&....0... ...0..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\setup\advertise_pyrotrans.cfg

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ISO-8859 text, with very long lines (316), with CRLF line terminators
Category:	dropped
Size (bytes):	945
Entropy (8bit):	4.816120057098652
Encrypted:	false
SSDEEP:	24:kUWJSELiTnam2f93rbivK5PpaNWTqyaeYLUkn:kUWJxm2f93r2upQ0CTn
MD5:	4D455C67B52A40D32AEBA2012941B1B4
SHA1:	709765E8B70C6C1F34EF11941CD1DA6812B77626
SHA-256:	4F86C2BB0F72392081BEEA4EA03A51511A74966A1AE3B84BE7A3BE1F91925C3D
SHA-512:	B50AFE0013F500A582798A4AA1744985769A16CC421503EAB005D4BF95B1E007552160CF170040474E81A872C48DB311CD5FB48987C4B6A92465685862B74E5A
Malicious:	false
Preview:	Product=PyroTrans....Teaser1.German=Suchen Sie ein Dateitransfer Tool?..Teaser2.German=Dann sollten Sie unbedingt unser Programm PyroTrans testen!..Description.German=PyroTrans dient dazu per Modem, ISDN oder Internet Dateien automatisiert (z.B. im Rahmen von Warenwirtschaftssystemen) oder manuell (z.B. Au.endienst) zu .bertragen.\r\n\r\nPyroTrans unterst.tzt automatische Kompression und Verschl.sselung der .bertragenen Daten. 30 Tage Testversion mit Support!..Url.German=http://www.emtec.com/pyrotrans/index.htm....Teaser1.English=Do you need a file transfer tool?..Teaser2.English=Then you should definitely test our product PyroTrans!..Description.English=PyroTrans is a program package that allows automated and manual file transfer over Modem, ISDN and the internet.\r\n\r\nIt is a great solution to transfer data between a company headquarter and branch offices or field staff...Url.English=http://www.emtec.com/pyrotrans/index.html..

C:\Program Files (x86)\ZOC5\setup\out\setup.cfg

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	4242
Entropy (8bit):	5.493963837193557
Encrypted:	false
SSDEEP:	96:Vyhx3JoX7i6IjmhgIqeXZ84Z1Clxh/7Sh:Vyh5qIjaqe/mxFi
MD5:	68C45D1D1E6AB31BB71BD8D6B2656CB7
SHA1:	E0906AB53D25C18054C2C970EA3E4BE07C0D528C
SHA-256:	7BFBE6CBD814C2F6A9EE211DEB8FD521DC224E1D34594465E033E015AB6520D2
SHA-512:	B27A6817B9A60939C4B4DA8F30AD82616CD01C28298F6A8AB9C1A2677D9E5A572EAB9959FB121750192115B609D6717D4C9FE67973D7DE8820A2B5E710CC4D71
Malicious:	false
Preview:	//..// ZOC V5 install script..//..AppName=ZOC..AppVersion=5.12..Advertise=advertise_pyrotrans.cfg..IdIcon=100..IniKey=ZOC5....InstallPath=ZOC5..UninstallIcon=ZOC.exe..StartMenuUninstall=1....CopyToDest=Setup.exe\|\|SetupEnglish.Dll\|SetupGerman.Dll\|lizenz.txt\|license.txt....DeleteAfterExtract=Develop.doc\|Versions.doc\|Problems.doc\|Isdn.doc\|Register.doc\|Features.doc\|Readme.doc\|..DeleteAfterExtract_2=emucept.dll\|xfrcept.dll\|xfrcis.dll\|megadodo.dll....ProtectedFiles=.zrx\|.zky\|.zfg\|.ztb\|.ztr\|.zoc\|phonebk\|standard.cfg\|.ini\|newuserprofile/....AskOverwrite=....//..// English..//..WelcomeMsg.English=You are about to install ZOC - a powerful terminal emulator for Windows...FinishMsg.English=Now please start ZOC from the start menu. After starting the program, select Quick Start Guides from the Help menu.....StartmenuName.English=ZOC Terminal 5.1..StartmenuOpts.English=ZOC V5;*Zoc.exe\|Readme;Readme.txt\|Order ZOC;Order.exe\|..StartmenuOpts_2.English=Feature List;Features.txt\|Order Info;Registe

C:\Program Files (x86)\ZOC5\shellicons.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	352256
Entropy (8bit):	5.590182704315919
Encrypted:	false
SSDEEP:	3072:rKBBoF8GyN0ugGFzn3rGUmPv6a6iR1Vw67ZF7vBsuWloi23zTIbBDrRyZr:r+hmJGxK1J62wKxzTCi
MD5:	73D2820FDE6A97A6DE008099D670DE5C
SHA1:	DD96D80EEFEDFA18BAC33E2160220ACC3A68956A
SHA-256:	B995A01A1C0EDB4E6FF402BCDCCB4BE871C0433EABC0CD0C4CA0B395DA525641
SHA-512:	45559F6E29813448398FD78E88A6403AE2823C8B99A7CB75C594B1B02196E631C1AE5D38FDA8F848B44CDDBD20E83B3AA3FF37D42A1D109F69DB5B843438B063
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.R.Y.R.Y.R.Y.R.X.c.Y.0.J.Q.Y...S.E.Y...W.[.Y...R.P.Y..._.S.Y.RichR.Y.........................PE..L...b^5I...........!.....0... ...............@...............................`...............................................D..(....`.......................P.......................................................@...............................text....*.......0.................. ..`.rdata.......@.......@..............@..@.data........P.......P..............@....rsrc........`.......`..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\showem.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	127020
Entropy (8bit):	4.8387559460698855
Encrypted:	false
SSDEEP:	1536:YI7lY6OAGW9fFRh89KWW/7npmpVEGa8L6Wj3Muz96Dua8L6Wj3Muz96DT0:n7lY6OwlFKWdMEGa8U1ia8U1k
MD5:	4C65B83F9DB916B5BF17B985B669D6AF
SHA1:	8661FC66F622F6FF695A9E31697915B5634F486F
SHA-256:	BAE9EBBBF710DD55A5E8CE0C5CEB0C7DE70C0F1117052FAD3EA78C1532231515
SHA-512:	5C636D94BA6AF26AB78002066CA23394A3CE7DFDAE26C9FC77C5230499DD277F41D46489236C8F8CADDCFD709586FCE55DD7F427C72991BAA7D785EE07FD2571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............._..._..._..._..._..._..._\|.._..._..._..._..._..._..._..._..._.._G.._..._..._..._Rich..._........PE..L...c^5I...........!................5........................................P..........................................Z....`.......p.......................@.......................................................c...............................text...R........................... ..`.rdata..............................@..@.data....t....... ..................@....idata.......`......................@....rsrc........p......................@..@.reloc..:....@......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\sndbell.wav

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 22050 Hz
Category:	dropped
Size (bytes):	42044
Entropy (8bit):	7.26208833033609
Encrypted:	false
SSDEEP:	768:+3yxIuPvUsUNZ93Pczrw9P3sN/nfBhhyrBikjFI6RjGnLlX:QaUZN8zrw9PO5ehC6R8BX
MD5:	1EDB666DB90FD25360679D364FB3CEA0
SHA1:	BB90B7F89A0D0D54E18D45F8705151FAE7C26D5F
SHA-256:	DEC7D894F9A3778F738159ABD2DF39ECA6848358A9B05FD37F74800F1DB6044E
SHA-512:	4F767A17E63A1D7C9E43F4D3B50A4E056468313314BFEDE481DF20C8D197F28523C1FD5D88D09BD2AE4901B514D16A96D301332D568DECC1CA15BF42652E6002
Malicious:	false
Preview:	RIFF4...WAVEfmt ........"V..D.......data....\|.......~.u.p.r.z.y...s.j.h.p...~.x.x.z.\|.....\|.}.y.e.\|.p.g.x.....m.......}.z...z.j.f.`.b.w.....w.r...}.[.f.....q.........y.d.\|.o.........\|.~.~.}.~.u...u.\|...\|.\|...e.X.f.y.{...z.v.y.......\|.....y...x.t.....u.k.........{.t.i.v.u.~...q.{.s.[.v.\|...........t.q.......}...s.........\|.t.n.s.....s.............m.q.....}.......r.}...x.y.........u.y.t.z.............{...............................~.............................w...............................~...........k.........}.\|.d.{.....{.......{.[.z...{.{...u.~...y.W...........w...........".............D...,.}......@.............}.C.....:.....r...........B.....%.q...........7.............R.Z...y.............#.......d...&....=.3.\|.:.......m...b.%...+.a.....`.........U.i.L.Z.n.S...J.".....+.......>.....8...e.,................M.N....... .........O.......b.F.t.......'.......%.+.....w...........p.......".....j.<.}....L..t.g.}.>..1...f.y................o.........h.i...!...P...x...}.....W...e...

C:\Program Files (x86)\ZOC5\sndlogoff.wav

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 11025 Hz
Category:	dropped
Size (bytes):	28660
Entropy (8bit):	6.966179955749021
Encrypted:	false
SSDEEP:	768:ay+o/ZrezCOAs8v75WZi5utFb3x58IqAgU1gt2ML3VeYK9j:ajoNY1AtUZistthChq02y3VeYKR
MD5:	08B2E91D036508D7B828EA9B610D8733
SHA1:	3E122436165634E0DC43FC95AAFB5D368702C154
SHA-256:	EDCD854EB01CF4013B61238055EBAC53A98198DEC2AFA0808ADD15395911C628
SHA-512:	D1147CA5A88DF1181277FBF1D6CB50B6CB13C5764DF5C983B6FF386FA50D93671C071DA3F8CF99CDE04FF6E1AD6B2B38F2F4F342869E015C4E6EBE822A7B0307
Malicious:	false
Preview:	RIFF.o..WAVEfmt .........+.."V......data.o......................................~.x.q.j.e.\.].^.Z.Y.V.V.S.N.M.J.E.@.>.C.B.E.G.F.H.O.Q.U.`.g.l.o.v.....................................................................\|.x.l.m.d.Z.Z.W.R.R.T.S.R.R.P.N.S.O.J.H.J.C.@.@.E.H.J.O.S.].h.p.z...........................................................u.r.i.c.a.[.`.c.]._.`.`.g.d.a.d.Y.U.T.P.J.N.L.E.J.M.S.S.W.].b.f.n.s.s.w.\|.........................................................~.}.\|.x.q.k.e.\.T.T.L.F.A.>.@.@.>.@.C.B.F.O.P.O.S.Z.\._.b.a.d.f.m.q.r.{.}...............................................................y.r.i.d.`.].Z.X.Z.[.Z.S.T.Q.O.O.O.K.G.E.A.?.>.A.B.E.P.X.c.j.u.~.....................................................................l.Q.6.'...............o.N.9.%.+...............I...d...................)..........'.v.9.M...........U.U.Q.u."...V.Z...-...U...................=.V...V.... .". A...)...5.T.........n...?.....\............i..............M..............................R.-.l.i.s.

C:\Program Files (x86)\ZOC5\sndlogon.wav

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
Category:	dropped
Size (bytes):	51844
Entropy (8bit):	6.2970672875462705
Encrypted:	false
SSDEEP:	1536:VaHtWYhgQ5EDWEzgDTkTM60Ao6ERFE506:VanHED4j6Y6ERa
MD5:	D2F8A0BE605DD99B9D9F3B9E103C4EC6
SHA1:	F0C0C0381A0FE394AE0DA8AE74853CF00AA16031
SHA-256:	1703443307B4DD8E2C3CFE8B97FC30D4C8C9ED38B15995623E256AD62A2D874A
SHA-512:	6A138A47D6CD23EBDEA11B7AD3CE9EEE8BB48C0D6BB363554B1BF4062284F1E4A5E0F0F988F0F655990CB12ADA867E9DBB29DFB91A8BC3851AB41DC83A20675F
Malicious:	false
Preview:	RIFF\|...WAVEfmt ........D....X......dataX...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\ssh.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	5.458005410829246
Encrypted:	false
SSDEEP:	1536:kzo/SjbRojT0MEL1e0+yr7oqO8RioEkqECK:Crwsr7oqO+ioSEv
MD5:	F13E41B0AF9AE537B5D593216C1E81AC
SHA1:	EF586AEA2E946346DD4910EBC087D8DDCF698B47
SHA-256:	58ACB663D3D2377F71C928B1136B65D97BBBDE2F94DBEF69592CD76CDEB02324
SHA-512:	6EE1E93F776D99219EA03597515021422817F65D94F84AA458CCCD94AE903E4DDBAF6F5D1AC9E281E501B9DBE5FC3E72405C355E76DCF2C91AC8E7E5C29D91E1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C".."LM."LM."LM.>@M."LMJ>BM."LM!=FM."LM."MM."LM.=_M."LM!=GM."LMq$JM."LMRich."LM........................PE..L...d^5I.................`..........o".......p....@.........................................................................pv..<........Q...........................................................................p...............................text....].......`.................. ..`.rdata..D....p.......p..............@..@.data....-....... ..................@....rsrc....Q.......`..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\sshdll.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	970803
Entropy (8bit):	6.247424026890006
Encrypted:	false
SSDEEP:	12288:5SEosu6j5Pf0bD4lyItfX4ASbVY6Io+pCiiD1L/bqh:526jZcbclyItfX/Sb6jp/iD1L/bqh
MD5:	28B99B73CEA225DE79B8F0A75F2B8E0B
SHA1:	6932C9EB4C3C02A05D1881DC3E6B17320155B68B
SHA-256:	DF2F15D2C67272F944E19D7E25661E8E407612B1CAAA57C3FF7AA2E8294A5BF8
SHA-512:	1B45B3A12E0BD2B5AD82B8853E8026D2F3B1EB15AB0EFBFFA3175CA00C08B4FA5D08E0B1C4BB080654F5C900D5321368CF93E65F01E99DA3155CA067284B7E29
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...p...p...p...\|...p...c...p..+z...p.g(t...p...~...p...q.2.p.p.z...p.p.t...p.Rich..p.........................PE..L...Z^5I...........!.....P...................`...............................@.......................................a..........................................`....`..................................................\............................text...PB.......P.................. ..`.rdata.......`.......`..............@..@.data........p.......p..............@....idata........... ..................@....reloc..1............0..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\telnet.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	5.3116807849891226
Encrypted:	false
SSDEEP:	768:93iTjD7qK4TdJlpjKNDCLV85u7omaMRio+jASXGWtVETMEu1K:hiTb4TdnpjKdUr7olMRioEkqECK
MD5:	310BF913306CB84845F896DFC04A4E93
SHA1:	3648C612239ED10D1234401682D99182FCCDF202
SHA-256:	F869D4D0964879F9086BEAB02270BD3F843DD82CF551C153802381567DA47A63
SHA-512:	01E93178A3894A4B19B0184E3B492EB697220BEDEB309848D01519D2ECBB0995CC9445E49196C73679C8AD1177B0C16D0D6F7AC5F359527B8A434A8B160B964F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3M..3M..3M..?M..3MP.=M..3M;.9M..3M..2M..3M.. M..3M;.8M..3Mk.5M..3MRich..3M........................PE..L...d^5I.................`...................p....@.........................................................................pv..<........Q...........................................................................p...............................text....Z.......`.................. ..`.rdata..D....p.......p..............@..@.data....*....... ..................@....rsrc....Q.......`..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\tips_engl.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	Generic INItialization configuration [TIP]
Category:	dropped
Size (bytes):	3630
Entropy (8bit):	4.600993811809027
Encrypted:	false
SSDEEP:	48:M6MSzeVpIib+YIm1iAeb7G4pV6FYDut63+hk0zUvV2LZsRtJMpslpUECgfDdEBh:3zeTrbv8O4f62p3+FzU4ZsrWpCprCBh
MD5:	A84703FADD0E9CC7497C4B1D6686D947
SHA1:	86BC1A3B3CEA6E0BAD29ABA7B389674774C74B3B
SHA-256:	215F7E1E29315E7680FA08B938E6503D7597EAA048B59817E4B789D6D1519D33
SHA-512:	E991570854E68989BBB7A39E940A901141BC1ACB4E80FB6ED2C223C5DCE9251E10B244ADEEC49FF70B4DF4BD60F2DE962A2E6D4344B290D73FD5768F9019BA5C
Malicious:	false
Preview:	....[TIP]..A click into the fields of the status bar will bring up the..corresponding configuration dialog (e.g. Devices or Emulation)..from the session profile.....[TIP]..There are various ways to quickly access your commonly used..host directory entries.....To do this, edit the host directory entry, go to the Shortcut..tab and select the options to either add the entry to the file ..menu or to the list of user buttons (below the toolbar) or to ..create an Icon on the Windows desktop.....[TIP]..With the Alt key pressed you can mark rectangular parts of the screen.....[TIP]..Did you notice that you can resize the host directory dialog?....[TIP]..If you are using Secure Shell (SSH) connections, you can transfer..files to and from the remote host by using the Zmodem file transfer..(see the help topic at the bottom of the Transfer menu).....[TIP]..You can disable devices and emulations which you do not need in..the Options, Program Settings, Subsystems dialog.....[TIP]..If you press Alt+C

C:\Program Files (x86)\ZOC5\tips_ger.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	Generic INItialization configuration [TIP]
Category:	dropped
Size (bytes):	4111
Entropy (8bit):	4.810490270525413
Encrypted:	false
SSDEEP:	96:dtbXSD2E7ITrsJiOEbTVwVU47aZMstLuvGK4SWjjlEM4Jlfh:dtbXSCyITrsJjTUiaZM0LuvGKijlEB
MD5:	25EE62102F465C9320F63940EF9E5EC5
SHA1:	EA3AEDB21E1FA8FF915FC59DA0E5FFB1433C619E
SHA-256:	CEAED39ACE911EA69D1099D35962414E22333CE3D4C91944D43D75E3CF99027F
SHA-512:	7C2C8B710BCEDE7179C4ABF354A1DA6BBF37243BD8FA02BC339A1992B69A4AFCFD7E10DC0DF567A91F9C31B4F220F7E5D4A764C183AB74E158158F4DE6AEB26A
Malicious:	false
Preview:	..[TIP]..Ein Klick auf die Informationsfelder in der Statuszeile .ffnet..den zugeh.rigen Konfigurationsdialog des Verbindungsprofils.....[TIP]..Es gibt einige M.glichkeiten um ohne Umweg auf Ihre h.ufig genutzen..Verbindungen zuzugreifen.....Dazu bearbeiten sie den Adressbucheintrag, gehen in das Register..Verkn.pfung und aktivieren die Optionen, um den Eintrag zum Dateimen.,..zur Leiste der Benutzerkn.pfe etc. zu erstellen.....[TIP]..Mit gedr.ckter Alt-Taste k.nnen Rechtecke am Bildschirm markiert werden.....[TIP]..Ist Ihnen aufgefallen, da. Sie die Gr..e des Adressbuchfensters..mit der Maus .ndern k.nnen?....[TIP]..Falls Sie mit Secure Shell (SSH) arbeiten, k.nnen Sie Dateien per Zmodem ..zwischen Ihrem Rechner und der Gegenstelle .bertragen. (Weitere Informationen..dazu im Hilfethema unten im Transfer-Men. des ZOC Fensters).....[TIP]..Sie k.nnen Kommunikationsmethoden (Devices) und Emulationen, die..Sie nicht ben.tigen unter Optionen, Programmeinstellungen, Subsysteme..deaktivieren

C:\Program Files (x86)\ZOC5\unicode\1250.tbl

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3514
Entropy (8bit):	3.8541350007044057
Encrypted:	false
SSDEEP:	96:WlzXcRCUa1nkSZJ66qecrewRK/eXSV/3/3txm:QclaVhNwew3Om
MD5:	12B9F511785AB1CC185EB7F34E212A98
SHA1:	E606E17C2D149368D39B03B6412943DDF4F92010
SHA-256:	2E454431B203D271129F6CFA12752D588C044152333EA8932D010196B066F58B
SHA-512:	50985E539D563A48FCBAA741E3FF29D1E51664F0D1EC528072D74472007D7F9EDBBBE2A1011606274D35A964D61C4E9AC47968D52FCB4FA18FBC654B626012F1
Malicious:	false
Preview:	00 = U+0000 ..01 = U+0001 ..02 = U+0002 ..03 = U+0003 ..04 = U+0004 ..05 = U+0005 ..06 = U+0006 ..07 = U+0007 ..08 = U+0008 ..09 = U+0009 ..0A = U+000A ..0B = U+000B ..0C = U+000C ..0D = U+000D ..0E = U+000E ..0F = U+000F ..10 = U+0010 ..11 = U+0011 ..12 = U+0012 ..13 = U+0013 ..14 = U+0014 ..15 = U+0015 ..16 = U+0016 ..17 = U+0017 ..18 = U+0018 ..19 = U+0019 ..1A = U+001A ..1B = U+001B ..1C = U+001C ..1D = U+001D ..1E = U+001E ..1F = U+001F ..20 = U+0020 ..21 = U+0021 ..22 = U+0022 ..23 = U+0023 ..24 = U+0024 ..25 = U+0025 ..26 = U+0026 ..27 = U+0027 ..28 = U+0028 ..29 = U+0029 ..2A = U+002A ..2B = U+002B ..2C = U+002C ..2D = U+002D ..2E = U+002E ..2F = U+002F ..30 = U+0030 ..31 = U+0031 ..32 = U+0032 ..33 = U+0033 ..34 = U+0034 ..35 = U+0035 ..36 = U+0036 ..37 = U+0037 ..38 = U+0038 ..39 = U+0039 ..3A = U+003A ..3B = U+003B ..3C = U+003C ..3D = U+003D ..3E = U+003E ..3F = U+003F ..40 = U+0040 ..41 = U+0041 ..42 = U+0042 ..43 = U+0043 ..44 = U+0044 ..45 = U+0045 ..46 = U+0046 ..47 = U

C:\Program Files (x86)\ZOC5\unicode\1251.tbl

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3570
Entropy (8bit):	3.8595554148402194
Encrypted:	false
SSDEEP:	96:WlzXcRCUa1nkSZJ66qecwaZp+RpRyzkK7K4pYYF:QclaVhNbaZEpn4L
MD5:	E0EF80BD2A19C0448C2D03F198E95394
SHA1:	F95C48738DB6CD1E638D7418541B1686F55810BE
SHA-256:	D5FA60E08163D7B92D7A26B169261EBEE1CB52E826B4BD76F9799E8399FCCE1C
SHA-512:	F004BEA45B81C6FDDB76D57AE40E912175B2134A3EEAC1B5E67B93DB0DE17369043DFD4020478AB8A5BDAE55990535CD1A5CD7A8AF9B45C926CAC6DC5EFE7931
Malicious:	false
Preview:	00 = U+0000 ..01 = U+0001 ..02 = U+0002 ..03 = U+0003 ..04 = U+0004 ..05 = U+0005 ..06 = U+0006 ..07 = U+0007 ..08 = U+0008 ..09 = U+0009 ..0A = U+000A ..0B = U+000B ..0C = U+000C ..0D = U+000D ..0E = U+000E ..0F = U+000F ..10 = U+0010 ..11 = U+0011 ..12 = U+0012 ..13 = U+0013 ..14 = U+0014 ..15 = U+0015 ..16 = U+0016 ..17 = U+0017 ..18 = U+0018 ..19 = U+0019 ..1A = U+001A ..1B = U+001B ..1C = U+001C ..1D = U+001D ..1E = U+001E ..1F = U+001F ..20 = U+0020 ..21 = U+0021 ..22 = U+0022 ..23 = U+0023 ..24 = U+0024 ..25 = U+0025 ..26 = U+0026 ..27 = U+0027 ..28 = U+0028 ..29 = U+0029 ..2A = U+002A ..2B = U+002B ..2C = U+002C ..2D = U+002D ..2E = U+002E ..2F = U+002F ..30 = U+0030 ..31 = U+0031 ..32 = U+0032 ..33 = U+0033 ..34 = U+0034 ..35 = U+0035 ..36 = U+0036 ..37 = U+0037 ..38 = U+0038 ..39 = U+0039 ..3A = U+003A ..3B = U+003B ..3C = U+003C ..3D = U+003D ..3E = U+003E ..3F = U+003F ..40 = U+0040 ..41 = U+0041 ..42 = U+0042 ..43 = U+0043 ..44 = U+0044 ..45 = U+0045 ..46 = U+0046 ..47 = U

C:\Program Files (x86)\ZOC5\unicode\1252.tbl

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3516
Entropy (8bit):	3.871423200808488
Encrypted:	false
SSDEEP:	96:skzXP3M1nkSZJ66qecsXnTwR1AH4XBc0+aH:9P8VhNfsOAN
MD5:	0D0778F6F5D2F8CD964D1DCFADEE9733
SHA1:	1DD1DC72FCC59A71C26D8689701B0FED9E409856
SHA-256:	91CFD135132341906777555684D3AD783E5C77A124DFE07834F8C56C88D1CBEB
SHA-512:	FBB2120626EAB7EE2FC3BD1989CC2DCD8567ED1F9995123D21C1ACCB03A435271CF6112C1994A407B94C9EE2154739AF578C0651D7454A5FB09AD861E0B4D22C
Malicious:	false
Preview:	00 = U+0020 ..01 = U+263A ..02 = U+263B ..03 = U+2665 ..04 = U+2666 ..05 = U+2660 ..06 = U+2663 ..07 = U+25CB ..08 = U+0008 ..09 = U+0009 ..0A = U+000A ..0B = U+000B ..0C = U+000C ..0D = U+000D ..0E = U+000E ..0F = U+000F ..10 = U+25BA ..11 = U+25C4 ..12 = U+2195 ..13 = U+203C ..14 = U+0014 ..15 = U+00A7 ..16 = U+2584 ..17 = U+21A8 ..18 = U+2191 ..19 = U+2193 ..1A = U+2192 ..1B = U+2190 ..1C = U+2514 ..1D = U+2194 ..1E = U+25B2 ..1F = U+25BC ....20 = U+0020 ..21 = U+0021 ..22 = U+0022 ..23 = U+0023 ..24 = U+0024 ..25 = U+0025 ..26 = U+0026 ..27 = U+0027 ..28 = U+0028 ..29 = U+0029 ..2A = U+002A ..2B = U+002B ..2C = U+002C ..2D = U+002D ..2E = U+002E ..2F = U+002F ..30 = U+0030 ..31 = U+0031 ..32 = U+0032 ..33 = U+0033 ..34 = U+0034 ..35 = U+0035 ..36 = U+0036 ..37 = U+0037 ..38 = U+0038 ..39 = U+0039 ..3A = U+003A ..3B = U+003B ..3C = U+003C ..3D = U+003D ..3E = U+003E ..3F = U+003F ..40 = U+0040 ..41 = U+0041 ..42 = U+0042 ..43 = U+0043 ..44 = U+0044 ..45 = U+0045 ..46 = U+0046 ..47 =

C:\Program Files (x86)\ZOC5\unicode\1253.tbl

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3346
Entropy (8bit):	3.871891137077453
Encrypted:	false
SSDEEP:	96:WlzXcRCUa1nkSZJ66qecsfCRhsTgMzl+GZwWy:QclaVhNfqqNBNG
MD5:	C23CA228AAFD6D1A155A80CB3E6D9754
SHA1:	E033ACB8878C651D4A52C35A04468419DA213D38
SHA-256:	E62C5FFFB38EBA68788E7974281884D88F28ED6EC2A68BEB8A8798BB136DC937
SHA-512:	346546DB4CD957F02BA1B5B4CFCAC73A3F1857E83CAE6C8353248C9C208C41C640C10DDD45106A521677FB332ECC6F5B305A4648987397772ED32AA4AF2889C9
Malicious:	false
Preview:	00 = U+0000 ..01 = U+0001 ..02 = U+0002 ..03 = U+0003 ..04 = U+0004 ..05 = U+0005 ..06 = U+0006 ..07 = U+0007 ..08 = U+0008 ..09 = U+0009 ..0A = U+000A ..0B = U+000B ..0C = U+000C ..0D = U+000D ..0E = U+000E ..0F = U+000F ..10 = U+0010 ..11 = U+0011 ..12 = U+0012 ..13 = U+0013 ..14 = U+0014 ..15 = U+0015 ..16 = U+0016 ..17 = U+0017 ..18 = U+0018 ..19 = U+0019 ..1A = U+001A ..1B = U+001B ..1C = U+001C ..1D = U+001D ..1E = U+001E ..1F = U+001F ..20 = U+0020 ..21 = U+0021 ..22 = U+0022 ..23 = U+0023 ..24 = U+0024 ..25 = U+0025 ..26 = U+0026 ..27 = U+0027 ..28 = U+0028 ..29 = U+0029 ..2A = U+002A ..2B = U+002B ..2C = U+002C ..2D = U+002D ..2E = U+002E ..2F = U+002F ..30 = U+0030 ..31 = U+0031 ..32 = U+0032 ..33 = U+0033 ..34 = U+0034 ..35 = U+0035 ..36 = U+0036 ..37 = U+0037 ..38 = U+0038 ..39 = U+0039 ..3A = U+003A ..3B = U+003B ..3C = U+003C ..3D = U+003D ..3E = U+003E ..3F = U+003F ..40 = U+0040 ..41 = U+0041 ..42 = U+0042 ..43 = U+0043 ..44 = U+0044 ..45 = U+0045 ..46 = U+0046 ..47 = U

C:\Program Files (x86)\ZOC5\unicode\437.tbl

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.893517111310728
Encrypted:	false
SSDEEP:	96:WlzXcRCUa1nkSZJ66qec80u4xnLafeT4RHvuqKPLJ:QclaVhNx4ZsbpvufV
MD5:	091A27A96C313FFB7AF1099E40F13E5B
SHA1:	4038CBAF21CC3A8ABF05FCC80B8844468C11097F
SHA-256:	6FA8E1B0B6BC6BB1DDA32850BB00EEFAF87BFFF829BBDDD9A1989A8A5DA48A2D
SHA-512:	14C816A23CF363F513C1AC1E2DCEAB8872766A207F01926A0304E0E3737BF88BFFC03432E117611BBE69B3645692B34157596D618CD8CB79D29003EBEEC0EBEC
Malicious:	false
Preview:	00 = U+0000 ..01 = U+0001 ..02 = U+0002 ..03 = U+0003 ..04 = U+0004 ..05 = U+0005 ..06 = U+0006 ..07 = U+0007 ..08 = U+0008 ..09 = U+0009 ..0A = U+000A ..0B = U+000B ..0C = U+000C ..0D = U+000D ..0E = U+000E ..0F = U+000F ..10 = U+0010 ..11 = U+0011 ..12 = U+0012 ..13 = U+0013 ..14 = U+0014 ..15 = U+0015 ..16 = U+0016 ..17 = U+0017 ..18 = U+0018 ..19 = U+0019 ..1A = U+001A ..1B = U+001B ..1C = U+001C ..1D = U+001D ..1E = U+001E ..1F = U+001F ..20 = U+0020 ..21 = U+0021 ..22 = U+0022 ..23 = U+0023 ..24 = U+0024 ..25 = U+0025 ..26 = U+0026 ..27 = U+0027 ..28 = U+0028 ..29 = U+0029 ..2A = U+002A ..2B = U+002B ..2C = U+002C ..2D = U+002D ..2E = U+002E ..2F = U+002F ..30 = U+0030 ..31 = U+0031 ..32 = U+0032 ..33 = U+0033 ..34 = U+0034 ..35 = U+0035 ..36 = U+0036 ..37 = U+0037 ..38 = U+0038 ..39 = U+0039 ..3A = U+003A ..3B = U+003B ..3C = U+003C ..3D = U+003D ..3E = U+003E ..3F = U+003F ..40 = U+0040 ..41 = U+0041 ..42 = U+0042 ..43 = U+0043 ..44 = U+0044 ..45 = U+0045 ..46 = U+0046 ..47 = U

C:\Program Files (x86)\ZOC5\unicode\737.tbl

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	9875
Entropy (8bit):	4.726104058969953
Encrypted:	false
SSDEEP:	192:6K6zkmcIZ3h9Xhz3/y9Xfteq7/JrhNa/ZCzPOYJs1jt:47cU3bX13/2ftPJN8/PYa
MD5:	3EF08BF1102CE7D716F76ABF21B23A15
SHA1:	FEBF6E505706AADF89624398719B315B2A074D94
SHA-256:	B00B8F90682D829D0D3C2344F9AF3E685C9A82B0CAC2F38636F354FF7078A0A1
SHA-512:	4DD83532012413EBC5557ED4FFBEC96CABD20F70EF2947F0A25F6E2DC820B33186C63A64F55D42632CF3CD14F67E5CC4BC7875454461D8950B1F7F099E1CFC56
Malicious:	false
Preview:	// Microsoft Windows OEM Codepage : 737 (Greek)....00 = U+0000 : NULL..01 = U+0001 : START OF HEADING..02 = U+0002 : START OF TEXT..03 = U+0003 : END OF TEXT..04 = U+0004 : END OF TRANSMISSION..05 = U+0005 : ENQUIRY..06 = U+0006 : ACKNOWLEDGE..07 = U+0007 : BELL..08 = U+0008 : BACKSPACE..09 = U+0009 : HORIZONTAL TABULATION..0A = U+000A : LINE FEED..0B = U+000B : VERTICAL TABULATION..0C = U+000C : FORM FEED..0D = U+000D : CARRIAGE RETURN..0E = U+000E : SHIFT OUT..0F = U+000F : SHIFT IN..10 = U+0010 : DATA LINK ESCAPE..11 = U+0011 : DEVICE CONTROL ONE..12 = U+0012 : DEVICE CONTROL TWO..13 = U+0013 : DEVICE CONTROL THREE..14 = U+0014 : DEVICE CONTROL FOUR..15 = U+0015 : NEGATIVE ACKNOWLEDGE..16 = U+0016 : SYNCHRONOUS IDLE..17 = U+0017 : END OF TRANSMISSION BLOCK..18 = U+0018 : CANCEL..19 = U+0019 : END OF MEDIUM..1A = U+001A : SUBSTITUTE..1B = U+001B : ESCAPE..1C = U+001C : FILE SEPARATOR..1D = U+001D : GROUP SEPARATOR..1E = U+001E : RECORD SEPARATOR..1F = U+001F : UNIT SEPARATOR..20 = U+

C:\Program Files (x86)\ZOC5\unicode\852.tbl

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	10957
Entropy (8bit):	4.816792809535233
Encrypted:	false
SSDEEP:	96:pLsKiAOtZRoql8rBox2/ZW9ZnZ/kUpszwT/V192d/Wb8ZSfoHNkvj2MKddCXIcUb:SKiDZYiRZ1zppTdCnG9iaPphqX4k
MD5:	5328995808A4CE2222C03187AE4A4FC2
SHA1:	2C6AE631E1F57E15690F69E4E511CFFCD7DC1FEF
SHA-256:	BED56B0FBC91965284B743C1EE1CBA15015CCAE1E338374D17BA6DA3FA18C19D
SHA-512:	931C2398964A12AC4A8553853842A5761C644A8B8A2ABDEBDA6D8027C909A96331ADDE3119159117EECE71BDB3572C8275118EC24FA823DD1F17C324F961D5A6
Malicious:	false
Preview:	00 = U+0000 : NULL<br>..01 = U+0001 : START OF HEADING<br>..02 = U+0002 : START OF TEXT<br>..03 = U+0003 : END OF TEXT<br>..04 = U+0004 : END OF TRANSMISSION<br>..05 = U+0005 : ENQUIRY<br>..06 = U+0006 : ACKNOWLEDGE<br>..07 = U+0007 : BELL<br>..08 = U+0008 : BACKSPACE<br>..09 = U+0009 : HORIZONTAL TABULATION<br>..0A = U+000A : LINE FEED<br>..0B = U+000B : VERTICAL TABULATION<br>..0C = U+000C : FORM FEED<br>..0D = U+000D : CARRIAGE RETURN<br>..0E = U+000E : SHIFT OUT<br>..0F = U+000F : SHIFT IN<br>..10 = U+0010 : DATA LINK ESCAPE<br>..11 = U+0011 : DEVICE CONTROL ONE<br>..12 = U+0012 : DEVICE CONTROL TWO<br>..13 = U+0013 : DEVICE CONTROL THREE<br>..14 = U+0014 : DEVICE CONTROL FOUR<br>..15 = U+0015 : NEGATIVE ACKNOWLEDGE<br>..16 = U+0016 : SYNCHRONOUS IDLE<br>..17 = U+0017 : END OF TRANSMISSION BLOCK<br>..18 = U+0018 : CANCEL<br>..19 = U+0019 : END OF MEDIUM<br>..1A = U+001A : SUBSTITUTE<br>..1B = U+001B : ESCAPE<br>..1C = U+001C : FILE SEPARATOR<br>..1D = U+001D : GROUP SEPARATOR<br>..

C:\Program Files (x86)\ZOC5\unicode\866.tbl

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	9789
Entropy (8bit):	4.720534418441563
Encrypted:	false
SSDEEP:	192:VK6zkmcIZ3h9Xhz3/l8EUX4JrhNa/ZCzPMJy:J7cU3bX13/lTJN8/rJy
MD5:	6C1E007E838269CA78EA5D60177086DD
SHA1:	5E484799619C710E15FD26BA2B0370871A231C0F
SHA-256:	36F921F6C8CB8E0C1BA76F8FBA5E641764B01A4CF9FABAAC476ECA3633D57582
SHA-512:	5908A1AAFEDAF737FD4282B065006CBDC8BBFA0AFF7FE52C9ADA93FE011AA8A0E31078CC1910BF5AF3A5992AA9C2CF76EE56F381432056F3720FA234099545B2
Malicious:	false
Preview:	// Microsoft Windows OEM Codepage : 866 (Russian)</h2>....00 = U+0000 : NULL..01 = U+0001 : START OF HEADING..02 = U+0002 : START OF TEXT..03 = U+0003 : END OF TEXT..04 = U+0004 : END OF TRANSMISSION..05 = U+0005 : ENQUIRY..06 = U+0006 : ACKNOWLEDGE..07 = U+0007 : BELL..08 = U+0008 : BACKSPACE..09 = U+0009 : HORIZONTAL TABULATION..0A = U+000A : LINE FEED..0B = U+000B : VERTICAL TABULATION..0C = U+000C : FORM FEED..0D = U+000D : CARRIAGE RETURN..0E = U+000E : SHIFT OUT..0F = U+000F : SHIFT IN..10 = U+0010 : DATA LINK ESCAPE..11 = U+0011 : DEVICE CONTROL ONE..12 = U+0012 : DEVICE CONTROL TWO..13 = U+0013 : DEVICE CONTROL THREE..14 = U+0014 : DEVICE CONTROL FOUR..15 = U+0015 : NEGATIVE ACKNOWLEDGE..16 = U+0016 : SYNCHRONOUS IDLE..17 = U+0017 : END OF TRANSMISSION BLOCK..18 = U+0018 : CANCEL..19 = U+0019 : END OF MEDIUM..1A = U+001A : SUBSTITUTE..1B = U+001B : ESCAPE..1C = U+001C : FILE SEPARATOR..1D = U+001D : GROUP SEPARATOR..1E = U+001E : RECORD SEPARATOR..1F = U+001F : UNIT SEPARATOR..

C:\Program Files (x86)\ZOC5\xfrkerm.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	45102
Entropy (8bit):	3.4832637065587106
Encrypted:	false
SSDEEP:	384:RP6hm2D1b3G94Ths//tCGbfECslNCXkBEzwZoUr6:etD1C9DP0cUmwZoUr6
MD5:	29E303CA575C688CEA7603E35E0DCA93
SHA1:	BD6530D9FF511B0BCE6CC3F7F3B4441E50E01E4D
SHA-256:	D959C3BA4F84897B263B755A24C25AF0C6702CE7FA4135589A39A3A747750D82
SHA-512:	A913EC2785726D285D794A7013818C0AFB46E7D53EAF55923138FD33C6D81353023B50657BD7DDD6224CE58347F7D314086EF5C4FFEB8B6BE27DF0640AEB8372
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.X...6...6...6.x.:...6.a.%...6...<...6...2...6...7. .6...=...6...0...6...2...6.Rich..6.................PE..L...`^5I...........!.....P...P.......B.......`.......................................................................a..t.......x.......I............................`.................................................\|............................text...0D.......P.................. ..`.rdata..T....`.......`..............@..@.data...\|....p.......p..............@....idata..............................@....rsrc...I...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\xfrsealink.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	45108
Entropy (8bit):	3.6480363262967668
Encrypted:	false
SSDEEP:	384:LkE+UcvSzoNfOr6DLd/Rl9NqzUUuQ2XkBUFflzos+zK:L0UcvDNWr6Dbl9UznunkB4sB2
MD5:	7079D6CB2CDC274F0C2F514AE039C780
SHA1:	46C2741917D613EAD7246A99DF35230EA6DA8A09
SHA-256:	7767E1AE7F5C12B27CD25ADB6BAC8424DF7245AEE7E0341D2EDD815DCDE1E676
SHA-512:	8309C0139E88FC49E545E677C91E8E9578A479FACF6B4FAEF2C15B71C24F209EAC1DA39C88390CD37E205AE2E08BB04BDAD53544FF16694DB8BC8F80A49FCB8C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............e...e...e...z..e...y..e..xy..e...F...e...E...e...e...e...z...e..Cc...e...z...e..Rich.e..........................PE..L...a^5I...........!.....P...`.......>.......`.......................................................................a..x.......d....................................`...............................................................................text....@.......P.................. ..`.rdata..X....`.......`..............@..@.data...`....p.......p..............@....idata..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\xfrxyz.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65580
Entropy (8bit):	4.668020247244705
Encrypted:	false
SSDEEP:	768:HYSZ+iOMJXDTr2iiTvCjXizWu7UbEjdmVObNhBpA+n7NX5:PZyIavCjS17UbrObNhBpA+n5p
MD5:	C75D57916A02C9229FEC61ACCEE07BAC
SHA1:	9A6906A44A79B0E899416130D37465F3031A3F2E
SHA-256:	DD3B59BBF6083AAD48AA5532A122479DCC1FAC738FFEC684618B6F8C099F8A2D
SHA-512:	31E976D4D5FE2C3DF85FF5E8C6B59303ED2B5700AE9A750BD4B3A466BD3F38D0E12A2109DB9D49EB28A9C850C564FFA846061FBBF41259F997FA6C53C493BAB7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................0............L............[.............[......Rich....................PE..L...a^5I...........!................5z.......................................0..........................................s.......d.......9.................... ..h....................................................................................text....{.......................... ..`.rdata..S...........................@..@.data....I....... ..................@....idata..............................@....rsrc...9........ ..................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\zaphoddll.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	286720
Entropy (8bit):	6.560323791094061
Encrypted:	false
SSDEEP:	6144:1VtILNxAC/UveJ7Cp6b555kUnEwjWp/anXX:14LNyC/UCU6b55yUnE1RaX
MD5:	D32EED4AAB334A215B2AD11FA067F0C2
SHA1:	BA69464CFC72A44C7EFD98A911967F5B201E0276
SHA-256:	86E9DCF2B8DC7CD40B23112A75A9EBA3EB8CCF7781836FFE76E45E3BC55BF60F
SHA-512:	2B2835ED612A8C725CF26C32837165A90DB9F824321FF4790872A58F7E7C47860CC85E8AD9AC4A2B74BE9D679B210245AB4AE9B67AE5E2BC40CAAF737547B535
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6..r..r..r.....p.....b.....u..r..h....u..t..v..r..]....q....a....\|....s..Richr..................PE..L...tW!I...........!.................c.......................................................................................................................`...)...................................................................................text............................... ..`.rdata...).......0..................@..@.data...d........P..................@....reloc...0...`...@... ..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\zoc.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	193976
Entropy (8bit):	5.053087055174888
Encrypted:	false
SSDEEP:	3072:ZGa8U1ia8U1rQP54cV+PgZ5a8U1w+24oqNvjiJH3D2n1YN:BDLDcP5SDw+24oqNGJH3Dp
MD5:	509F8FB9D88C297B45F8B8DFF664FF87
SHA1:	CBAD39989790CF2233E526790EBCC2B75756BC9A
SHA-256:	9180FFF5B288505046BB88526723DB0FA978DAC3A2ECC57913C9B0825ED50A21
SHA-512:	29220F72B64328544B7266DE957084EE559E300C696CB7EE659E9D592E83AD155B16841EFEFE02DF42721CCB09B706EA69710E2E1B4BD4785873D5EB7BC11AAD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................h...................................S.......Rich............PE..L...g^5I..................................... ....@..................................c...............@....................... ..d....@............................................................................... ..t............................text...\|........................... ..`.rdata....... ....... ..............@..@.data...<....0.......0..............@....rsrc........@.......@..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ZOC5\zocdll.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2240549
Entropy (8bit):	5.452693957934987
Encrypted:	false
SSDEEP:	49152:3XumpHM+yDFPZnSgp8Iz5d5doXYR7f2r/gj4DUT35T:3+mpHM+yDdp8Iz5d5doXYR7f2r/gj441
MD5:	99AD2698701C8AC1320867F304C00CE6
SHA1:	ED8F982439ADF8D9783F2D65C6A992FA887222DD
SHA-256:	D38D7E7A7F124AA2387977C6874632883A4C51D576BD6E3A73DF6EA8EE9CD2F7
SHA-512:	1F36D02EEF90C4C77FBC685877006B54F78248D47FECD9FC4275F6561901A6602E01EB6277354648F7F79B162FCBB5EE328590EEDF5E193FC71082D1DCDAC134
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.`..m...m...m...m...m..gq...m..~r...m..q...m...N..bm...M...m...m..o...r..+m..k...m...r...m..Rich.m..........................PE..L...f^5I...........!......... ...............................................0#.....................................0...v............ ...+...................P".....................................................4...0............................text...M........................... ..`.rdata..............................@..@.data...H...........................@....idata...l.......p..................@....rsrc....+... ...0... ..............@..@.reloc..;....P"......P!.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FEA0B4.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
File Type:	data
Category:	dropped
Size (bytes):	145
Entropy (8bit):	5.12116922861803
Encrypted:	false
SSDEEP:	3:ezEzmWXkRL405mOAL4rYQJIADFXHiLpvZR6YfwSV5w0n:e2/XkRL405mJ4r9JfDFXIvZRr95w0n
MD5:	48696193DC0EE3ED4980633C17E2BCD6
SHA1:	BD360013F10CC3CF40B1B5BCC800A2B295BBB23C
SHA-256:	F7F91D3DD3821F2D65C2013ADF7CD711BF6007C650B8F5CF77813D746518EBD8
SHA-512:	183C39DDB0E1901285F4F1E95524BC4A124C0C37983E5C5907F582E1278D86C60E08E9970B03C4EBC19CFA6BAAC1ACF4BF98B6569F4392DEEB02CB2DAAAD2024
Malicious:	false
Preview:	[FE].Name=ZOC Installation.ZipSize=3036850.Exec=.\setup.exe.DefaultPath=$temp$\~emtec~354033.Intro=.URL=.Author=..AutoExtract=1.Delete=1.NoGUI=1.

C:\Users\user\AppData\Local\Temp\~emtec~354033\FILE_ID.DIZ

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	195
Entropy (8bit):	5.0515146867470575
Encrypted:	false
SSDEEP:	3:mbXsW2BoKGLT0GKIiEJYMQ5KdDA22c2xHV+P/3BAIJhyIFovpKhV6PIiceVAWcv:EcW2BXGvCoJMQTPZtjpypSpir2v
MD5:	1A069926B914F82F11423FAD97B14CC0
SHA1:	6ABDF40E4E77A79C9E4FA4EAAB73ED1A813692FD
SHA-256:	11078408D33EC708C18A8D346D3CF9779C830B119F223534752A67B0A13830DF
SHA-512:	2D86ECEFE54CA66F1D4C3742E479C17C97C877AECA7A1D73A79AE16DB2A2B06CE5EA03E56502CA5B96FDDB53CCC680A8EA9FFC47FFF760F76E3B349008443305
Malicious:	false
Preview:	ZOC 5.0 - 32bit Telnet, SSH, Modem and ISDN..comm. application for Windows 9x/ME/NT/2000/XP...Outstanding GUI, solid VT220 and Zmodem, powerful ..scripting, countless options and many features...

C:\Users\user\AppData\Local\Temp\~emtec~354033\advertise_pyrotrans.cfg

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
File Type:	ISO-8859 text, with very long lines (316), with CRLF line terminators
Category:	dropped
Size (bytes):	945
Entropy (8bit):	4.816120057098652
Encrypted:	false
SSDEEP:	24:kUWJSELiTnam2f93rbivK5PpaNWTqyaeYLUkn:kUWJxm2f93r2upQ0CTn
MD5:	4D455C67B52A40D32AEBA2012941B1B4
SHA1:	709765E8B70C6C1F34EF11941CD1DA6812B77626
SHA-256:	4F86C2BB0F72392081BEEA4EA03A51511A74966A1AE3B84BE7A3BE1F91925C3D
SHA-512:	B50AFE0013F500A582798A4AA1744985769A16CC421503EAB005D4BF95B1E007552160CF170040474E81A872C48DB311CD5FB48987C4B6A92465685862B74E5A
Malicious:	false
Preview:	Product=PyroTrans....Teaser1.German=Suchen Sie ein Dateitransfer Tool?..Teaser2.German=Dann sollten Sie unbedingt unser Programm PyroTrans testen!..Description.German=PyroTrans dient dazu per Modem, ISDN oder Internet Dateien automatisiert (z.B. im Rahmen von Warenwirtschaftssystemen) oder manuell (z.B. Au.endienst) zu .bertragen.\r\n\r\nPyroTrans unterst.tzt automatische Kompression und Verschl.sselung der .bertragenen Daten. 30 Tage Testversion mit Support!..Url.German=http://www.emtec.com/pyrotrans/index.htm....Teaser1.English=Do you need a file transfer tool?..Teaser2.English=Then you should definitely test our product PyroTrans!..Description.English=PyroTrans is a program package that allows automated and manual file transfer over Modem, ISDN and the internet.\r\n\r\nIt is a great solution to transfer data between a company headquarter and branch offices or field staff...Url.English=http://www.emtec.com/pyrotrans/index.html..

C:\Users\user\AppData\Local\Temp\~emtec~354033\commandline.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	3.2389012566026314
Encrypted:	false
SSDEEP:	3:d2pcn:d2pcn
MD5:	42D25632DD6D3DC322823A52E533958C
SHA1:	7F63A6C3A2AC5B2971F64F127C769D7E5EE2C236
SHA-256:	3192442BC78F91C7ABAA7AB84DDBEBA9F35FC197001886FFEB58A4712EBA938E
SHA-512:	5E6ACEDFCEB06D38316074AB62ACCA28A5D400F46337E0904D99E828B9AF713F38268AF2F59D40382CA824EE331B20FD437D7D83B4E18913140A939DFDDC8680
Malicious:	false
Preview:	/LANG:ENGL ..

C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.cfg

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	4242
Entropy (8bit):	5.493963837193557
Encrypted:	false
SSDEEP:	96:Vyhx3JoX7i6IjmhgIqeXZ84Z1Clxh/7Sh:Vyh5qIjaqe/mxFi
MD5:	68C45D1D1E6AB31BB71BD8D6B2656CB7
SHA1:	E0906AB53D25C18054C2C970EA3E4BE07C0D528C
SHA-256:	7BFBE6CBD814C2F6A9EE211DEB8FD521DC224E1D34594465E033E015AB6520D2
SHA-512:	B27A6817B9A60939C4B4DA8F30AD82616CD01C28298F6A8AB9C1A2677D9E5A572EAB9959FB121750192115B609D6717D4C9FE67973D7DE8820A2B5E710CC4D71
Malicious:	false
Preview:	//..// ZOC V5 install script..//..AppName=ZOC..AppVersion=5.12..Advertise=advertise_pyrotrans.cfg..IdIcon=100..IniKey=ZOC5....InstallPath=ZOC5..UninstallIcon=ZOC.exe..StartMenuUninstall=1....CopyToDest=Setup.exe\|\|SetupEnglish.Dll\|SetupGerman.Dll\|lizenz.txt\|license.txt....DeleteAfterExtract=Develop.doc\|Versions.doc\|Problems.doc\|Isdn.doc\|Register.doc\|Features.doc\|Readme.doc\|..DeleteAfterExtract_2=emucept.dll\|xfrcept.dll\|xfrcis.dll\|megadodo.dll....ProtectedFiles=.zrx\|.zky\|.zfg\|.ztb\|.ztr\|.zoc\|phonebk\|standard.cfg\|.ini\|newuserprofile/....AskOverwrite=....//..// English..//..WelcomeMsg.English=You are about to install ZOC - a powerful terminal emulator for Windows...FinishMsg.English=Now please start ZOC from the start menu. After starting the program, select Quick Start Guides from the Help menu.....StartmenuName.English=ZOC Terminal 5.1..StartmenuOpts.English=ZOC V5;*Zoc.exe\|Readme;Readme.txt\|Order ZOC;Order.exe\|..StartmenuOpts_2.English=Feature List;Features.txt\|Order Info;Registe

C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	632248
Entropy (8bit):	6.449097954904934
Encrypted:	false
SSDEEP:	6144:1AnAlC5W1ZUfb3OZFpMwDZi2aZW2ENFsypo4xhTGjL1bEfNMDUqTWlpb225NPaoz:1uw8b3OZ3zloWTHgNgFM6b2eUA/
MD5:	51F4C23DB5D7F30E4F2B50AED1851339
SHA1:	43D30BB2CB683CED13BDE7B95976F0562EDF77AC
SHA-256:	9EC8FD7D1C01783F653A49BFA885B0A2DC9882BD068FD5F4A8489A0216635F11
SHA-512:	9E04389378D34E87CAB0C5FC67E719BC45C991CF02AD149C908FD3B816CE235D0AC6AC5E2E493671D1F60000B6FC3D4D03DA5740F7D9A4600EB4F884CD6A58FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<...RQ..RQ..RQ.(/Q..RQV..Q..RQ.,Q..RQV.2Q..RQ..SQ..RQV..Q..RQ.(?Q\.RQ.(<Q..RQ.(.Q..RQ.(Q..RQRich..RQ........................PE..L......I.................0...........f.......@....@..................................r...............................................@..............................pE...............................B..@............@..t............................text...!%.......0.................. ..`.rdata...x...@.......@..............@..@.data....{.......@..................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.fil

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	2675963
Entropy (8bit):	7.997487616975496
Encrypted:	true
SSDEEP:	49152:2h++BnIgUSaW2QVRoAKfpxxjTmgl8GS55UnxM5cZaYAEgtUfIFzHAIhyIpg2ikJg:2gKIA8Q/RKfpXTB8J5inxM5E+5WIhyII
MD5:	FFE4ECFAC22C616DAC175E77CF4FF9F2
SHA1:	527E616306C4948929EF9F57B082C622FBF70F80
SHA-256:	D2E26BEF94580AD8A32284B598B69624148B5ECB69D91066F12D07CD6C8B64BA
SHA-512:	CA06DB3A0E587CE806428C606CB2109C8A9D8A94FFAEBF629B5F901EA15DC42050D8AA99461B4963261DB4EF93A70B228DD452101CD4C6A91B30A86DFDA2BDA8
Malicious:	false
Preview:	PK...........9oE.+D...........admin$$$.ini.V]o.9.}...`!E...l.}..C6$J.A...]...x..`OmO...{.....m7..x\|.\|.9...EfM......uB.km..N....Z.u....w..+.aW.r.Z.,hk.F......]:..^...2...,K.....5.-._I.r....../..z..~?......#_.B6...;[...I....=.\..V.l...8...R..t&..u.P@...re.....uUY...Xb..y...2A.?:..[.q.........Lt...c..-s.z}..N......L.....ty..<.~j7.h....:.=..~.=N.r..H...a'.6..>.k#.........Dg...\A..F..N......].q...`I.p&.s..06.......MY.B.@.)I8J.GD.Fm((pa.5..J...A.u.... ......X(.LFQ.A...{.t..@.l<3i(.S..........kY.9#aP......a.X.H0?.o,.(.t.@D.S.Q.......E>.Mw.-a...-9.w.....l....<.....\|P...o@... l...j..v.8....`cJ..%.]..t..@T..y..........-..9[.}Z.....(..)P.n..,H.M..7.j?...G0..m..O.$..I<...........%q.u..yR:.T/RhO.SJs....8..`......D%PY9..5.>.. ..K'.)K.....Q....Q9.&,.B...s..,....Xbs[.. r..h........C.....!.C...H.,...s..t..j...N.3..p.....Y......i...u....O..?.yp).r...\..B.t....x..y...-.;...x-.?.vOl..c.f....D../.0.h....@...RcCQ..a.W.d)Br5...^...$..~._l.....#.O.Ib..!.4.W.

C:\Users\user\AppData\Local\Temp\~emtec~354033\setupenglish.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	4.596786790402431
Encrypted:	false
SSDEEP:	1536:FnoitMmU499/Mh9muec5Dnz9hwY3JbScGPaVLHO4:p7tO4WmYzbwY3FnGPaU4
MD5:	0AD002F80572C02A9F746E8420D8084F
SHA1:	AF1921A44FDBE9A2E640782B38CF49B4B19C6B5A
SHA-256:	5D3A66975C924437CFCFD75F4D5129C17BFAC8917BD58D5620D92718F556B662
SHA-512:	38AC70A30AA67948CC59B0B0410056F59FDA18E3928A1BB6A9CE5197ACE30B31C10228F7F138B3632825C2F3B4F01B912C4C572A6DEAE884EFBB65BD5571A00E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L....z.I...........!.........p...........................................................................................................^...................p.......................................................................................rsrc....^.......`..................@..@.reloc.......p.......p..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~emtec~354033\setupgerman.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	102400
Entropy (8bit):	4.445942285482228
Encrypted:	false
SSDEEP:	3072:u+7tO4R3odQuMV/ejSX7p99mymYzbwY3FnGPhREP7jdIMrbMKiwssMSIcrqQGvX5:xpbp1T31GP
MD5:	360E58DD2B63F5C097E228268272349C
SHA1:	A1EA8CECC3155227B89B0001D3EB8730D2906A64
SHA-256:	F1A99F390734DE85EF6FF7ED8A50A6BB268BA7A07D781E837743883695B36226
SHA-512:	465084056F9F08F0589D11D1A7A1F92D580CF84A582F7F39DFD2D7321124C4F7349DDB319BD9747AC7ACC13644D6C35A5CA2076D994494B1784BE647D273A7E0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L....z.I...........!....................................................................................................................x`...........................................................................................................rsrc...x`.......p..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Developers Readme.LNK

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Tue Apr 23 19:27:09 2024, mtime=Tue Apr 23 19:27:09 2024, atime=Tue Dec 2 14:12:32 2008, length=1443, window=hide
Category:	dropped
Size (bytes):	1113
Entropy (8bit):	4.60053670214484
Encrypted:	false
SSDEEP:	24:8vzhEEHdOEfKkju3qtsAuiAwM9xdtS3OdtFoUUnqrqygm:8vzdHdOWjueruV9xdtS3OdtF9Cyg
MD5:	80736754FA7D4A8383B8BC321DC8769A
SHA1:	74056A0CB2FD9CAFB8A265E7C0385AEF8437A0F4
SHA-256:	4163684A66D8CC9C8CFEEB5F2709BCE7138824C0841F0846F7E9F247121C1EBE
SHA-512:	1EB8C6E8F21E5BC3FCB0FBB258315FEB6BEDB10962A78E7F5F01C6C16ADE2EB4FF5B5DA58ECA08CC93B8EC56DD103992473426416406EE2EA357AC7C48D0E316
Malicious:	false
Preview:	L..................F.... ....F......V..........e.T..........................w....P.O. .:i.....+00.../C:\.....................1......Xe...PROGRA~2.........O.I.Xe.....................V.....B..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....N.1......Xg...ZOC5..:......Xe..Xg...........................p2..Z.O.C.5.....b.2......9.y .Develop.txt.H......Xe..Xe.....H.........................D.e.v.e.l.o.p...t.x.t.......V...............-.......U............2.[.....C:\Program Files (x86)\ZOC5\Develop.txt....D.e.v.e.l.o.p.e.r.s. .R.e.a.d.m.e.?.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.\.D.e.v.e.l.o.p...t.x.t...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.........................@Z\|...K.J.........`.......X.......549163...........hT..CrF.f4... ..2=.b...,...W..hT..CrF.f4... ..2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Feature List.LNK

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Tue Apr 23 19:27:11 2024, mtime=Tue Apr 23 19:27:11 2024, atime=Tue Dec 2 14:12:32 2008, length=2241, window=hide
Category:	dropped
Size (bytes):	1110
Entropy (8bit):	4.6034484806113944
Encrypted:	false
SSDEEP:	24:8Vk4/khhEEHdOEfKkjPyA7dqdthLdtFoUUnqDqygm:8VkykhdHdOWjPR7dqdt9dtF9ayg
MD5:	B0783BED4BF6F194DE61C4C5908E2E40
SHA1:	6E82B648065BDAF5F93AE293A87C304D75E1F13F
SHA-256:	DD7F0702426D927C9B74536E781D9D3ED8D83852C487D99B60CD2733F60B48EF
SHA-512:	DFC970B15D6BBABC87E22E0E6ADDA295B66737BD608D4CBD31E18FD55F83E18A1FEE9D6D406D8BF0B18658D9A93E64E94A401565BEBF335C05D3200175823CB9
Malicious:	false
Preview:	L..................F.... ..................e.T..........................{....P.O. .:i.....+00.../C:\.....................1......Xe...PROGRA~2.........O.I.Xe.....................V.....B..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....N.1......Xg...ZOC5..:......Xe..Xg...........................p2..Z.O.C.5.....f.2......9.y .Features.txt..J......Xf..Xf...............................F.e.a.t.u.r.e.s...t.x.t.......W...............-.......V............2.[.....C:\Program Files (x86)\ZOC5\Features.txt....F.e.a.t.u.r.e. .L.i.s.t.@.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.\.F.e.a.t.u.r.e.s...t.x.t...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.........................@Z\|...K.J.........`.......X.......549163...........hT..CrF.f4... ..2=.b...,...W..hT..CrF.f4... ..2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Homepage EmTec.URL

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	Generic INItialization configuration [InternetShortcut]
Category:	dropped
Size (bytes):	110
Entropy (8bit):	4.673677798013546
Encrypted:	false
SSDEEP:	3:J25YdimVVG/VClAWMtqRAbABGQEZag0S4jAGyGyn:J254vVG/4xtOFJQgr48Gynn
MD5:	6CB3E336D452A00ED1EE66A8886AAB21
SHA1:	96AD0F7E342A722E9AE3749DA30B995F0D6BACBA
SHA-256:	C130FC959C7B75B2D84BD4C5DC7CFC340DB4F5E9DCD1792513B17D7178A0783F
SHA-512:	F2BAE454150217334E1566D15C46D849EF55DCFAE3B50FEF6BD42AF8EFA4F8B1005E4E8579D4EC020FDB85D8D99BADF1F865E4E7F0C39EDB15C92B73AC5E7B31
Malicious:	false
Preview:	[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,2..[InternetShortcut]..IDList=..URL=http://www.emtec.com/..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Homepage ZOC.URL

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	Generic INItialization configuration [InternetShortcut]
Category:	dropped
Size (bytes):	124
Entropy (8bit):	4.835334506388458
Encrypted:	false
SSDEEP:	3:J25YdimVVG/VClAWMtqRAbABGQEZag0S4jAGyGO/vn:J254vVG/4xtOFJQgr48Gyh/v
MD5:	FA75E6151DC036CFD990FC017EF0455F
SHA1:	2CC2510A963C07688D5B27778AF8CC435CDD39F2
SHA-256:	E6FADD46EEEED71D8742881A7DFD53489C0EF3869AEA87246A3BA45755663D2F
SHA-512:	9BA6E444964A307A5ACA017FA23E8B27D39E928C1623CA879B652A62AE2E7294FFCF1E44499C6463BE2D97F4E057ED02E69783D86BBC369941EC740A81EC4985
Malicious:	false
Preview:	[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,2..[InternetShortcut]..IDList=..URL=http://www.emtec.com/zoc/index.html..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Order Info.LNK

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Tue Apr 23 19:27:12 2024, mtime=Tue Apr 23 19:27:12 2024, atime=Tue Dec 2 14:12:32 2008, length=1989, window=hide
Category:	dropped
Size (bytes):	1106
Entropy (8bit):	4.601181314073569
Encrypted:	false
SSDEEP:	24:83hEEHdOEfKkjSXjjyA7dX2DJdtTPdtFoUUnqXqygm:83dHdOWjkPR7V2DJdtzdtF9+yg
MD5:	8EBC3AC48A8DD3BACBD8126350D21D57
SHA1:	3D8B588223C3EBCD33D610F6FB5BFA3BEE81FA38
SHA-256:	FBB635938939F6BC519B2D2093E30DBA9BB38EE5D031A84BD3E3303EDFFDBD29
SHA-512:	3DA5A7E1FCB3FC06728123C7730469EEA8BF083EF7A47C9163218312C0E003BF5C581A777E243C3A55FFE489B457F1A941CF652CDFFCBB6B22D1D640FDF1B92E
Malicious:	false
Preview:	L..................F.... ..._.S....._.S........e.T..........................{....P.O. .:i.....+00.../C:\.....................1......Xe...PROGRA~2.........O.I.Xe.....................V.....B..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....N.1......Xg...ZOC5..:......Xe..Xg...........................p2..Z.O.C.5.....f.2......9.y .Register.txt..J......Xg..Xg......B........................R.e.g.i.s.t.e.r...t.x.t.......W...............-.......V............2.[.....C:\Program Files (x86)\ZOC5\Register.txt....O.r.d.e.r. .I.n.f.o.@.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.\.R.e.g.i.s.t.e.r...t.x.t...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.........................@Z\|...K.J.........`.......X.......549163...........hT..CrF.f4... ..2=.b...,...W..hT..CrF.f4... ..2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Order ZOC.LNK

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Tue Apr 23 19:27:11 2024, mtime=Tue Apr 23 19:27:11 2024, atime=Tue Dec 2 14:12:32 2008, length=116152, window=hide
Category:	dropped
Size (bytes):	1085
Entropy (8bit):	4.56615611481461
Encrypted:	false
SSDEEP:	24:87z/hEEHdOEfKkjVA69MidtsdtFoUUnqrqygm:8P/dHdOWj+69BdtsdtF9Syg
MD5:	E3C8441A37459AC8E6D638D619A575A6
SHA1:	A690F4778E751E99E07B3068813F107052DC5956
SHA-256:	198C3C59B337D23D5BDF499228AFBCBF9FC8C3F25832D2A05D2F24713F1E6EAB
SHA-512:	6AB327436CB2C9E5C06D99E4ADCCB44E4F0C5012F8A5C117BF951FA7634EE229E523D7D7BF595D66B10B5E8DE589D32A419E5A785A39DCE23F64136528BF1B16
Malicious:	false
Preview:	L..................F.... ...7.L.....7.L........e.T..........................q....P.O. .:i.....+00.../C:\.....................1......Xe...PROGRA~2.........O.I.Xe.....................V.....B..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....N.1......Xg...ZOC5..:......Xe..Xg...........................p2..Z.O.C.5.....\.2......9.y .order.exe.D......Xf..Xf......B........................o.r.d.e.r...e.x.e.......T...............-.......S............2.[.....C:\Program Files (x86)\ZOC5\order.exe....O.r.d.e.r. .Z.O.C.=.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.\.o.r.d.e.r...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.........................@Z\|...K.J.........`.......X.......549163...........hT..CrF.f4... ..2=.b...,...W..hT..CrF.f4... ..2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Readme.LNK

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Tue Apr 23 19:27:12 2024, mtime=Tue Apr 23 19:27:12 2024, atime=Tue Dec 2 14:12:32 2008, length=4520, window=hide
Category:	dropped
Size (bytes):	1086
Entropy (8bit):	4.603264787045148
Encrypted:	false
SSDEEP:	24:8GhEEHdOEfKkjSnaA5ddtVKdtFoUUnqXoiqygm:8GdHdOWjSnJ5ddtodtF9+yg
MD5:	FAA57185FE438991FC4C5E6F68229A99
SHA1:	2C9B0E5118E3EFC1AB9A638C36ADA1928077C46A
SHA-256:	B2237F2CC834A691877CC09DB028FBD96E6633F477F0F4C6658A863204E5CD7B
SHA-512:	28BAEEEB8626B5AE533EFBCB0FFDD17D3893FC451D88EBEFFE7A163DF11AED4D4A05537686B13EFF394F06C73F8A17661D0ECBB869D9C718A797B6BEFB2F623B
Malicious:	false
Preview:	L..................F.... ..._.S....._.S........e.T..........................u....P.O. .:i.....+00.../C:\.....................1......Xe...PROGRA~2.........O.I.Xe.....................V.....B..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....N.1......Xg...ZOC5..:......Xe..Xg...........................p2..Z.O.C.5.....`.2......9.y .Readme.txt..F......Xg..Xg......B........................R.e.a.d.m.e...t.x.t.......U...............-.......T............2.[.....C:\Program Files (x86)\ZOC5\Readme.txt....R.e.a.d.m.e.>.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.\.R.e.a.d.m.e...t.x.t...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.........................@Z\|...K.J.........`.......X.......549163...........hT..CrF.f4... ..2=.b...,...W..hT..CrF.f4... ..2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Uninstall ZOC.LNK

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=1, Archive, ctime=Tue Apr 23 19:27:12 2024, mtime=Tue Apr 23 19:27:12 2024, atime=Tue Apr 23 19:27:12 2024, length=632248, window=hide
Category:	dropped
Size (bytes):	1983
Entropy (8bit):	3.2872853130828465
Encrypted:	false
SSDEEP:	24:8SQ/hEEHdOEfKkjRA69XRidttdtDedt8Et88UUnqHqygm:8l/dHdOWji69XEdttdtDedt8Et8pOyg
MD5:	F7E031B599F1EEC042DFC4BECDC02EC6
SHA1:	11D265E73C1959B9CBF679EE73CDAE54F9059794
SHA-256:	F0D48E817BFDAE85D833D9744FF29E23B6448CFE098B41CF3E0F72DA13CD7ADE
SHA-512:	0387FE68E37BD7C4C065242D8D3DBAD75D743A12209240736DCD8A81DC7C8679B9C66E3750F75FB08D65DD260F898A7A3646FC37B138D23E757B5F09642CD65E
Malicious:	false
Preview:	L..................F.@.. ....E.......E.......E..............................q....P.O. .:i.....+00.../C:\.....................1......Xe...PROGRA~2.........O.I.Xe.....................V.....B..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....N.1......Xg...ZOC5..:......Xe..Xg...........................p2..Z.O.C.5.....\.2......Xg. .Setup.exe.D......Xg..Xg..............................S.e.t.u.p...e.x.e.......T...............-.......S............2.[.....C:\Program Files (x86)\ZOC5\Setup.exe....U.n.i.n.s.t.a.l.l. .Z.O.C.=.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.\.S.e.t.u.p...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5...-.r.e.m.o.v.e. .Z.O.C.5.%.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.\.s.e.t.u.p...e.x.e.........%ProgramFiles%\ZOC5\setup.exe..........................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\Version History.LNK

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Tue Apr 23 19:27:12 2024, mtime=Tue Apr 23 19:27:12 2024, atime=Tue Dec 2 14:12:32 2008, length=24806, window=hide
Category:	dropped
Size (bytes):	1116
Entropy (8bit):	4.606505189576835
Encrypted:	false
SSDEEP:	24:82wD3hEEHdOEfKkjv9yA7SMdtdRdtFoUUnqnqygm:82wbdHdOWjv9R7SMdtdRdtF9Oyg
MD5:	49FF351E0706C1EE67FE3E0FFC5E8574
SHA1:	7042BB5360FE5BEE677B739650C7A7956C3D371D
SHA-256:	B7150957E313D74CEB9BA34ED9E9D13CFF63F6B696E6441433446559C12009D5
SHA-512:	E6FC386827C5C2FE92BB71E175DAB6BCABE2D360B275F61DA6F886FC1F5E2C0A2C84F1F63C6CF7133EFA69EC5DDF3CD4CF5DFCB285B3265BB47868E11657E140
Malicious:	false
Preview:	L..................F.... .....y.......y........e.T...`......................{....P.O. .:i.....+00.../C:\.....................1......Xe...PROGRA~2.........O.I.Xe.....................V.....B..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....N.1......Xg...ZOC5..:......Xe..Xg...........................p2..Z.O.C.5.....f.2..`...9.y .Versions.txt..J......Xg..Xg......B........................V.e.r.s.i.o.n.s...t.x.t.......W...............-.......V............2.[.....C:\Program Files (x86)\ZOC5\Versions.txt....V.e.r.s.i.o.n. .H.i.s.t.o.r.y.@.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.\.V.e.r.s.i.o.n.s...t.x.t...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.........................@Z\|...K.J.........`.......X.......549163...........hT..CrF.f4... ..2=.b...,...W..hT..CrF.f4... ..2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\ZOC Command Line Parameters.LNK

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=23, Archive, ctime=Sat Dec 7 08:10:00 2019, mtime=Tue Apr 23 19:27:23 2024, atime=Sat Dec 7 08:10:00 2019, length=16384, window=hide
Category:	dropped
Size (bytes):	1986
Entropy (8bit):	3.2943549112386434
Encrypted:	false
SSDEEP:	24:8Tt/ei05jEQAhhb/QH+/8dtpMHpbNdtRbtE4qzqygm:8TZPznbszdt8bNdtRbt9yg
MD5:	4758C395286C395F9CA645B1569B1B91
SHA1:	D9DB398E3780DA0C4B1E15B37EFBCB890FE6D148
SHA-256:	4652A57F6F2D8EF3BD93A0871DB0B421D9E8133971D60952F816AF16C7DE97A9
SHA-512:	1426B0CBD1E24B3E65527C9B0C4B4D95E27A6CB7B6C7B68A446D437541B0AC630807B1ACEC737AF31021DFD821368608E756EE2B0C88A20CCDA390A6590DDF19
Malicious:	false
Preview:	L..................F.@.. .....}......,.......}.....@......................3....P.O. .:i.....+00.../C:\...................V.1.....DW.r..Windows.@......OwH.XY.....3......................`.W.i.n.d.o.w.s.....Z.1......XW...System32..B......OwH.XY...............................S.y.s.t.e.m.3.2.....T.2..@...OAI .hh.exe..>......OAI.Xl...../...........\|.........zF..h.h...e.x.e.......I...............-.......H............2.[.....C:\Windows\System32\hh.exe....Z.O.C. .C.o.m.m.a.n.d. .L.i.n.e. .P.a.r.a.m.e.t.e.r.s.2.....\.....\.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.h.h...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.-.m.k.:.@.M.S.I.T.S.t.o.r.e.:.z.o.c...c.h.m.:.:./.h.t.m.l./.t.o.p.i.c.-.1.0.2.4.0...h.t.m.l.'.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.\.s.h.e.l.l.3.2...d.l.l.........%ProgramFiles%\ZOC5\shell32.dll.....................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\ZOC Help File.LNK

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=23, Archive, ctime=Sat Dec 7 08:10:00 2019, mtime=Tue Apr 23 19:27:23 2024, atime=Sat Dec 7 08:10:00 2019, length=16384, window=hide
Category:	dropped
Size (bytes):	1882
Entropy (8bit):	3.241858879090757
Encrypted:	false
SSDEEP:	24:8TT/ei05jEQAhhPw7+/8dtWqdtRbtE4qzqygm:8TzPznbwdtWqdtRbt9yg
MD5:	6E3034811BBE95108B717484047212C0
SHA1:	6164E5A4C58559170E032AF2B81A6A7A6CA384E2
SHA-256:	0E436169A90352790960B7FCC68B4EE8ADF0F7C5648A15383AFE1C56DB823A9B
SHA-512:	E960A285EBC9047A05E7B29DB1F3AFD42D57F95B40DADB9B6893F5C509EF959C084C52769514F16243779E5CD54F1BBA1802F9209E062D3321067B1EA73C4536
Malicious:	false
Preview:	L..................F.@.. .....}....n.".......}.....@......................3....P.O. .:i.....+00.../C:\...................V.1.....DW.r..Windows.@......OwH.XY.....3......................`.W.i.n.d.o.w.s.....Z.1......XW...System32..B......OwH.XY...............................S.y.s.t.e.m.3.2.....T.2..@...OAI .hh.exe..>......OAI.Xl...../...........\|.........zF..h.h...e.x.e.......I...............-.......H............2.[.....C:\Windows\System32\hh.exe....Z.O.C. .H.e.l.p. .F.i.l.e.2.....\.....\.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.h.h...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5...z.o.c...c.h.m.'.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.\.s.h.e.l.l.3.2...d.l.l.........%ProgramFiles%\ZOC5\shell32.dll.............................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\ZOC Quick Start Guides.LNK

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=23, Archive, ctime=Sat Dec 7 08:10:00 2019, mtime=Tue Apr 23 19:27:23 2024, atime=Sat Dec 7 08:10:00 2019, length=16384, window=hide
Category:	dropped
Size (bytes):	1976
Entropy (8bit):	3.2984006456132944
Encrypted:	false
SSDEEP:	24:8Tt/ei05jEQAhhjQ+/8dtpMHpbLdtRbtE4qzqygm:8TZPznbj8dt8bLdtRbt9yg
MD5:	69642849C5C1C2B8646878A51356D2FB
SHA1:	79A32046240CE158D488538EB2B910CCB252B5F6
SHA-256:	778FE7B9A1C75D8E5534C0DBD02F60E795AE36E401EB0533A439D71E29B7C018
SHA-512:	DD767793BB6CDE03AF5CE7CA1615EA8550347030E95ABD59473A71851729C0BB13EC963B73E4404F8D2306ED408A7D27DA08B2BCCF36EF39902E28B2E930DC6A
Malicious:	false
Preview:	L..................F.@.. .....}......,.......}.....@......................3....P.O. .:i.....+00.../C:\...................V.1.....DW.r..Windows.@......OwH.XY.....3......................`.W.i.n.d.o.w.s.....Z.1......XW...System32..B......OwH.XY...............................S.y.s.t.e.m.3.2.....T.2..@...OAI .hh.exe..>......OAI.Xl...../...........\|.........zF..h.h...e.x.e.......I...............-.......H............2.[.....C:\Windows\System32\hh.exe....Z.O.C. .Q.u.i.c.k. .S.t.a.r.t. .G.u.i.d.e.s.2.....\.....\.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.h.h...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.-.m.k.:.@.M.S.I.T.S.t.o.r.e.:.z.o.c...c.h.m.:.:./.h.t.m.l./.t.o.p.i.c.-.1.0.2.2.0...h.t.m.l.'.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.\.s.h.e.l.l.3.2...d.l.l.........%ProgramFiles%\ZOC5\shell32.dll...............................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZOC Terminal 5.1\ZOC V5.LNK

Download File

Process:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Tue Apr 23 19:27:12 2024, mtime=Tue Apr 23 19:27:12 2024, atime=Tue Dec 2 14:12:46 2008, length=193976, window=hide
Category:	dropped
Size (bytes):	1067
Entropy (8bit):	4.619991148111069
Encrypted:	false
SSDEEP:	24:8gAhEEHdOEfKWU7A6DZdtUdtFoUUnqTqygm:83dHdO8t69dtUdtF96yg
MD5:	434000FA03D8F6ADEF8306FD35550E36
SHA1:	6B497967BEA844F7392C1396E81384B0CB634A81
SHA-256:	A73B6CA1E09CB7B3DB82507C2883BFFFB0143C8E12E06605FDC07531DF981B2B
SHA-512:	999CF4C942A41691548ECDBF32CC181ECA8CAE52D7B7706F54991F49E9ED4339C648D36EDDB66CFE7481378E41A85581200B88748E32633D210A0E5E22E85C62
Malicious:	false
Preview:	L..................F.... ...?3......?3.......+Wn.T..........................k....P.O. .:i.....+00.../C:\.....................1......Xe...PROGRA~2.........O.I.Xe.....................V.....B..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....N.1......Xg...ZOC5..:......Xe..Xg...............................Z.O.C.5.....V.2......9.y .zoc.exe.@......Xg..Xg......B........................z.o.c...e.x.e.......R...............-.......Q............2.[.....C:\Program Files (x86)\ZOC5\zoc.exe....Z.O.C. .V.5.;.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.\.z.o.c...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.Z.O.C.5.........................@Z\|...K.J.........`.......X.......549163...........hT..CrF.f4... ..2=.b...,...W..hT..CrF.f4... ..2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.994205663318143
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
File size:	3'113'216 bytes
MD5:	a3bd864b819f0dc53482b5e06ffef509
SHA1:	9a2594c8af8a053d698c1d96bf828286846cc066
SHA256:	a7b222438781b93d33725b049c45112df2f76e267af62406098613e635dc3c31
SHA512:	d303221365f16077306f125b74205c556f966f1012987ccea51af5e271d09cd8cd20ff72ec87fcda8109e03c73694225914d5669e2faa246ccdb975ae1bc1a85
SSDEEP:	49152:6c/aaEhWJZDGBYUI/xz2jKDdRYm0lGK85unKygx2Uv6/t90eQpQgi1+D+IaeIBF/:6Gaa9JZDiKYjKD/YZG7Yncx274eQyPHR
TLSH:	3BE533885633ED7AD15141333098EFB617F1EF1518AAC88EBB244929DF572EE13E6348
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........b..............<q......<b.....y.Q.........;....<a......<p......<t.....Rich............PE..L...Wz.I...........................

File Icon


Icon Hash:	274f191311591130

Static PE Info

General

Entrypoint:	0x402877
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x492E7A57 [Thu Nov 27 10:45:43 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	213fe6a5665e289e7aca3924945b347c

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Thawte Code Signing CA, O=Thawte Consulting (Pty) Ltd., C=ZA
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	07/07/2008 02:00:00 25/08/2010 01:59:59
Subject Chain	CN=Markus Schmidt, OU=SECURE APPLICATION DEVELOPMENT, O=Markus Schmidt, L=Nuernberg, S=Bayern, C=DE
Version:	3
Thumbprint MD5:	ECBB447782CBBD6DC5A773BD2056A187
Thumbprint SHA-1:	0FD932F6AC4D3E4581ADBB4232A8EC271F23726E
Thumbprint SHA-256:	905ECE5619EFD348A08ED6E460695A3642482924585BFF3DCC36A195C2732F24
Serial:	6DA9806F04CEC108C0A2D73642DC4A1F

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 44h
push esi
call dword ptr [0040B0A0h]
mov esi, eax
mov al, byte ptr [esi]
cmp al, 22h
jne 00007FA360B6B913h
cmp al, 22h
je 00007FA360B6B91Fh
inc esi
mov al, byte ptr [esi]
test al, al
jne 00007FA360B6B8F7h
cmp al, 22h
jne 00007FA360B6B915h
jmp 00007FA360B6B912h
cmp al, 20h
jle 00007FA360B6B90Fh
inc esi
cmp byte ptr [esi], 00000020h
jnle 00007FA360B6B8FCh
jmp 00007FA360B6B907h
cmp al, 20h
jnle 00007FA360B6B909h
inc esi
mov al, byte ptr [esi]
test al, al
jne 00007FA360B6B8F7h
and dword ptr [ebp-18h], 00000000h
lea eax, dword ptr [ebp-44h]
push eax
call dword ptr [0040B09Ch]
test byte ptr [ebp-18h], 00000001h
je 00007FA360B6B908h
movzx eax, word ptr [ebp-14h]
jmp 00007FA360B6B905h
push 0000000Ah
pop eax
push eax
push esi
push 00000000h
push 00000000h
call dword ptr [0040B098h]
push eax
call 00007FA360B6B7D8h
int3
mov eax, dword ptr [esp+04h]
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
ret
push esi
push 00000004h
push 00001000h
push 00000104h
push 00000000h
call dword ptr [0040B018h]
mov esi, eax
test esi, esi
jne 00007FA360B6B904h
pop esi
ret
push dword ptr [esp+0Ch]
push esi
call dword ptr [0040B024h]
mov eax, dword ptr [esp+08h]
mov ecx, dword ptr [eax]
test ecx, ecx
jne 00007FA360B6B90Ah
and dword ptr [esi+00000100h], ecx
jmp 00007FA360B6B908h
mov dword ptr [esi+00000100h], ecx
inc dword ptr [eax+04h]
mov dword ptr [eax], esi
xor eax, eax
inc eax
pop esi
ret
mov eax, dword ptr [esp+04h]

Rich Headers

Programming Language:

[ASM] VS2005 build 50727
[C++] VS2005 build 50727
[ C ] VS2005 build 50727
[RES] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd204	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x2250	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2f6b48	0x15b8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb1d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xceb0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9c64	0x9e00	f7b84c3f1dc25d7e22c666f6548ad36d	False	0.6220579509493671	data	6.61047516640524	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x2a8a	0x2c00	15f0cfe6a55e16bab3d0c93e8dd75f29	False	0.4401633522727273	data	5.6882335066903105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0x84a4	0x2200	4de969b913bd695cf78bb6a0fc0f6aac	False	0.22633272058823528	data	2.5090067713654047	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x17000	0x2250	0x2400	a437ead2b0a8b525663cba45f271624f	False	0.5009765625	data	4.937794448544168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x17300	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.5676972281449894
RT_ICON	0x181a8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.7193140794223827
RT_ICON	0x18a50	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.2073699421965318
RT_DIALOG	0x17190	0x16a	data	0.5939226519337016
RT_GROUP_ICON	0x18fb8	0x30	data	0.875
RT_MANIFEST	0x18fe8	0x261	XML 1.0 document, ASCII text, with CRLF line terminators	0.5697865353037767

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	VirtualAlloc, lstrlenA, VirtualFree, lstrcpyA, lstrcmpA, GetFileAttributesA, lstrcatA, GetSystemDirectoryA, GetTempPathA, GetCurrentDirectoryA, ExpandEnvironmentStringsA, CreateDirectoryA, GetFullPathNameA, ReadFile, SetFilePointer, CreateFileA, DeleteFileA, RemoveDirectoryA, Sleep, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, WriteFile, GetPrivateProfileStringA, GetLastError, GetTempFileNameA, GetModuleFileNameA, GetCurrentProcess, CreateThread, WaitForSingleObject, CreateProcessA, SetCurrentDirectoryA, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, FormatMessageA, CloseHandle, ExitProcess, GetPrivateProfileIntA, EnterCriticalSection, LeaveCriticalSection, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetStdHandle, DeleteCriticalSection, HeapFree, RtlUnwind, GetProcAddress, TlsGetValue, TlsSetValue, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, MultiByteToWideChar, InitializeCriticalSection, HeapAlloc, HeapReAlloc, SetStdHandle, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LoadLibraryA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA
USER32.dll	DialogBoxParamA, EndDialog, SetWindowTextA, ShowWindow, GetDlgItem, SetDlgItemTextA, SendMessageA, PostMessageA, wsprintfA, MessageBoxA, DestroyWindow
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegQueryValueExA

Target ID:	0
Start time:	22:26:54
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe"
Imagebase:	0x400000
File size:	3'113'216 bytes
MD5 hash:	A3BD864B819F0DC53482B5E06FFEF509
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	22:26:57
Start date:	23/04/2024
Path:	C:\Users\user\AppData\Local\Temp\~emtec~354033\setup.exe
Wow64 process (32bit):	true
Commandline:	.\setup.exe
Imagebase:	0x400000
File size:	632'248 bytes
MD5 hash:	51F4C23DB5D7F30E4F2B50AED1851339
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 2%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	16.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.8%
Total number of Nodes:	1289
Total number of Limit Nodes:	13

Executed Functions

Function 00401E6C Relevance: 119.4, APIs: 43, Strings: 25, Instructions: 374
stringfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00401EA3
_memset.LIBCMT ref: 00401EB7
_memset.LIBCMT ref: 00401EC5
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 00401EE9
GetTempPathA.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 00401EF0
GetCurrentDirectoryA.KERNEL32(00000104,C:\Users\user\Desktop,?,?,?,?,?,?,00000000,00000000), ref: 00401F01
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00401F07
GetModuleFileNameA.KERNEL32(00000000,00414F20,00000104,?,?,?,?,?,?,00000000,00000000), ref: 00401F1A
CreateFileA.KERNELBASE(00414F20,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00401F2D
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00401F42
SetFilePointer.KERNELBASE(000000FD,00000000,00000001,?,?,?,?,?,?,00000000,00000000), ref: 00401F7B
ReadFile.KERNELBASE(?,00000004,?,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00401FA1
SetFilePointer.KERNELBASE(000000FD,00000000,00000001,?,?,?,?,?,?,00000000,00000000), ref: 00401FE8
ReadFile.KERNELBASE(?,00000004,?,00000000,Could not read the source SFX.,?,?,?,?,?,?,00000000,00000000), ref: 0040200E
SetFilePointer.KERNELBASE(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00402032
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?,?,?,?,00000000,00000000), ref: 00402044
ReadFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0040205C
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,00000000), ref: 0040206A
GetTempFileNameA.KERNELBASE(?,0040B5E0,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 00402085
CreateFileA.KERNELBASE(?,40000000,00000003,00000000,00000002,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0040209E
WriteFile.KERNELBASE(00000000,?,?,00000000,?,?,?,?,?,?,00000000,00000000), ref: 004020C5
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 004020D1
GetPrivateProfileIntA.KERNEL32(0040B5E0,ZipSize,00000000,?), ref: 004020EB
GetPrivateProfileIntA.KERNEL32(0040B5E0,Delete,00000000,?), ref: 00402100
GetPrivateProfileIntA.KERNEL32(0040B5E0,NoGUI,00000000,?), ref: 00402115
GetPrivateProfileIntA.KERNEL32(0040B5E0,Debug,00000000,?), ref: 0040212A
GetPrivateProfileStringA.KERNEL32(0040B5E0,Name,Unnamed Archive,ZOC Installation,000000FF,?), ref: 00402153
GetPrivateProfileStringA.KERNEL32(0040B5E0,Exec,0040B280,.\setup.exe\,000000FF,?), ref: 00402171
GetPrivateProfileStringA.KERNEL32(0040B5E0,DefaultPath,0040B280,C:\Users\user\AppData\Local\Temp\~emtec~354033,00000104,?), ref: 0040218F
GetPrivateProfileStringA.KERNEL32(0040B5E0,Intro,0040B280,004143C0,00000400,?), ref: 004021AD
GetPrivateProfileStringA.KERNEL32(0040B5E0,AutoExtract,FALSE,?,00000006,?), ref: 004021C7
GetPrivateProfileStringA.KERNEL32(0040B5E0,OpenFolder,FALSE,?,00000006,?), ref: 004021E1
GetPrivateProfileStringA.KERNEL32(0040B5E0,URL,0040B280,00410910,00000080,?), ref: 004021FF
GetPrivateProfileStringA.KERNEL32(0040B5E0,Author,0040B280,00410E10,000000FF,?), ref: 0040221D
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\~emtec~354033,?,?,?,?,?,?,00000000,00000000), ref: 00402267
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\~emtec~354033,$curdir$,?,?,?,?,?,?,00000000,00000000), ref: 0040228C
lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0040229A
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\~emtec~354033,?,?,?,?,?,?,?,00000000,00000000), ref: 004022A1
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\~emtec~354033\,C:\Users\user\AppData\Local\Temp\~emtec~354033,?,?,?,?,?,?,00000000,00000000), ref: 004022A9
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\~emtec~354033,00000000,?,?,?,?,?,?,00000000,00000000), ref: 004022B4
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\~emtec~354033\,00000000,?,?,?,?,?,?,00000000,00000000), ref: 004022C4
VirtualFree.KERNELBASE(00000000,00008000,?,?,?,?,?,?,00000000,00000000), ref: 004022F0
DeleteFileA.KERNELBASE(?,?,?,?,?,?,?,00000000,00000000), ref: 004022FD

Strings

AutoExtract, xrefs: 004021C1
Exec, xrefs: 0040216B
$curdir$, xrefs: 00402286
Debug, xrefs: 00402124
DefaultPath, xrefs: 00402189
OpenFolder, xrefs: 004021DB
Can't write temp file, xrefs: 004020AE
Name, xrefs: 0040214D
Unnamed Archive, xrefs: 00402148
ZOC Installation, xrefs: 00402143
C:\Users\user\Desktop, xrefs: 00401EF6
OA, xrefs: 00401F0E
FALSE, xrefs: 004021BC, 004021D6
C:\Users\user\AppData\Local\Temp\~emtec~354033, xrefs: 0040217F, 00402261, 00402266, 0040228B, 0040228E, 004022A0, 004022A3, 004022AB, 004022B3
NoGUI, xrefs: 0040210F
.\setup.exe\, xrefs: 00402161
Could not get file info. This archive is likely corrupted., xrefs: 0040231B
Intro, xrefs: 004021A7
Author, xrefs: 00402217
C:\Users\user\AppData\Local\Temp\~emtec~354033\, xrefs: 004022A4, 004022B6, 004022BB, 004022C3
$temp$, xrefs: 0040227F
Could not read the source SFX., xrefs: 00401FA7
URL, xrefs: 004021F9
Delete, xrefs: 004020FA
ZipSize, xrefs: 004020E5

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$PrivateProfile$String$lstrcpy$Pointer$ReadTemp_memset$CreateCurrentNamePathVirtuallstrlen$AllocCloseDeleteDirectoryFreeHandleModuleProcessWrite
String ID: OA$$curdir$$$temp$$.\setup.exe\$Author$AutoExtract$C:\Users\user\AppData\Local\Temp\~emtec~354033$C:\Users\user\AppData\Local\Temp\~emtec~354033\$C:\Users\user\Desktop$Can't write temp file$Could not get file info. This archive is likely corrupted.$Could not read the source SFX.$Debug$DefaultPath$Delete$Exec$FALSE$Intro$Name$NoGUI$OpenFolder$URL$Unnamed Archive$ZOC Installation$ZipSize
API String ID: 3255873264-1124220831
Opcode ID: df61d446c2bfc078714f80d42b1de2b837ac060e2c40b2def2cfc33245c28dce
Instruction ID: 1a3fabdc81bed6bcdf13e4d3adf4703258411a5fcca0f91ac66744013bc12ab1
Opcode Fuzzy Hash: df61d446c2bfc078714f80d42b1de2b837ac060e2c40b2def2cfc33245c28dce
Instruction Fuzzy Hash: 67C191B1581248BEEB219BA09C49FEF3B6CEF45704F14407BF905B61E0D7B85A448BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00402C68 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b36aa0aa2268c91353dfe6a5efdf39a749a29305728033311bb681a434b3eee
Instruction ID: 62788a7c821a69d6522376510c136064b83e62b8c1f062fc13667314c3e4bad1
Opcode Fuzzy Hash: 8b36aa0aa2268c91353dfe6a5efdf39a749a29305728033311bb681a434b3eee
Instruction Fuzzy Hash: B9425D71910609EFCB24CF69C584AAEBBF5FF08315F10852EE85AA7680D378EA51DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040142E Relevance: 77.3, APIs: 22, Strings: 22, Instructions: 311
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00401465
_memset.LIBCMT ref: 00401479
VirtualAlloc.KERNELBASE(00000000,00000105,00001000,00000004,?,?,?,759183C0,C:\Users\user\AppData\Local\Temp\~emtec~354033,00000000), ref: 0040148E

Part of subcall function 004010BE: VirtualAlloc.KERNELBASE(00000000,004014A0,00001000,00000004,00000103,00000000,0040149F,?,00000001,?,?,?,759183C0,C:\Users\user\AppData\Local\Temp\~emtec~354033,00000000), ref: 004010D2

lstrcatA.KERNEL32(?,0040B2D4,?,?,?,759183C0,C:\Users\user\AppData\Local\Temp\~emtec~354033,00000000), ref: 004014B8
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 004014FE
_memset.LIBCMT ref: 00401545

Part of subcall function 004013D7: RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,00000103,?,00000000,00000103), ref: 004013F2
Part of subcall function 004013D7: RegQueryValueExA.ADVAPI32(?,?,00000000), ref: 0040141D
Part of subcall function 004013D7: RegCloseKey.ADVAPI32(?), ref: 00401426

lstrcpyA.KERNEL32(?,?), ref: 00401781
lstrcatA.KERNEL32(?,?), ref: 0040178F
lstrcatA.KERNEL32(?,0040B2D4), ref: 00401799
lstrcpyA.KERNEL32(?,00000000), ref: 004017BA
lstrlenA.KERNEL32(?), ref: 004017E0
lstrcpyA.KERNEL32(?,00000000), ref: 004017F6

Part of subcall function 004011F0: lstrlenA.KERNEL32(0040B454,?,00000104,?,?,004014E4,?,0040B454,0040B450,00000104), ref: 004011FF
Part of subcall function 004011F0: lstrlenA.KERNEL32(?,?,?,004014E4,?,0040B454,0040B450,00000104,?,?,?,?,?,?,759183C0,C:\Users\user\AppData\Local\Temp\~emtec~354033), ref: 00401206
Part of subcall function 004011F0: lstrcmpA.KERNEL32(0040B454,?,?,?,004014E4,?,0040B454,0040B450,00000104,?,?,?,?,?,?,759183C0), ref: 00401211
Part of subcall function 004011F0: lstrlenA.KERNEL32(0040B450,0040B2D4,?,?,004014E4,?,0040B454,0040B450,00000104,?,?,?,?,?,?,759183C0), ref: 00401236
Part of subcall function 004011F0: VirtualAlloc.KERNELBASE(00000000,004014E4,00001000,00000004,?,?,004014E4,?,0040B454,0040B450,00000104), ref: 00401250

Strings

AppData, xrefs: 00401682
%curdir%, xrefs: 00401628
%sendto%, xrefs: 0040158E
%quicklaunch%, xrefs: 00401652
C:\Program Files, xrefs: 004016F1
C:\Users\user\AppData\Local\Temp\~emtec~354033, xrefs: 0040144A
%desktop%, xrefs: 00401569
%startmenu%, xrefs: 00401521
ProgramFilesDir, xrefs: 0040172F
Startup, xrefs: 004015F0
C:\Users\user\AppData\Local\Temp\~emtec~354033\, xrefs: 00401618
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 0040170A
%startup%, xrefs: 004015D8
%sysdir%, xrefs: 00401758
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004016A0
%targetdir%, xrefs: 00401607
SendTo, xrefs: 004015A6
Favorites, xrefs: 004015CB
%programfiles%, xrefs: 004016E0
Programs, xrefs: 00401551
Desktop, xrefs: 00401581
%favorites%, xrefs: 004015B3

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$AllocVirtual_memsetlstrcatlstrcpy$CloseEnvironmentExpandOpenQueryStringsValuelstrcmp
String ID: %curdir%$%desktop%$%favorites%$%programfiles%$%quicklaunch%$%sendto%$%startmenu%$%startup%$%sysdir%$%targetdir%$AppData$C:\Program Files$C:\Users\user\AppData\Local\Temp\~emtec~354033$C:\Users\user\AppData\Local\Temp\~emtec~354033\$Desktop$Favorites$ProgramFilesDir$Programs$SOFTWARE\Microsoft\Windows\CurrentVersion$SendTo$Startup$\Microsoft\Internet Explorer\Quick Launch
API String ID: 674325901-2026946969
Opcode ID: 37606a7f0e300fb1ec33e0d94ee46084ceb86371dc2b888ebe7b25e597868a81
Instruction ID: 818a044053bc86c3c00416b233e70c77056a4a10d8390d6c9c2741c9cc04c5f5
Opcode Fuzzy Hash: 37606a7f0e300fb1ec33e0d94ee46084ceb86371dc2b888ebe7b25e597868a81
Instruction Fuzzy Hash: CBA11171A44348AEEF24DBA19C45FEA376CEB05704F64003BB945F61D2EB7896048B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402516 Relevance: 36.9, APIs: 17, Strings: 4, Instructions: 126
stringprocesssynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(.\setup.exe\), ref: 00402539
_memset.LIBCMT ref: 0040255E
_memset.LIBCMT ref: 00402572
_memset.LIBCMT ref: 0040257E
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004025A4
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 004025B1

Part of subcall function 0040142E: _memset.LIBCMT ref: 00401465
Part of subcall function 0040142E: _memset.LIBCMT ref: 00401479
Part of subcall function 0040142E: VirtualAlloc.KERNELBASE(00000000,00000105,00001000,00000004,?,?,?,759183C0,C:\Users\user\AppData\Local\Temp\~emtec~354033,00000000), ref: 0040148E
Part of subcall function 0040142E: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 004014FE
Part of subcall function 0040142E: lstrcpyA.KERNEL32(?,00000000), ref: 004017BA
Part of subcall function 0040142E: lstrlenA.KERNEL32(?), ref: 004017E0
Part of subcall function 0040142E: lstrcpyA.KERNEL32(?,00000000), ref: 004017F6

lstrcpyA.KERNEL32(?,00000000), ref: 004025C2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004025EB
ShowWindow.USER32(00000000), ref: 004025FC
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00402607
CloseHandle.KERNEL32(?), ref: 00402616
CloseHandle.KERNEL32(?), ref: 0040261B
_memset.LIBCMT ref: 0040262C
wsprintfA.USER32 ref: 00402641
MessageBoxA.USER32(00000000,?,Error,00000010), ref: 00402656
SetCurrentDirectoryA.KERNEL32(?), ref: 00402663
CreateThread.KERNEL32(00000000,00000000,004019CB,00000000,00000000,?), ref: 0040267B

Strings

%s could not be executed., xrefs: 0040263B
.\setup.exe\, xrefs: 00402533, 00402538, 004025B3
C:\Users\user\AppData\Local\Temp\~emtec~354033\, xrefs: 00402583, 00402588, 004025AA
Error, xrefs: 0040264C

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _memset$CurrentDirectorylstrcpy$CloseCreateHandlelstrlen$AllocEnvironmentExpandMessageObjectProcessShowSingleStringsThreadVirtualWaitWindowwsprintf
String ID: %s could not be executed.$.\setup.exe\$C:\Users\user\AppData\Local\Temp\~emtec~354033\$Error
API String ID: 3102551066-3267213050
Opcode ID: 5a357493f7fb41afaa1c40f1ac1d43d1f4d4a268ec120d6fdf9a306d60c53d09
Instruction ID: cbabd2bb027e95d25c02f5acb2326d93657106e7ec2713227161370b751db991
Opcode Fuzzy Hash: 5a357493f7fb41afaa1c40f1ac1d43d1f4d4a268ec120d6fdf9a306d60c53d09
Instruction Fuzzy Hash: 5A4152B190014DAFDB20AFA4DD89EDF37ACEB08354F004437F915F61A1DB789A448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401BDD Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 212
filestringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00401C22
VirtualAlloc.KERNELBASE(00000000,0000FFFF,00001000,00000004,?,?,?,?,?,?,?,?,75A73EB0,C:\Users\user\AppData\Local\Temp\~emtec~354033\,75920F00), ref: 00401C60
wsprintfA.USER32 ref: 00401CAD
lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,75A73EB0), ref: 00401CC4

Part of subcall function 00401039: GetLastError.KERNEL32(75923550,759234C0), ref: 00401061
Part of subcall function 00401039: GetLastError.KERNEL32(00000400,0040B280,00000000,00000000), ref: 00401077
Part of subcall function 00401039: FormatMessageA.KERNEL32(00001100,00000000,00000000), ref: 00401081
Part of subcall function 00401039: wsprintfA.USER32 ref: 0040109A
Part of subcall function 00401039: MessageBoxA.USER32(00000000,?,FreeExtractor Error,00000010), ref: 004010B3

wsprintfA.USER32 ref: 00401CF0
GetFullPathNameA.KERNEL32(?,00000104,?,00000000), ref: 00401D11
lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,75A73EB0), ref: 00401D2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401D4F
lstrlenA.KERNEL32(?), ref: 00401D8A
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401DBE
WriteFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00401DFD
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00401E11
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00401E1C
SetFileTime.KERNELBASE(?,00000000,00000000,?), ref: 00401E2B
FindCloseChangeNotification.KERNELBASE(?), ref: 00401E34
VirtualFree.KERNELBASE(?,00000000,00004000), ref: 00401E43

Strings

%s%s, xrefs: 00401CA7, 00401CEA
Could not get file info. This archive is likely corrupted., xrefs: 00401C49
C:\Users\user\AppData\Local\Temp\~emtec~354033\, xrefs: 00401BFF
Could not extract the current file., xrefs: 00401DC8

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Time$wsprintf$CreateErrorLastMessageVirtuallstrcpy$AllocChangeCloseDateFindFormatFreeFullLocalNameNotificationPathWrite_memsetlstrlen
String ID: %s%s$C:\Users\user\AppData\Local\Temp\~emtec~354033\$Could not extract the current file.$Could not get file info. This archive is likely corrupted.
API String ID: 1880198518-305127722
Opcode ID: 737c467f5faa1c5a6a6d6caa50c70dcba2893829461d2469f259e14798b719e7
Instruction ID: 7067d0a0fd5be49f7b50004b7e9254ef6b91271585893d8c31040e999677030c
Opcode Fuzzy Hash: 737c467f5faa1c5a6a6d6caa50c70dcba2893829461d2469f259e14798b719e7
Instruction Fuzzy Hash: 5D711FB1D4014EABDB209BA4DD45EFF7BBCEF04344F104436F615B61A1D7389A448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402325 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 150
windowsleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\~emtec~354033\,0040B2D4), ref: 0040234E
GetFullPathNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\~emtec~354033\,00000104,C:\Users\user\AppData\Local\Temp\~emtec~354033\,00000000), ref: 0040235D

Part of subcall function 00405049: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 0040506D
Part of subcall function 00405049: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 0040508B

Sleep.KERNELBASE(000001F4), ref: 0040238B
GetDlgItem.USER32(000003EF), ref: 004023B4
SendMessageA.USER32(00000000,00000401,00000000,?), ref: 004023D3
wsprintfA.USER32 ref: 00402427
SetDlgItemTextA.USER32(000003FA,?), ref: 0040243E
Sleep.KERNELBASE(00000032), ref: 00402446
SendMessageA.USER32(?,00000402,?,00000000), ref: 00402490
SendMessageA.USER32(?,00000402,?,00000000), ref: 004024CA
Sleep.KERNELBASE(0000012C), ref: 004024D1
PostMessageA.USER32(00000111,000003EC,00000000), ref: 004024E4

Part of subcall function 00401039: GetLastError.KERNEL32(75923550,759234C0), ref: 00401061
Part of subcall function 00401039: GetLastError.KERNEL32(00000400,0040B280,00000000,00000000), ref: 00401077
Part of subcall function 00401039: FormatMessageA.KERNEL32(00001100,00000000,00000000), ref: 00401081
Part of subcall function 00401039: wsprintfA.USER32 ref: 0040109A
Part of subcall function 00401039: MessageBoxA.USER32(00000000,?,FreeExtractor Error,00000010), ref: 004010B3

Strings

Could not read SFX info. It's likely corrupt., xrefs: 0040239F
Building Installation Environment ..., xrefs: 00402421
Could not get file info. This archive is likely corrupted., xrefs: 00402502
C:\Users\user\AppData\Local\Temp\~emtec~354033\, xrefs: 00402348, 0040234D, 00402356, 0040235C, 00402363, 00402448
Could not extract the current file., xrefs: 0040250C

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$SendSleep$ErrorFileItemLastwsprintf$CreateFormatFullNamePathPointerPostTextlstrcat
String ID: Building Installation Environment ...$C:\Users\user\AppData\Local\Temp\~emtec~354033\$Could not extract the current file.$Could not get file info. This archive is likely corrupted.$Could not read SFX info. It's likely corrupt.
API String ID: 1293832600-1003013652
Opcode ID: 8de3f1bb66b49ee0ff8f7b079aae17b94fe05722ada9e11a35cd559533b799ad
Instruction ID: 69f63de8c50ffa58a3254667d955117a6c463ecd59ab2f25f977ad8beffe7c13
Opcode Fuzzy Hash: 8de3f1bb66b49ee0ff8f7b079aae17b94fe05722ada9e11a35cd559533b799ad
Instruction Fuzzy Hash: 5A419171950218BFEF10ABA1DE4AEEE7778EF08715F104036FA01B51E1D7B959009B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401813 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00401847
_memset.LIBCMT ref: 0040185B
GetFullPathNameA.KERNEL32(?,00000104,?,00000000,?,?,?,00000000,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 00401871
lstrlenA.KERNEL32(?,?,?,?,?,?,?,00000000,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 00401893
lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,00000000,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 004018A7
lstrcatA.KERNEL32(?,0040B2D4,?,?,?,?,?,?,00000000,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 004018B9
GetFullPathNameA.KERNEL32(?,00000104,?,00000000,?,?,?,?,?,?,00000000,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 004018C9
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,00000000,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 004018E8
lstrcatA.KERNEL32(?,0040B2D4,?,?,?,00000000,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 00401887

Part of subcall function 004012EB: lstrlenA.KERNEL32(00401510,0040B2D4,?,00000104,00401510,?,0040B2D4,00000000), ref: 004012F5

lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,00000000,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 00401908

Strings

C:\Users\user\AppData\Local\Temp\~emtec~354033\, xrefs: 0040182F

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$FullNamePath_memsetlstrcat$CreateDirectorylstrcpy
String ID: C:\Users\user\AppData\Local\Temp\~emtec~354033\
API String ID: 2697513820-4213018283
Opcode ID: a3f2baf4ffaf07aae129d54dc5a3167d5ce247f874da67bab38c9c92332b4cb5
Instruction ID: c64920feef3fd70422c0ee4afce9e6ed662e7a93599af01e7b63ac33e804fe4c
Opcode Fuzzy Hash: a3f2baf4ffaf07aae129d54dc5a3167d5ce247f874da67bab38c9c92332b4cb5
Instruction Fuzzy Hash: A631D0B2901248ABEB30AFB59D88EDF77ACEF45344F10443AAA19E7152E73496058F64

Uniqueness

Uniqueness Score: -1.00%

Function 004027B6 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 63
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32(?,00000000,?,004028E3,00000000), ref: 004027CC

Part of subcall function 00401E6C: _memset.LIBCMT ref: 00401EA3
Part of subcall function 00401E6C: _memset.LIBCMT ref: 00401EB7
Part of subcall function 00401E6C: _memset.LIBCMT ref: 00401EC5
Part of subcall function 00401E6C: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 00401EE9
Part of subcall function 00401E6C: GetTempPathA.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 00401EF0
Part of subcall function 00401E6C: GetCurrentDirectoryA.KERNEL32(00000104,C:\Users\user\Desktop,?,?,?,?,?,?,00000000,00000000), ref: 00401F01
Part of subcall function 00401E6C: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00401F07
Part of subcall function 00401E6C: GetModuleFileNameA.KERNEL32(00000000,00414F20,00000104,?,?,?,?,?,?,00000000,00000000), ref: 00401F1A
Part of subcall function 00401E6C: CreateFileA.KERNELBASE(00414F20,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00401F2D
Part of subcall function 00401E6C: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00401F42
Part of subcall function 00401E6C: ReadFile.KERNELBASE(?,00000004,?,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00401FA1
Part of subcall function 00401E6C: ReadFile.KERNELBASE(?,00000004,?,00000000,Could not read the source SFX.,?,?,?,?,?,?,00000000,00000000), ref: 0040200E

Part of subcall function 004013BB: GetFileAttributesA.KERNELBASE(?,004016BE,?), ref: 004013BF

DialogBoxParamA.USER32(00000066,00000000,0040269D,00000000), ref: 0040281B
WaitForSingleObject.KERNEL32(?,00001388,?,004028E3,00000000), ref: 0040283D
CloseHandle.KERNEL32(?,004028E3,00000000), ref: 00402845
WaitForSingleObject.KERNEL32(?,00001388,?,004028E3,00000000), ref: 00402852
CloseHandle.KERNEL32(?,004028E3,00000000), ref: 0040285A
WaitForSingleObject.KERNEL32(?,00001388,?,004028E3,00000000), ref: 00402867
CloseHandle.KERNEL32(?,004028E3,00000000), ref: 0040286F

Part of subcall function 00401813: _memset.LIBCMT ref: 00401847
Part of subcall function 00401813: _memset.LIBCMT ref: 0040185B
Part of subcall function 00401813: GetFullPathNameA.KERNEL32(?,00000104,?,00000000,?,?,?,00000000,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 00401871
Part of subcall function 00401813: lstrcatA.KERNEL32(?,0040B2D4,?,?,?,00000000,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 00401887
Part of subcall function 00401813: lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,00000000,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 00401908

Part of subcall function 00401039: GetLastError.KERNEL32(75923550,759234C0), ref: 00401061
Part of subcall function 00401039: GetLastError.KERNEL32(00000400,0040B280,00000000,00000000), ref: 00401077
Part of subcall function 00401039: FormatMessageA.KERNEL32(00001100,00000000,00000000), ref: 00401081
Part of subcall function 00401039: wsprintfA.USER32 ref: 0040109A
Part of subcall function 00401039: MessageBoxA.USER32(00000000,?,FreeExtractor Error,00000010), ref: 004010B3

Strings

Couldn't create output directory., xrefs: 00402801
C:\Users\user\AppData\Local\Temp\~emtec~354033\, xrefs: 004027E4, 004027E9, 004027F6

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$_memset$CloseHandleObjectSingleWait$CurrentErrorLastMessageNamePathReadlstrlen$AttributesCreateDialogDirectoryFormatFullModuleParamPointerProcessTemplstrcatwsprintf
String ID: C:\Users\user\AppData\Local\Temp\~emtec~354033\$Couldn't create output directory.
API String ID: 3263903487-3614768603
Opcode ID: 8696fcb03184804f0f24fbe45bad661be33e71de10099a232f558d14175ec8f0
Instruction ID: 4ca3e2172306d8441907a0a894a9c08b5848724510cc59735dc340afc297f246
Opcode Fuzzy Hash: 8696fcb03184804f0f24fbe45bad661be33e71de10099a232f558d14175ec8f0
Instruction Fuzzy Hash: 371177B56102046BD7217B36EE89D5B7BACEF80784711843AF804F32F0DBB89D008A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040269D Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 86
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EndDialog.USER32(?,00000000), ref: 004026F1
CreateThread.KERNELBASE(00000000,00000000,Function_00002516,00000000,00000000,?), ref: 00402715
EndDialog.USER32(?,00000001), ref: 00402736
CreateThread.KERNELBASE(00000000,00000000,Function_00002325,00000000,00000000,?), ref: 0040274D
SetWindowTextA.USER32(?,ZOC Installation), ref: 00402770
PostMessageA.USER32(?,00000111,0000000B,00000000), ref: 00402780
ShowWindow.USER32(00000005), ref: 0040278E
PostMessageA.USER32(00000111,000003ED,00000000), ref: 004027A9

Strings

ZOC Installation, xrefs: 0040275E

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDialogMessagePostThreadWindow$ShowText
String ID: ZOC Installation
API String ID: 45217082-3218763524
Opcode ID: dbc5ac1d0c7c481cdeb8b5b9e4502041b959a42bf153dcb64720112c3ec234ac
Instruction ID: b903888f525894a0ce4ba5cc17fa31e332851c468d2553657f96f822baa69666
Opcode Fuzzy Hash: dbc5ac1d0c7c481cdeb8b5b9e4502041b959a42bf153dcb64720112c3ec234ac
Instruction Fuzzy Hash: 64215CB1551208BFE7108F74DE4CAB73AA8E748791F508432F901FA2E0D3F989819A5C

Uniqueness

Uniqueness Score: -1.00%

Function 004011F0 Relevance: 10.1, APIs: 8, Instructions: 71
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(0040B454,?,00000104,?,?,004014E4,?,0040B454,0040B450,00000104), ref: 004011FF
lstrlenA.KERNEL32(?,?,?,004014E4,?,0040B454,0040B450,00000104,?,?,?,?,?,?,759183C0,C:\Users\user\AppData\Local\Temp\~emtec~354033), ref: 00401206
lstrcmpA.KERNEL32(0040B454,?,?,?,004014E4,?,0040B454,0040B450,00000104,?,?,?,?,?,?,759183C0), ref: 00401211
lstrlenA.KERNEL32(0040B450,0040B2D4,?,?,004014E4,?,0040B454,0040B450,00000104,?,?,?,?,?,?,759183C0), ref: 00401236
VirtualAlloc.KERNELBASE(00000000,004014E4,00001000,00000004,?,?,004014E4,?,0040B454,0040B450,00000104), ref: 00401250
lstrcpyA.KERNEL32(00000000,?,?,?,004014E4,?,0040B454,0040B450,00000104,?,?,?,?,?,?,759183C0), ref: 0040126C
lstrcpyA.KERNEL32(00000001,0040B450,?,?,?,004014E4), ref: 00401288
VirtualFree.KERNELBASE(0040B450,00000000,00008000,?,?,?,004014E4), ref: 00401294

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$Virtuallstrcpy$AllocFreelstrcmp
String ID:
API String ID: 1979252130-0
Opcode ID: c8a411b3f2c4ad60fd71c5fcb8efb33f4cda4e5d6d35f89723b3214fb952243d
Instruction ID: 96d4167f46ff1ee276c3b00bc8b0778e44d999f8b3ec90ea23a610dc3e31eb9a
Opcode Fuzzy Hash: c8a411b3f2c4ad60fd71c5fcb8efb33f4cda4e5d6d35f89723b3214fb952243d
Instruction Fuzzy Hash: E1216A35600209AFDF119FA4DD44BAE3F65EF44390F10407AF915B62A0D774D915ABA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404934 Relevance: 9.3, APIs: 6, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(004051A3,0824748B,00000000,00000000,00000000,00000000,004051A3), ref: 0040495B

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0545b2a60ac735d96d4d7965a776e0a1d23aeecac35a3f0ed0c8ee50446b3489
Instruction ID: 6a869b3b57545260727cb0a2e342219a61a0c94c9ce3c898661590064a9b3964
Opcode Fuzzy Hash: 0545b2a60ac735d96d4d7965a776e0a1d23aeecac35a3f0ed0c8ee50446b3489
Instruction Fuzzy Hash: 71A133B6904209EEEB20DFA4D941BAE77B9EF80350F24417BEA51B72D4E7359D00DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00405049 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 0040506D

Part of subcall function 00404803: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,00000000,00000080,?), ref: 00404832

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 0040508B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 00405163
VirtualAlloc.KERNELBASE(00000000,00000080,00001000,00000004,?,C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 0040518B

Strings

C:\Users\user\AppData\Local\Temp\~emtec~354033\, xrefs: 00405055

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Pointer$AllocCloseCreateHandleVirtual
String ID: C:\Users\user\AppData\Local\Temp\~emtec~354033\
API String ID: 4021238690-4213018283
Opcode ID: aa05d3edf7b293831859d043f8d8499699b64315b0b51bad616b354aa5fc12fa
Instruction ID: 803072996f6395c0e7fb430fc1d7df9bc2105f5e7eefd168186a6777c12adcea
Opcode Fuzzy Hash: aa05d3edf7b293831859d043f8d8499699b64315b0b51bad616b354aa5fc12fa
Instruction Fuzzy Hash: 614190729056186EEB20DEA59D41BBF77ACDB45370F20023BFD20F61C0E7789D058A98

Uniqueness

Uniqueness Score: -1.00%

Function 00404803 Relevance: 7.6, APIs: 5, Instructions: 102
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,00000000,00000080,?), ref: 00404832
VirtualAlloc.KERNELBASE(00000000,00000404,00001000,00000004), ref: 00404856
SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 004048A3
ReadFile.KERNELBASE(00000000,?,00000404,00000000,00000000), ref: 004048B7
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00404908

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$PointerVirtual$AllocFreeRead
String ID:
API String ID: 3108635511-0
Opcode ID: 1e3b1115f09fb707520bb097aff1c435f8e54bf8fb8e6104146ea58a9e433ec8
Instruction ID: 5ecc3bd628a34f2ccc3d53b58d58b24b39d4eda0cd5caec076c4673e0f20c642
Opcode Fuzzy Hash: 1e3b1115f09fb707520bb097aff1c435f8e54bf8fb8e6104146ea58a9e433ec8
Instruction Fuzzy Hash: D63192B6A00284ABDB20AF65CC44B6F7B60AB84714F14887AE615BB2D0D3749941DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004051E3 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000006C,00001000,00000004,?,?,00401CFC,?), ref: 00405233
VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004,?,?,?,?,?,?,?,?,75A73EB0,C:\Users\user\AppData\Local\Temp\~emtec~354033\,75920F00), ref: 0040524C
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,75A73EB0,C:\Users\user\AppData\Local\Temp\~emtec~354033\,75920F00), ref: 0040526F

Strings

1.1.3, xrefs: 004052A7

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$Alloc$Free
String ID: 1.1.3
API String ID: 3668210933-2347784635
Opcode ID: 1b9aeeef757dac2b6c1a55c5fc68f503e511110812d7a0824588dbc47ad4780b
Instruction ID: af21e68c9badbd50f5d4c5867e97fd73f4a8a2ebcfaedd261536af9858537d59
Opcode Fuzzy Hash: 1b9aeeef757dac2b6c1a55c5fc68f503e511110812d7a0824588dbc47ad4780b
Instruction Fuzzy Hash: AE313AB1A04B06AFD724DF29D980A56BBE8FB08314B10093EE656E6B81D734F550CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004051AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\~emtec~354033\,004024B2,?,?), ref: 004051CB
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004051D9

Strings

C:\Users\user\AppData\Local\Temp\~emtec~354033\, xrefs: 004051AE

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ChangeCloseFindFreeNotificationVirtual
String ID: C:\Users\user\AppData\Local\Temp\~emtec~354033\
API String ID: 560371109-4213018283
Opcode ID: 4ab138d56a7379c63b628201f5af0c4c13f37c6e9f6ad2a8887551ed27003bbe
Instruction ID: 7285a0c4f2d92058e360dfddef20c3b7d3ca5475ae935d08b3b1d3249586ceb0
Opcode Fuzzy Hash: 4ab138d56a7379c63b628201f5af0c4c13f37c6e9f6ad2a8887551ed27003bbe
Instruction Fuzzy Hash: 3FE0C232409B20AEEA222B14BC08B9B3790EF09324F11092AF160B90E4D7786C848ECC

Uniqueness

Uniqueness Score: -1.00%

Function 00404FCD Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C:\Users\user\AppData\Local\Temp\~emtec~354033\, xrefs: 00404FE2

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\~emtec~354033\
API String ID: 0-4213018283
Opcode ID: e034e5556bc388b5e779c22109ac397b86efc0eb0e6c071a31e0b7db90e1fc4e
Instruction ID: 20f687011fcf1791211a9634d7707005dbe2747c4b6f258ed0e572a13b45f968
Opcode Fuzzy Hash: e034e5556bc388b5e779c22109ac397b86efc0eb0e6c071a31e0b7db90e1fc4e
Instruction Fuzzy Hash: CA015EB1508715AFDB389F15D88486BB3E8EB48325B20493FF166E2690D775EC408E68

Uniqueness

Uniqueness Score: -1.00%

Function 004028F0 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 27memorystringCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000104,00001000,00000004,C:\Users\user\AppData\Local\Temp\~emtec~354033\,0040246C,00414AE8,?), ref: 004028FF
lstrcpyA.KERNEL32(00000000,?), ref: 00402912

Strings

C:\Users\user\AppData\Local\Temp\~emtec~354033\, xrefs: 004028F0

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtuallstrcpy
String ID: C:\Users\user\AppData\Local\Temp\~emtec~354033\
API String ID: 4117716100-4213018283
Opcode ID: bcaf8bb63931681b9ca47130f7b022dc2ce4c2f67fdb7ee1458d5594e61d9d3e
Instruction ID: 0840543de2989a88ca697b9d14da5a8e60263cd651b7ad0e20701b82c5fa3048
Opcode Fuzzy Hash: bcaf8bb63931681b9ca47130f7b022dc2ce4c2f67fdb7ee1458d5594e61d9d3e
Instruction Fuzzy Hash: 59E09BB16553109FD7264F10E908BE737A0EF45762F01446DF695AA3D0C3B088418AD8

Uniqueness

Uniqueness Score: -1.00%

Function 00404E53 Relevance: 3.1, APIs: 2, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b8cac7fb6169c97dbc0e3d7f97242558d8744404fb42789dee7ce39cc4eba96
Instruction ID: 9f43172cbffd2757e157e29dd93894b4af6743593de9866573e11b76725491bb
Opcode Fuzzy Hash: 7b8cac7fb6169c97dbc0e3d7f97242558d8744404fb42789dee7ce39cc4eba96
Instruction Fuzzy Hash: 9E5119B1900706DFCB309F69C98085BB7F5BF843147218A3FE696A7A90D738E944CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00404CBA Relevance: 1.7, APIs: 1, Instructions: 186COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00401CFC,500040B2,00000000,00000000,?,00000000,?,?,?,0040521D,00401CFC,00401CFC,?,00000104,00000000), ref: 00404CDD

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 6e66ab15bb024579e4937df28d883a405a12aa104972a77bda4480837ebe67bc
Instruction ID: 1c560504153a65f87d7a498a28a53e97ad314c0e97c6f4fd8ca7b978515e137d
Opcode Fuzzy Hash: 6e66ab15bb024579e4937df28d883a405a12aa104972a77bda4480837ebe67bc
Instruction Fuzzy Hash: BF5192B6204204EFEB21CEA5D98096A77E9EFC5364B34057BEB50E72D0E735ED409B18

Uniqueness

Uniqueness Score: -1.00%

Function 00404711 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00000001,00000000,00000000,?,?,?,004047A1,00000000,?,00000000,00000000,?,?,004050A2), ref: 00404725

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 95a32e419c05aa302803649531c120a5e6e864f4569269e8a9cd6754ae34fbd8
Instruction ID: 31e718e927d5592d7190d26589b0e5bc9632fe5188b9ea9386b4a4f7d65233bc
Opcode Fuzzy Hash: 95a32e419c05aa302803649531c120a5e6e864f4569269e8a9cd6754ae34fbd8
Instruction Fuzzy Hash: 31E01AB5204108BFEB098B64CC16BAE7BACDB45344F4040B9B902E62D0EBB5DE45CA64

Uniqueness

Uniqueness Score: -1.00%

Function 004013BB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,004016BE,?), ref: 004013BF

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8caed6b9972a23968236a57ecfee80e31415ced2e774ab9d1578709467e66c2d
Instruction ID: f1cc98af387dd7fd2f9c77ec672864b50cdc4a033f0996c9240ac066445e8b89
Opcode Fuzzy Hash: 8caed6b9972a23968236a57ecfee80e31415ced2e774ab9d1578709467e66c2d
Instruction Fuzzy Hash: EDC09272820404A6EA101734AD4902E35E1FB91736BE48BF5F175E08F0C739C829B669

Uniqueness

Uniqueness Score: -1.00%

Function 004010BE Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,004014A0,00001000,00000004,00000103,00000000,0040149F,?,00000001,?,?,?,759183C0,C:\Users\user\AppData\Local\Temp\~emtec~354033,00000000), ref: 004010D2

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ecca1f0ab0cdaded683cd294faa6dddf3beb1caf0d4529479c24439f10543d75
Instruction ID: d31f515c08cc0c3c98d6e680e27f2706f61cbba694047fbd2b04043c5077b04b
Opcode Fuzzy Hash: ecca1f0ab0cdaded683cd294faa6dddf3beb1caf0d4529479c24439f10543d75
Instruction Fuzzy Hash: E8E02B361042C05AC3228A2D88C1B976BD99BCA710F14806EF2C4D7691C6B208858365

Uniqueness

Uniqueness Score: -1.00%

Function 004052F4 Relevance: 1.3, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00405307

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 35a26a88bda27b3e8a52bbe6f083c8f6a87bc6bbf2b07d18d031be8817683a04
Instruction ID: 2330009775a580402cc4fb9e482472cbe34082369fe5739f92b2a5dea1c4b7ab
Opcode Fuzzy Hash: 35a26a88bda27b3e8a52bbe6f083c8f6a87bc6bbf2b07d18d031be8817683a04
Instruction Fuzzy Hash: E5C09B712443017FE914CB40DE46F167794D7D4751F008404F358DD0D0C2B095408659

Uniqueness

Uniqueness Score: -1.00%

Function 0040530E Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00405319

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a5856b4697b908be054a4ac72a5414c51910e8e6471a67c9f41b8b29c04436bf
Instruction ID: 43064bf31c4af6517e82ec928997074ea404778ef87d2f11be693db213543b9f
Opcode Fuzzy Hash: a5856b4697b908be054a4ac72a5414c51910e8e6471a67c9f41b8b29c04436bf
Instruction Fuzzy Hash: 97A00230A94745ABEE619F10DE0AF2A7A61FB88B01F304864B2A1790F0DBB1641CDF4D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040A2BD Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 164libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,00413E80,00408C97,00413E80,Microsoft Visual C++ Runtime Library,00012010), ref: 0040A2EA
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040A306

Part of subcall function 0040673B: TlsGetValue.KERNEL32(00000000,004067B0,00000000,0040A2CB,00000000,00000000,00000314,?,?,?,00413E80,00408C97,00413E80,Microsoft Visual C++ Runtime Library,00012010), ref: 00406748
Part of subcall function 0040673B: TlsGetValue.KERNEL32(FFFFFFFF,?,?,?,00413E80,00408C97,00413E80,Microsoft Visual C++ Runtime Library,00012010), ref: 0040675F

GetProcAddress.KERNEL32(00000000,00000000), ref: 0040A323

Part of subcall function 0040673B: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00413E80,00408C97,00413E80,Microsoft Visual C++ Runtime Library,00012010), ref: 00406774
Part of subcall function 0040673B: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0040678F

GetProcAddress.KERNEL32(00000000,00000000), ref: 0040A338
__invoke_watson.LIBCMT ref: 0040A359

Part of subcall function 004058C2: _memset.LIBCMT ref: 0040594E
Part of subcall function 004058C2: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 0040596C
Part of subcall function 004058C2: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 00405976
Part of subcall function 004058C2: UnhandledExceptionFilter.KERNEL32(00413E80,?,?,00000000), ref: 00405980
Part of subcall function 004058C2: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 0040599B
Part of subcall function 004058C2: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 004059A2

Part of subcall function 004067B2: TlsGetValue.KERNEL32(?,004059CC), ref: 004067BF
Part of subcall function 004067B2: TlsGetValue.KERNEL32(FFFFFFFF,?,004059CC), ref: 004067D6

Part of subcall function 004067B2: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,004059CC), ref: 004067EB
Part of subcall function 004067B2: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00406806

GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 0040A36D
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0040A385
__invoke_watson.LIBCMT ref: 0040A3F8

Strings

GetProcessWindowStation, xrefs: 0040A37F
USER32.DLL, xrefs: 0040A2E5
GetUserObjectInformationA, xrefs: 0040A367
MessageBoxA, xrefs: 0040A300

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 2940365033-1046234306
Opcode ID: 7535dc95bca35e8515447b33f3995a6085b2fd547173bcfe7f17b26d5951e0ea
Instruction ID: fb75f07dada1393bf471aa4606fccdf42b34b645b5060d37196be1893b94f689
Opcode Fuzzy Hash: 7535dc95bca35e8515447b33f3995a6085b2fd547173bcfe7f17b26d5951e0ea
Instruction Fuzzy Hash: D041A879900314AACF11AFB5EC8D96F7BA8EB54304B14853FE411F31D1DB7C96A08A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00401039 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(75923550,759234C0), ref: 00401061
GetLastError.KERNEL32(00000400,0040B280,00000000,00000000), ref: 00401077
FormatMessageA.KERNEL32(00001100,00000000,00000000), ref: 00401081
wsprintfA.USER32 ref: 0040109A
MessageBoxA.USER32(00000000,?,FreeExtractor Error,00000010), ref: 004010B3

Strings

An error prevents this program from continuing: %s %s, xrefs: 00401094
FreeExtractor Error, xrefs: 004010A5

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastMessage$Formatwsprintf
String ID: An error prevents this program from continuing: %s %s$FreeExtractor Error
API String ID: 1581998817-4084750130
Opcode ID: acb655983f01ccbc4432a74fe19c605360c92e51bac16d86cd417deff0586d3d
Instruction ID: cceed217cb06599c6bea3e27b0279c81086081636dd7b3d71e1a28751e90d1bf
Opcode Fuzzy Hash: acb655983f01ccbc4432a74fe19c605360c92e51bac16d86cd417deff0586d3d
Instruction Fuzzy Hash: 5B0144B0940218FBE7209B659E09FAA7B7CDB04B41F5000B5FB84BB1D0D7B469858BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405320 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0040577D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00405792
UnhandledExceptionFilter.KERNEL32(H9A), ref: 0040579D
GetCurrentProcess.KERNEL32(C0000409), ref: 004057B9
TerminateProcess.KERNEL32(00000000), ref: 004057C0

Strings

H9A, xrefs: 00405798

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: H9A
API String ID: 2579439406-2392324566
Opcode ID: f3f983a565a634118f86a5c31206162df798c8c9aee7372c059c73b85cdff77a
Instruction ID: 57dfa1f30706d692dc90ede94f4937a1f385ef2fac3a762102a9ca2c1f0a59cd
Opcode Fuzzy Hash: f3f983a565a634118f86a5c31206162df798c8c9aee7372c059c73b85cdff77a
Instruction Fuzzy Hash: BA21F2B4515304EFD710DF58EE846857BA4FF08396F10903AE549A7BA1E7B44A84CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A75A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000A71D), ref: 0040A75F

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 62ce11549e5746e1c56843aadc80f163991ebec6f0de7f7a3d821c5877fe52f7
Instruction ID: 479729f7af4ba4fc7a668e51885c1e6a7ddd50a5672cc172fac87352e107537b
Opcode Fuzzy Hash: 62ce11549e5746e1c56843aadc80f163991ebec6f0de7f7a3d821c5877fe52f7
Instruction Fuzzy Hash: 0190026026220046CE1117745E2D60A25E0AE9860275144B16112E61D5DB7480105D5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040411E Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55e8cef4ead66dbed7c29c400053208fb80856e2e7f565912a24ab0806c1605
Instruction ID: f3b80663a6165fa8ad55d1a235edb86501d0df6e93bd80599857d8be7be0a23f
Opcode Fuzzy Hash: c55e8cef4ead66dbed7c29c400053208fb80856e2e7f565912a24ab0806c1605
Instruction Fuzzy Hash: F8D139B1A102588FCF18CF68C8805AD7BE5FF99354B25826AFD15A7394D374E881CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00402A88 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a56591039af48e6e42cb9e98d333cb850fe6655379670edaf9c767c4dbc8b6
Instruction ID: 41c1e8b651adb9bc2f54ebd6148bc50d1c3c1122979b0627e3caf2e8fa5d4ef8
Opcode Fuzzy Hash: 09a56591039af48e6e42cb9e98d333cb850fe6655379670edaf9c767c4dbc8b6
Instruction Fuzzy Hash: BE218622E106B316CB0D9EFE69C4122E7A0DB4F3227164176DDD4770A1D6B8ED2089D8

Uniqueness

Uniqueness Score: -1.00%

Function 004019CB Relevance: 45.7, APIs: 19, Strings: 7, Instructions: 153sleepwindowfileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(000003EF), ref: 004019EE
SetDlgItemTextA.USER32(000003F7,00414AE8), ref: 00401A1F
SetDlgItemTextA.USER32(000003F9,Removing temp files), ref: 00401A31
SetDlgItemTextA.USER32(000003FA,Cleaning up ...), ref: 00401A43
SendMessageA.USER32(00000401,00000401,00000000,?), ref: 00401A64
SetDlgItemTextA.USER32(000003F8,The extracted files are being removed.), ref: 00401A76
Sleep.KERNEL32(000000C8), ref: 00401A86
wsprintfA.USER32 ref: 00401ABB
wsprintfA.USER32 ref: 00401AD5
SetDlgItemTextA.USER32(000003FA,?), ref: 00401AF1
RemoveDirectoryA.KERNEL32(00000000), ref: 00401B20
DeleteFileA.KERNEL32(00000000), ref: 00401B3A
SendMessageA.USER32(?,00000402,00000000,00000000), ref: 00401B60
Sleep.KERNEL32(00000032), ref: 00401B64
_strlen.LIBCMT ref: 00401B7D
_strlen.LIBCMT ref: 00401B8A
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\~emtec~354033\), ref: 00401B95
Sleep.KERNEL32(000000C8), ref: 00401BAD
PostMessageA.USER32(00000111,0000001F,00000000), ref: 00401BC2

Strings

%s%s, xrefs: 00401AB5
Cleaning up ..., xrefs: 00401A33
The extracted files are being removed., xrefs: 00401A66
JA, xrefs: 004019F4
Deleting %s ..., xrefs: 00401ACF
C:\Users\user\AppData\Local\Temp\~emtec~354033\, xrefs: 00401A92, 00401AB0, 00401B89, 00401B94
Removing temp files, xrefs: 00401A21

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Item$Text$MessageSleep$DirectoryRemoveSend_strlenwsprintf$DeleteFilePost
String ID: %s%s$C:\Users\user\AppData\Local\Temp\~emtec~354033\$Cleaning up ...$Deleting %s ...$Removing temp files$The extracted files are being removed.$JA
API String ID: 1276955235-254564783
Opcode ID: d2f8ba33f8bde57fb984576adea1bc4c563aa837c2e928137c83c24265c30714
Instruction ID: 018cfaeb45447ecf13b2acfa7123d574b2b1dd0aeef0a2152d6557e7c74a5fb2
Opcode Fuzzy Hash: d2f8ba33f8bde57fb984576adea1bc4c563aa837c2e928137c83c24265c30714
Instruction Fuzzy Hash: FE51D270544304AFE711AB70ED49FAB3BA8EB40745F00403AF640B61F2DBB85A41CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00408B35 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 156fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 00408BA1
__invoke_watson.LIBCMT ref: 00408BB2
GetModuleFileNameA.KERNEL32(00000000,00413E99,00000104), ref: 00408BCE
_strcpy_s.LIBCMT ref: 00408BE3
__invoke_watson.LIBCMT ref: 00408BF6
_strlen.LIBCMT ref: 00408BFF
_strlen.LIBCMT ref: 00408C0C
__invoke_watson.LIBCMT ref: 00408C39
_strcat_s.LIBCMT ref: 00408C4C
__invoke_watson.LIBCMT ref: 00408C5D
_strcat_s.LIBCMT ref: 00408C6E
__invoke_watson.LIBCMT ref: 00408C7F
GetStdHandle.KERNEL32(000000F4,?,?,00000000,76EC5E70,00000003,00408D01,000000FC,0040897C,00000001,00000000,00000000,?,0040620A,?,00000001), ref: 00408C9E
_strlen.LIBCMT ref: 00408CBF
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,0040620A,?,00000001,?,00406563,00000018,0040D028,0000000C,004065F2,?), ref: 00408CC9

Strings

..., xrefs: 00408C1D
Runtime Error!Program: , xrefs: 00408B90
Microsoft Visual C++ Runtime Library, xrefs: 00408C8C
<program name unknown>, xrefs: 00408BD8

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 1879448924-4022980321
Opcode ID: 5e9343f13591cded3f6552505266235912c0705e655521e4fa6f8cc2ebe2dc33
Instruction ID: 594bb38951b2c435f25d05a6fd36c9204c2ab34fdf1c0c1e92fa44a5d5f10645
Opcode Fuzzy Hash: 5e9343f13591cded3f6552505266235912c0705e655521e4fa6f8cc2ebe2dc33
Instruction Fuzzy Hash: F53113A2A553156AE62036218E4AB2B362C9B20358F14013FFD85B12D3EF7D891541FE

Uniqueness

Uniqueness Score: -1.00%

Function 00406852 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 49libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,0040D068,0000000C,00406963,00000000,00000000,?,00000000,00405A22,004063E2,00000001,004066EA,?,00000000), ref: 00406863
GetProcAddress.KERNEL32(?,EncodePointer), ref: 00406897
GetProcAddress.KERNEL32(?,DecodePointer), ref: 004068A7
InterlockedIncrement.KERNEL32(0040F818), ref: 004068C9
__lock.LIBCMT ref: 004068D1
___addlocaleref.LIBCMT ref: 004068F0

Strings

DecodePointer, xrefs: 0040689F
EncodePointer, xrefs: 00406889
KERNEL32.DLL, xrefs: 0040685E

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1036688887-2843748187
Opcode ID: 62227c4c7599d968a19aa212d8ea303ef7cb03e68bb1b70dc341199583a9e4cd
Instruction ID: b17cabcd69524e07b574707f6cfc9f44af6e743911dd95d64703bafbafa7d369
Opcode Fuzzy Hash: 62227c4c7599d968a19aa212d8ea303ef7cb03e68bb1b70dc341199583a9e4cd
Instruction Fuzzy Hash: 1E113D719407019EEB20AF76D945B5ABBE0EF44314F10853FA8AAB36D0DB799904CF9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040818D Relevance: 10.7, APIs: 7, Instructions: 158COMMON

Download Yara Rule

APIs

getSystemCP.LIBCMT ref: 004081A6

Part of subcall function 00408113: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00408120
Part of subcall function 00408113: GetOEMCP.KERNEL32(00000000), ref: 0040813A

setSBCS.LIBCMT ref: 004081B8

Part of subcall function 00407E90: _memset.LIBCMT ref: 00407EA3

IsValidCodePage.KERNEL32(-00000030), ref: 004081FE
GetCPInfo.KERNEL32(00000000,?), ref: 00408211
_memset.LIBCMT ref: 00408229
setSBUpLow.LIBCMT ref: 004082FC

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
String ID:
API String ID: 2658552758-0
Opcode ID: 5f22f2d49870a45d1b2c2018c7fe8595ea5d80fa3937b46ec80ff7f6d6a7ed22
Instruction ID: 1ed4ce6d81da85f2ed7b4bc36fe1caa4676ecf64e385ac523a8b50ab09fb8ca0
Opcode Fuzzy Hash: 5f22f2d49870a45d1b2c2018c7fe8595ea5d80fa3937b46ec80ff7f6d6a7ed22
Instruction Fuzzy Hash: 4E51E3309046148BDF25DF65C9802BABBA4EF44704F1884BFDCC5BF282CA3D9846CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040673B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,004067B0,00000000,0040A2CB,00000000,00000000,00000314,?,?,?,00413E80,00408C97,00413E80,Microsoft Visual C++ Runtime Library,00012010), ref: 00406748
TlsGetValue.KERNEL32(FFFFFFFF,?,?,?,00413E80,00408C97,00413E80,Microsoft Visual C++ Runtime Library,00012010), ref: 0040675F
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00413E80,00408C97,00413E80,Microsoft Visual C++ Runtime Library,00012010), ref: 00406774
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0040678F

Strings

EncodePointer, xrefs: 00406789
KERNEL32.DLL, xrefs: 0040676F

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: EncodePointer$KERNEL32.DLL
API String ID: 1929421221-3682587211
Opcode ID: 0b77ce69fa150788a8d1e40656aca41f106f77314867c607be1724de2d60cb87
Instruction ID: a3fbd99c55abf2678559b948ba62fee479a011887d2bad7d3359df70f305cee5
Opcode Fuzzy Hash: 0b77ce69fa150788a8d1e40656aca41f106f77314867c607be1724de2d60cb87
Instruction Fuzzy Hash: 9CF0F6301002139FC6216B34ED4096B3A95EF40364B264132F815F32F0DB3DCC15969D

Uniqueness

Uniqueness Score: -1.00%

Function 004067B2 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,004059CC), ref: 004067BF
TlsGetValue.KERNEL32(FFFFFFFF,?,004059CC), ref: 004067D6
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,004059CC), ref: 004067EB
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00406806

Strings

DecodePointer, xrefs: 00406800
KERNEL32.DLL, xrefs: 004067E6

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: DecodePointer$KERNEL32.DLL
API String ID: 1929421221-629428536
Opcode ID: c19a475c749cb2b678dee1554f8b715236311ff3061ccd97e74c6964073a074b
Instruction ID: d3cfe3a3369e22c72968ec91ecf9b2cffd73badc70383e7dd90a82bded04ed60
Opcode Fuzzy Hash: c19a475c749cb2b678dee1554f8b715236311ff3061ccd97e74c6964073a074b
Instruction Fuzzy Hash: C4F090315066139BC6216F34EE00A6B7A94EF44794B16C532F816F32F0DB39CC29DAAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405C86 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00405CA4

Part of subcall function 004065D9: __mtinitlocknum.LIBCMT ref: 004065ED
Part of subcall function 004065D9: __amsg_exit.LIBCMT ref: 004065F9
Part of subcall function 004065D9: EnterCriticalSection.KERNEL32(?,?,?,00408A98,00000004,0040D1A8,0000000C,00406250,?,?,00000000,00000000,00000000,0040693A,00000001,00000214), ref: 00406601

___sbh_find_block.LIBCMT ref: 00405CAF
___sbh_free_block.LIBCMT ref: 00405CBE
HeapFree.KERNEL32(00000000,?,0040CF80,0000000C,004065BA,00000000,0040D028,0000000C,004065F2,?,?,?,00408A98,00000004,0040D1A8,0000000C), ref: 00405CEE
GetLastError.KERNEL32(?,00408A98,00000004,0040D1A8,0000000C,00406250,?,?,00000000,00000000,00000000,0040693A,00000001,00000214,?,00000000), ref: 00405CFF

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: dada409390ecfa9c54666b147273ea1a38f9bd2a9250a5f3f48a168545383979
Instruction ID: c56f20e2ecbc05d485a3b5cbd851e2410fb01009081eaaa340d504d71d576bdf
Opcode Fuzzy Hash: dada409390ecfa9c54666b147273ea1a38f9bd2a9250a5f3f48a168545383979
Instruction Fuzzy Hash: E1018471904B11AAEB206BB1AD0AB5F3764EF00364F20413FF411B62C0DA7C95408E5C

Uniqueness

Uniqueness Score: -1.00%

Function 004013D7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,00000103,?,00000000,00000103), ref: 004013F2
RegQueryValueExA.ADVAPI32(?,?,00000000), ref: 0040141D
RegCloseKey.ADVAPI32(?), ref: 00401426

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004013E8

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 3677997916-2036018995
Opcode ID: dc35a899928f6c4f1c4cca54cec9c2eb41d900b44d8b3982cafb415258b8ab5b
Instruction ID: fe376bb4e881d873306a744fad5fbf7f06eb9a7a9377bdf935b1d8e408fca26e
Opcode Fuzzy Hash: dc35a899928f6c4f1c4cca54cec9c2eb41d900b44d8b3982cafb415258b8ab5b
Instruction Fuzzy Hash: ADF0157890020CFFEF009F90ED49FDEBBB8EB04708F1040A0BA14B51A0D3B59A589B98

Uniqueness

Uniqueness Score: -1.00%

Function 004094C7 Relevance: 6.1, APIs: 4, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004094F7
__isleadbyte_l.LIBCMT ref: 0040952B
MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,00000000,?), ref: 0040955C
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?), ref: 004095CA

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 0c35b61afad96c21275ec05caaab146f7039f171d759ef604e72ddbf32abea77
Instruction ID: 96594215dd7ffc5ae7e9843afee9b77695da558d63cfa781b6e75a7e70e305ba
Opcode Fuzzy Hash: 0c35b61afad96c21275ec05caaab146f7039f171d759ef604e72ddbf32abea77
Instruction Fuzzy Hash: 3631D032A04256EFDB21DF65CC809AA7BB4FF01310F15857AE461AB2E2E334DD41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040806F Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00406988: __amsg_exit.LIBCMT ref: 00406996

__amsg_exit.LIBCMT ref: 0040809B
__lock.LIBCMT ref: 004080AB
InterlockedDecrement.KERNEL32(?), ref: 004080C8
InterlockedIncrement.KERNEL32(0040F818), ref: 004080F3

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__lock
String ID:
API String ID: 4129207761-0
Opcode ID: c81fff5e46d9b6d9a0ae035ce2f47a58c69b72d7c3bfb3762a894c53349fd8b8
Instruction ID: 6a7b75b83f8ad490ceb977d2997f914ff208c601beacb443a90cb82e981a60da
Opcode Fuzzy Hash: c81fff5e46d9b6d9a0ae035ce2f47a58c69b72d7c3bfb3762a894c53349fd8b8
Instruction Fuzzy Hash: DC017931A406219BDB31AB669A4675E76A0BF00714F02813FE851B77C1CF3C68898BDD

Uniqueness

Uniqueness Score: -1.00%

Function 00406911 Relevance: 6.0, APIs: 4, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00405A22,004063E2,00000001,004066EA,?,00000000,?,?,?,?,004067FC,?,004059CC), ref: 00406913

Part of subcall function 00406820: TlsGetValue.KERNEL32(00000000,00406926,?,00000000,00405A22,004063E2,00000001,004066EA,?,00000000,?,?,?,?,004067FC), ref: 00406827
Part of subcall function 00406820: TlsSetValue.KERNEL32(00000000,00000000,00405A22,004063E2,00000001,004066EA,?,00000000,?,?,?,?,004067FC,?,004059CC), ref: 00406848

__calloc_crt.LIBCMT ref: 00406935

Part of subcall function 0040623D: __calloc_impl.LIBCMT ref: 0040624B
Part of subcall function 0040623D: Sleep.KERNEL32(00000000), ref: 00406262

Part of subcall function 004067B2: TlsGetValue.KERNEL32(?,004059CC), ref: 004067BF
Part of subcall function 004067B2: TlsGetValue.KERNEL32(FFFFFFFF,?,004059CC), ref: 004067D6

Part of subcall function 00406852: GetModuleHandleA.KERNEL32(KERNEL32.DLL,0040D068,0000000C,00406963,00000000,00000000,?,00000000,00405A22,004063E2,00000001,004066EA,?,00000000), ref: 00406863
Part of subcall function 00406852: GetProcAddress.KERNEL32(?,EncodePointer), ref: 00406897
Part of subcall function 00406852: GetProcAddress.KERNEL32(?,DecodePointer), ref: 004068A7
Part of subcall function 00406852: InterlockedIncrement.KERNEL32(0040F818), ref: 004068C9
Part of subcall function 00406852: __lock.LIBCMT ref: 004068D1
Part of subcall function 00406852: ___addlocaleref.LIBCMT ref: 004068F0

GetCurrentThreadId.KERNEL32 ref: 00406965
SetLastError.KERNEL32(00000000,?,00000000,00405A22,004063E2,00000001,004066EA,?,00000000,?,?,?,?,004067FC,?,004059CC), ref: 0040697D

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
String ID:
API String ID: 1081334783-0
Opcode ID: 197b897f0e6162e4cbdd773ed252e9d33462d2a4db24d6a15071660457619522
Instruction ID: 6c4fa5f7ddfc670567b34fc89d08a269a6c1714e42c3e2b07c60ccb35bc3ae58
Opcode Fuzzy Hash: 197b897f0e6162e4cbdd773ed252e9d33462d2a4db24d6a15071660457619522
Instruction Fuzzy Hash: BFF028335027229AD2313B797C05A5B2E64DF04770B12413FF522B65E2CF3AC85156DC

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,7591E010), ref: 00401011
DestroyWindow.USER32(00010424,7591E010), ref: 0040101D
CloseHandle.KERNEL32(00000124), ref: 0040102A
ExitProcess.KERNEL32 ref: 00401032

Memory Dump Source

Source File: 00000000.00000002.3263720451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263698053.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263741147.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263760147.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263780399.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263819707.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DestroyWindow$CloseExitHandleProcess
String ID:
API String ID: 2085989030-0
Opcode ID: 365949bbb6c7abfec14263c5219434f77d95f52c6a6ecca140b888bf338354f3
Instruction ID: 96b95684d812e480a4c5c6016df89f69a7a307c478ed915f810d26511944f79d
Opcode Fuzzy Hash: 365949bbb6c7abfec14263c5219434f77d95f52c6a6ecca140b888bf338354f3
Instruction Fuzzy Hash: 1BE0E6716512109FD7209F74AD48F9737DCEB447507054432B410F7561C778D8405AEC

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: setup.exePID: 5424, Parent PID: 5840COMMON

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	65

Executed Functions

Function 0040459C Relevance: 66.3, APIs: 13, Strings: 24, Instructions: 1523
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 004045BE

Part of subcall function 00419640: __EH_prolog3.LIBCMT ref: 00419647

Part of subcall function 004136A5: __EH_prolog3_GS.LIBCMT ref: 004136AF
Part of subcall function 004136A5: LoadStringA.USER32(?,?,?,00000100), ref: 00413706

Part of subcall function 00401855: __EH_prolog3.LIBCMT ref: 0040185C

Part of subcall function 0041036C: __EH_prolog3.LIBCMT ref: 00410373
Part of subcall function 0041036C: _strlen.LIBCMT ref: 004103B5
Part of subcall function 0041036C: _strlen.LIBCMT ref: 004103E2

Strings

Programgroup entry or desktop icon, xrefs: 00405452
StartmenuOpts, xrefs: 00404691, 00404CDB, 00405806
IniKey, xrefs: 00404BCB, 00404D93, 0040567D
ActiveSyncInstall, xrefs: 004045D4
DesktopIcon, xrefs: 004046E2
SUCCEEDED(hres), xrefs: 004051CD, 00405461
UninstallStartmenu, xrefs: 00404BF9, 0040570E
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00404BE1, 00405696
UninstallStartmenuFiles, xrefs: 00405724
$PROGRAM, xrefs: 00404D43
AddToFirewall, xrefs: 0040576F, 00405798
.\install.cpp, xrefs: 004051C8, 0040545C
AppName, xrefs: 00404D1C, 004057EE
UninstallDesktopFiles, xrefs: 0040574E
https://, xrefs: 00404F47
\pcinstall.ini", xrefs: 00404626
StartmenuName, xrefs: 00404B78
;setup.exe;-remove , xrefs: 00404D87
%PATH%\, xrefs: 004050B8
StartmenuUninstall, xrefs: 00404C8D
%s\%s.URL, xrefs: 00405522
;setup.exe:1, xrefs: 00404DB0
http://, xrefs: 00404F1D
%s\%s.LNK, xrefs: 00405334

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strlen$H_prolog3_LoadString
String ID: $PROGRAM$%PATH%\$%s\%s.LNK$%s\%s.URL$.\install.cpp$;setup.exe:1$;setup.exe;-remove $ActiveSyncInstall$AddToFirewall$AppName$DesktopIcon$IniKey$Programgroup entry or desktop icon$SUCCEEDED(hres)$Software\Microsoft\Windows\CurrentVersion\Uninstall\$StartmenuName$StartmenuOpts$StartmenuUninstall$UninstallDesktopFiles$UninstallStartmenu$UninstallStartmenuFiles$\pcinstall.ini"$http://$https://
API String ID: 602430170-2849904513
Opcode ID: b70959cc3f6bb3ac1629c1c9806d09290a2d603c25369a0d8c0fc9dc2263dca9
Instruction ID: 8c970af3518d0a7d5a58cb4cb6b63acb034bd12b84b2d9891eb5c2cfdd5ceac7
Opcode Fuzzy Hash: b70959cc3f6bb3ac1629c1c9806d09290a2d603c25369a0d8c0fc9dc2263dca9
Instruction Fuzzy Hash: 8ED26170900249EEDB11EBA5CD55BDDB7B8AF15308F1040EAE509B71C2EB785B88CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00436D80 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<self>, xrefs: 00436D9C
./\, xrefs: 00436E41

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID:
String ID: ./\$<self>
API String ID: 0-2752795735
Opcode ID: 6c61b2d8ab86ed15cc8f8fe62cff2ace8c9248f0a8f2fcb4e5fe1f6f377d8d2c
Instruction ID: e7ff84fc5d36c0c8e5c6d82c32746597add1f11ba7aa71e19d2bd0d1197126e0
Opcode Fuzzy Hash: 6c61b2d8ab86ed15cc8f8fe62cff2ace8c9248f0a8f2fcb4e5fe1f6f377d8d2c
Instruction Fuzzy Hash: 4DA16DB180061AAEDB20DFE5C8459AEB7F8BF0C315F10512FF558D7681E7399980CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004381D7 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

./\, xrefs: 00438298

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID:
String ID: ./\
API String ID: 0-3176372042
Opcode ID: ceef4eaa34b6fab665cd07b4cb1b64e6bc2fd36f8451f982be12028f423f2701
Instruction ID: bd17b2a4a290f96856132e9c7d83e05b60895767ea32bdd059b6d00adc49d811
Opcode Fuzzy Hash: ceef4eaa34b6fab665cd07b4cb1b64e6bc2fd36f8451f982be12028f423f2701
Instruction Fuzzy Hash: 8AA15CB1800709AEDB20DFA6C8459AEB7B8BF0C315F14112FF518D7681EB399990CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004311A5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69fileCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004311BF

Part of subcall function 00437FAD: __FF_MSGBANNER.LIBCMT ref: 00437FD0
Part of subcall function 00437FAD: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00442DC2,?,00000001,?,0044340E,00000018,00469F50,0000000C,0044349D,?), ref: 00438025

_strlen.LIBCMT ref: 004311D0
_malloc.LIBCMT ref: 004311D9
_strcat.LIBCMT ref: 004311ED
FindFirstFileA.KERNEL32(00000000,?,?,00000001), ref: 00431204
_strcat.LIBCMT ref: 0043122F

Part of subcall function 00437ED0: __lock.LIBCMT ref: 00437EEE
Part of subcall function 00437ED0: ___sbh_find_block.LIBCMT ref: 00437EF9
Part of subcall function 00437ED0: ___sbh_free_block.LIBCMT ref: 00437F08
Part of subcall function 00437ED0: RtlFreeHeap.NTDLL(00000000,?,00469980,0000000C,00443465,00000000,00469F50,0000000C,0044349D,?,?,?,004388FB,00000004,004699E0,0000000C), ref: 00437F38
Part of subcall function 00437ED0: GetLastError.KERNEL32(?,004388FB,00000004,004699E0,0000000C,00442E08,?,?,00000000,00000000,00000000,0043FA2F,00000001,00000214,?,00000000), ref: 00437F49

Strings

/*.*, xrefs: 004311E6

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Heap_malloc_strcat$AllocateErrorFileFindFirstFreeLast___sbh_find_block___sbh_free_block__lock_strlen
String ID: /*.*
API String ID: 2393211415-1014195128
Opcode ID: 18e43807012b488647ef3b887e3e461ad87c85ccb9f7fc811f8dfb976a31b40e
Instruction ID: a0e2f963d810af93d2f59520ce96502a40403bb3dd4492aaefa3f1c77d5d02b8
Opcode Fuzzy Hash: 18e43807012b488647ef3b887e3e461ad87c85ccb9f7fc811f8dfb976a31b40e
Instruction Fuzzy Hash: 0B1106725046086AC620B772AC47AEF73ACDF8C329F10246FF541E61C1EE2CA9414A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00432BAB Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 388COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 00432FE9
_fprintf.LIBCMT ref: 0043304D

Strings

(incomplete d-tree) , xrefs: 0043303F
(incomplete l-tree) , xrefs: 00432FDB

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fprintf
String ID: (incomplete d-tree) $(incomplete l-tree)
API String ID: 1654120334-3591168323
Opcode ID: e907933ab87bf7202f6ef9e93de2d1da675b9480760fdc5e7afa7cdf95f8d45c
Instruction ID: 77b37662b1eab55379af4c61d1956d709ff12aeca5052708ca6ea76875f6e133
Opcode Fuzzy Hash: e907933ab87bf7202f6ef9e93de2d1da675b9480760fdc5e7afa7cdf95f8d45c
Instruction Fuzzy Hash: 28D1E432E04115ABEB15DF58DE825AD77B0FB08320F60253BD412A7251D7FC9A42EB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00412278 Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00412297
GetUserNameA.ADVAPI32(?,?), ref: 004122CD

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$NameUser_strlen
String ID:
API String ID: 379490859-0
Opcode ID: 197ebbf71497717f49edd3b26586395ca79a64f99eb8cb7c96b1d72c873f96a4
Instruction ID: 51d8c02a3e452236ea62c045287dcdd6b5c174194c0f54e7e323023768c79a7c
Opcode Fuzzy Hash: 197ebbf71497717f49edd3b26586395ca79a64f99eb8cb7c96b1d72c873f96a4
Instruction Fuzzy Hash: 2F118B71A002489BDB10EF95D945BEDB7B8FF58305F10402BE905E7281DBB89B08CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402F9C Relevance: 97.6, APIs: 4, Strings: 51, Instructions: 1341
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00402FBE
_memset.LIBCMT ref: 00402FE5

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 004136A5: __EH_prolog3_GS.LIBCMT ref: 004136AF
Part of subcall function 004136A5: LoadStringA.USER32(?,?,?,00000100), ref: 00413706

Part of subcall function 00418658: GetDlgItem.USER32(?,?), ref: 00418670

Part of subcall function 00415A8E: SetWindowTextA.USER32(?,00000000), ref: 00415A95

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

Part of subcall function 00419640: __EH_prolog3.LIBCMT ref: 00419647

Part of subcall function 0040F9F8: _strlen.LIBCMT ref: 0040FA08
Part of subcall function 0040F9F8: _strlen.LIBCMT ref: 0040FA13
Part of subcall function 0040F9F8: _strncpy.LIBCMT ref: 0040FAA9

Part of subcall function 00413FD0: __EH_prolog3.LIBCMT ref: 00413FD7
Part of subcall function 00413FD0: MessageBoxA.USER32(00000001,?,?,00010024), ref: 00414077

PostMessageA.USER32(?,00000111,00000095,?), ref: 00404367

Part of subcall function 0042D81A: __EH_prolog3.LIBCMT ref: 0042D83C
Part of subcall function 0042D81A: _malloc.LIBCMT ref: 0042D879
Part of subcall function 0042D81A: _memset.LIBCMT ref: 0042D8A1
Part of subcall function 0042D81A: _memset.LIBCMT ref: 0042D8EA
Part of subcall function 0042D81A: _strcat.LIBCMT ref: 0042D8F9
Part of subcall function 0042D81A: _strcat.LIBCMT ref: 0042D96F
Part of subcall function 0042D81A: _strcat.LIBCMT ref: 0042D97F
Part of subcall function 0042D81A: _strcat.LIBCMT ref: 0042D98B

Part of subcall function 00411530: __EH_prolog3.LIBCMT ref: 00411537
Part of subcall function 00411530: _memset.LIBCMT ref: 00411552
Part of subcall function 00411530: _strlen.LIBCMT ref: 00411589

Part of subcall function 00410A1E: _strerror.LIBCMT ref: 00410A39

Part of subcall function 004107B9: __EH_prolog3.LIBCMT ref: 004107C0
Part of subcall function 004107B9: _strpbrk.LIBCMT ref: 00410829
Part of subcall function 004107B9: _strlen.LIBCMT ref: 00410835

Part of subcall function 004010D1: _strlen.LIBCMT ref: 004010E1

Part of subcall function 004107B9: _strpbrk.LIBCMT ref: 00410809

SendMessageA.USER32(?,00000409,00000095,00000000), ref: 00404311

Part of subcall function 0040F93F: _strlen.LIBCMT ref: 0040F95F

Part of subcall function 00413D44: __EH_prolog3.LIBCMT ref: 00413D4B

Part of subcall function 0041338D: _strlen.LIBCMT ref: 00413396
Part of subcall function 0041338D: RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 004133A9

Part of subcall function 0041036C: __EH_prolog3.LIBCMT ref: 00410373
Part of subcall function 0041036C: _strlen.LIBCMT ref: 004103B5
Part of subcall function 0041036C: _strlen.LIBCMT ref: 004103E2

Strings

<NULL>, xrefs: 004032AE, 004032EB
IniKey, xrefs: 00403E3E, 00403E43, 00403E54
HE, xrefs: 00403FAD
AppVersion, xrefs: 00403EB4, 00403EB9, 00403F8E
.\install.cpp, xrefs: 00403398
{null}, xrefs: 00403BE1
StartmenuName, xrefs: 00403E96
Publisher, xrefs: 00403F4B
EmTec Innovative Software, xrefs: 00403F46
UninstallProtect, xrefs: 004040AA
Emtec Service-Control, xrefs: 004031AA, 004041EB
/STOP, xrefs: 004031B9
DisplayIcon, xrefs: 00403F1A
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00403E6A
Version, xrefs: 00403F98
notepad %1, xrefs: 00403CE9
AddToFirewall, xrefs: 004040B4, 004040B9, 004040C5
NoCopyComplete, xrefs: 00404234
\Shell\open, xrefs: 00403BF6
UninstallString, xrefs: 0040400A
command, xrefs: 00403C15, 00403CC0
UninstallFiles, xrefs: 00404060
\Setup.exe" -remove ", xrefs: 00403FBF
UninstallRootClasses, xrefs: 0040408C
http://www.emtec.com, xrefs: 00403F5B
SETUP::ActualCopy Application Service was stopped, xrefs: 004031E5
.1i, xrefs: 00403384
service.exe, xrefs: 00403136, 00403192, 00404178, 004041CD
CopyToDest, xrefs: 004035BC
DisplayName, xrefs: 00403EAA
UninstallPath, xrefs: 00404076
AppName, xrefs: 004033FC, 00403F70, 00403F84
UninstallEmail, xrefs: 004040DF, 004040E4, 004040F9, 0040410C, 0040411C
$JE, xrefs: 0040328F
AskOverwrite, xrefs: 00403221, 0040329F
DisplayVersion, xrefs: 00403EC9
$FILE, xrefs: 004033E8
URLInfoAbout, xrefs: 00403F60
FileTypes, xrefs: 00403760
/START, xrefs: 004041FA
{textedit}, xrefs: 00403C90
DefaultIcon, xrefs: 00403B80
$PROGRAM, xrefs: 0040340D
UninstallIcon, xrefs: 00403EEF
ProtectedFiles, xrefs: 0040325B, 004032DC, 00404096
SETUP::ActualCopy Application Service was restarted, xrefs: 00404217
total>0, xrefs: 0040339D
0JE, xrefs: 00403285
UninstallFirewall, xrefs: 004040D5
dummy.tmp, xrefs: 004034C9
\Shell\edit, xrefs: 00403CA1

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3_strlen$_memset_strcat$Message$_strpbrk$H_prolog3_ItemLoadPostSendStringTextValueWindow_malloc_strerror_strncpy
String ID: $FILE$$JE$$PROGRAM$.1i$.\install.cpp$/START$/STOP$0JE$<NULL>$AddToFirewall$AppName$AppVersion$AskOverwrite$CopyToDest$DefaultIcon$DisplayIcon$DisplayName$DisplayVersion$EmTec Innovative Software$Emtec Service-Control$FileTypes$IniKey$NoCopyComplete$ProtectedFiles$Publisher$SETUP::ActualCopy Application Service was restarted$SETUP::ActualCopy Application Service was stopped$Software\Microsoft\Windows\CurrentVersion\Uninstall\$StartmenuName$URLInfoAbout$UninstallEmail$UninstallFiles$UninstallFirewall$UninstallIcon$UninstallPath$UninstallProtect$UninstallRootClasses$UninstallString$Version$\Setup.exe" -remove "$\Shell\edit$\Shell\open$command$dummy.tmp$http://www.emtec.com$notepad %1$service.exe$total>0${null}${textedit}$HE
API String ID: 2694233176-2180281922
Opcode ID: 84c6aca34f0b3936eb679bd04520edeadd9020b077ec5783c4441aaf15ec6853
Instruction ID: b8973d8d56120797ba2c2e2f7acd054044bcdcef3ecf45719923b16e40596e60
Opcode Fuzzy Hash: 84c6aca34f0b3936eb679bd04520edeadd9020b077ec5783c4441aaf15ec6853
Instruction Fuzzy Hash: 95C2B470900248AEDF15EBA5CD56BEDBBB4AF15308F1040EEE549771C2DB781B88CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00430253 Relevance: 84.5, APIs: 18, Strings: 30, Instructions: 493COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 00430413
_fprintf.LIBCMT ref: 0043048A
_fprintf.LIBCMT ref: 004304D7
_fprintf.LIBCMT ref: 004304FF
_fprintf.LIBCMT ref: 004305A9
_fprintf.LIBCMT ref: 00430619
_fprintf.LIBCMT ref: 00430648
_fprintf.LIBCMT ref: 004306AD
_fprintf.LIBCMT ref: 004306E9
_fprintf.LIBCMT ref: 00430775
_fprintf.LIBCMT ref: 00430701

Part of subcall function 0043A91C: __stbuf.LIBCMT ref: 0043AA2A
Part of subcall function 0043A91C: __output_l.LIBCMT ref: 0043AA3A
Part of subcall function 0043A91C: __ftbuf.LIBCMT ref: 0043AA44

_fprintf.LIBCMT ref: 00430873
_fprintf.LIBCMT ref: 00430895
_fprintf.LIBCMT ref: 004302BC

Part of subcall function 0043BD9D: _flsall.LIBCMT ref: 0043BDB1

_fprintf.LIBCMT ref: 00430360
_fprintf.LIBCMT ref: 004303AC
__setmode.LIBCMT ref: 004303D4
_fprintf.LIBCMT ref: 004308E1

Strings

invalid compressed data for explode format, xrefs: 004304EB, 004304F0
not enough memory to inflate , xrefs: 00430390
unshrinking, xrefs: 00430699
exploding, xrefs: 00430476
%s: unknown compression method, xrefs: 0043063A
extracting, xrefs: 00430761
testing, xrefs: 004302A8
OK, xrefs: 004308C0
warning, xrefs: 00430547, 00430578
inflating, xrefs: 0043034C
unreducing, xrefs: 00430605
not enough memory for inflate operation, xrefs: 004303F8
error: %s%s, xrefs: 0043039E, 004304C9
not enough memory to explode , xrefs: 004304BB
invalid compressed (imploded) data for , xrefs: 004304C2, 004304C8
[text] , xrefs: 0043033D, 00430467, 004305F6, 0043068A, 00430752
error: not enough memory for unshrink operation, xrefs: 004306F3
%-22s , xrefs: 00430865
(&, xrefs: 00430522
[binary], xrefs: 00430344, 0043034A, 0043046E, 00430474, 004305FD, 00430603, 00430691, 00430697, 00430759, 0043075F
%0", xrefs: 00430739
error: %s, xrefs: 00430405, 004304F1
[empty] , xrefs: 00430741
C:/Program Files (x86)/ZOC5/zocdll.dll, xrefs: 0043028D, 004302A7, 0043034B, 0043039C, 00430475, 004304C7, 00430558, 00430604, 00430639, 00430698, 004306DA, 00430760, 00430864
not enough memory for explode operation, xrefs: 004304E4
invalid compressed (deflated) data for , xrefs: 00430397, 0043039D
error, xrefs: 0043054E, 00430567, 0043057F, 00430594
bad CRC %08lx (should be %08lx), xrefs: 00430887
error: not enough memory to unshrink %s, xrefs: 004306DB
invalid compressed data for inflate format, xrefs: 004303FF, 00430404

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fprintf$__ftbuf__output_l__setmode__stbuf_flsall
String ID: error: %s$ error: not enough memory for unshrink operation$ error: %s%s$ error: not enough memory to unshrink %s$ OK$ bad CRC %08lx (should be %08lx)$%-22s $%0"$%s: unknown compression method$(&$C:/Program Files (x86)/ZOC5/zocdll.dll$[binary]$[empty] $[text] $error$exploding$extracting$inflating$invalid compressed (deflated) data for $invalid compressed (imploded) data for $invalid compressed data for explode format$invalid compressed data for inflate format$not enough memory for explode operation$not enough memory for inflate operation$not enough memory to explode $not enough memory to inflate $testing$unreducing$unshrinking$warning
API String ID: 2252193178-2337029885
Opcode ID: 3a5c38b79f7d0337f7fa3d274560e002c7536fce832844044433610eb756468b
Instruction ID: f98fa1241759f8f3fd6589edfc9a9ced3c98f6cdedd0027dd89bf7be1ec3c639
Opcode Fuzzy Hash: 3a5c38b79f7d0337f7fa3d274560e002c7536fce832844044433610eb756468b
Instruction Fuzzy Hash: D6E1C9F1E04204A7DB247B569C6772B3258DB59308F24693FF81096262E77DDC508BAF

Uniqueness

Uniqueness Score: -1.00%

Function 00405BE3 Relevance: 67.5, APIs: 6, Strings: 32, Instructions: 1042
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4.00, xrefs: 00406353
Shared Tools, xrefs: 00405F8B
DAO350, xrefs: 0040612A
IniKey, xrefs: 004065DE
Path, xrefs: 00406063, 004060E7, 00406157
Software\Microsoft, xrefs: 00405F71
DeleteAfterExtract, xrefs: 00406852
Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 00406287
360.dll, xrefs: 0040618B
CheckDll, xrefs: 00405EC6, 00405ECB, 00405EE6
AppVersion, xrefs: 00406364, 00406555
UninstallPath, xrefs: 0040662F
AppName, xrefs: 00406313, 00406318, 0040653A, 004067D2, 004069DD, 00406A2A, 00406A97
NoFinalPopup, xrefs: 0040698E
Advertise, xrefs: 004065B8
open, xrefs: 00406AE5
dao350.dll, xrefs: 004060A5
350.dll, xrefs: 00406190
IdBmp, xrefs: 00406779
InstallPath, xrefs: 004066B4
setup.cfg, xrefs: 00405E6B
ActiveSyncInstall, xrefs: 0040626F
SharedFilesDir, xrefs: 00405FC4
dao360, xrefs: 00405F23
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 004065ED
$PROGRAM, xrefs: 004069EE
dao360.dll, xrefs: 0040602A
EmTec, xrefs: 004067E3
DAO\dao360.dll, xrefs: 00405FEC
CEAppMgr.exe, xrefs: 0040628C
ZOC, xrefs: 0040630A, 00406A92
Software\Microsoft\Shared Tools, xrefs: 00406013, 0040608E, 00406116

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$H_prolog3_LoadMessageString
String ID: $PROGRAM$350.dll$360.dll$4.00$ActiveSyncInstall$Advertise$AppName$AppVersion$CEAppMgr.exe$CheckDll$DAO350$DAO\dao360.dll$DeleteAfterExtract$EmTec$IdBmp$IniKey$InstallPath$NoFinalPopup$Path$Shared Tools$SharedFilesDir$Software\Microsoft$Software\Microsoft\Shared Tools$Software\Microsoft\Windows\CurrentVersion\App Paths\$Software\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallPath$ZOC$dao350.dll$dao360$dao360.dll$open$setup.cfg
API String ID: 2861373015-3100200597
Opcode ID: d44c1a1f9003fb53ded10cddaef1ffa514f58d3870bea01ccf9bff98e2265c8f
Instruction ID: 9aa44ed71816b2e81ef25f1dc77192e51f0c507da4186b09ad16b9ff8ae4388d
Opcode Fuzzy Hash: d44c1a1f9003fb53ded10cddaef1ffa514f58d3870bea01ccf9bff98e2265c8f
Instruction Fuzzy Hash: 0A927170900258AEDF10EBA5CC85BEDB7B4AF55308F1041AEE509B72D2DB785B88CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004308F0 Relevance: 67.1, APIs: 24, Strings: 14, Instructions: 642COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0043092F

Part of subcall function 00437FAD: __FF_MSGBANNER.LIBCMT ref: 00437FD0
Part of subcall function 00437FAD: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00442DC2,?,00000001,?,0044340E,00000018,00469F50,0000000C,0044349D,?), ref: 00438025

_malloc.LIBCMT ref: 0043095A
_strncmp.LIBCMT ref: 004309D3
_fprintf.LIBCMT ref: 00430B49
_fprintf.LIBCMT ref: 00430B60
_fprintf.LIBCMT ref: 00430C3D
__locking.LIBCMT ref: 00430C63
_fprintf.LIBCMT ref: 00430CA5
_strncmp.LIBCMT ref: 00430D05
_fprintf.LIBCMT ref: 00430D2C
_fprintf.LIBCMT ref: 00430D52
__locking.LIBCMT ref: 00430D95
_strncmp.LIBCMT ref: 00430E20
_fprintf.LIBCMT ref: 00430E4A
_fprintf.LIBCMT ref: 00430E98
__locking.LIBCMT ref: 00430FB1
_fprintf.LIBCMT ref: 00431024
_fprintf.LIBCMT ref: 0043106E
_fprintf.LIBCMT ref: 0043112B
_strncmp.LIBCMT ref: 0043114E
_fprintf.LIBCMT ref: 00431169
_fprintf.LIBCMT ref: 0043117F

Strings

skipping: %-22s %svolume label, xrefs: 004310EB
central, xrefs: 00430B77, 00430B96
hard disk , xrefs: 004310D9, 004310E5
%s: bad file comment length, xrefs: 00430BA5
3, xrefs: 00430B29
lseek, xrefs: 00430C90
C:/Program Files (x86)/ZOC5/zocdll.dll, xrefs: 00430981, 00430A88, 00430AD1, 00430B7C, 00430B9B, 00430BA4, 00430E84, 00430EE5, 00430F16, 00430FA1, 004310E6
caution: filename not matched: %s, xrefs: 00431016
local, xrefs: 00430E7F, 00430EE0
EOF, xrefs: 00430CF6, 00430E0C
local header sig, xrefs: 00430D16, 00430D1B, 00430E2D
file #%d: bad local header, xrefs: 00430E3C
(attempting to re-compensate), xrefs: 00430D44, 00430D8E
caution: excluded filename not matched: %s, xrefs: 00431060

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fprintf$_strncmp$__locking$_malloc$AllocateHeap
String ID: %s: bad file comment length$file #%d: bad local header$ skipping: %-22s %svolume label$ (attempting to re-compensate)$3$C:/Program Files (x86)/ZOC5/zocdll.dll$EOF$caution: excluded filename not matched: %s$caution: filename not matched: %s$central$hard disk $local$local header sig$lseek
API String ID: 2063179924-3552385710
Opcode ID: 4b0815d1471be1b8d330f1a29e7454fc49d2e7e8850956d712770a76f0c3f06a
Instruction ID: 7a42ba813986abdac79fdaccc26396be98ecfbd03cfb721901379eb5973ddf84
Opcode Fuzzy Hash: 4b0815d1471be1b8d330f1a29e7454fc49d2e7e8850956d712770a76f0c3f06a
Instruction Fuzzy Hash: 5922E6B1A04301ABE720AF559C56B2B72A0FB0C718F24293FF54192262E7BDD851CB5F

Uniqueness

Uniqueness Score: -1.00%

Function 0042E524 Relevance: 67.0, APIs: 22, Strings: 16, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__close.LIBCMT ref: 0042E5F8
_fprintf.LIBCMT ref: 0042E615

Part of subcall function 0042FA3A: __locking.LIBCMT ref: 0042FA68
Part of subcall function 0042FA3A: _fprintf.LIBCMT ref: 0042FCD1
Part of subcall function 0042FA3A: _fprintf.LIBCMT ref: 0042FCE7

__close.LIBCMT ref: 0042E64E
_fprintf.LIBCMT ref: 0042E67F
_fprintf.LIBCMT ref: 0042E6B0
_fprintf.LIBCMT ref: 0042E6DC
_fprintf.LIBCMT ref: 0042E6FD
_fprintf.LIBCMT ref: 0042E733
_fprintf.LIBCMT ref: 0042E765
_printf.LIBCMT ref: 0042E7A5
_fprintf.LIBCMT ref: 0042E7C1
__close.LIBCMT ref: 0042E7CF
_fprintf.LIBCMT ref: 0042E81C
__locking.LIBCMT ref: 0042E83B
_strncmp.LIBCMT ref: 0042E8C9
__locking.LIBCMT ref: 0042E930
_strncmp.LIBCMT ref: 0042E9A9
_fprintf.LIBCMT ref: 0042E9D0
__locking.LIBCMT ref: 0042EA18
_fprintf.LIBCMT ref: 0042EAC7

Part of subcall function 004308F0: _malloc.LIBCMT ref: 0043092F
Part of subcall function 004308F0: _malloc.LIBCMT ref: 0043095A
Part of subcall function 004308F0: _strncmp.LIBCMT ref: 004309D3

_fprintf.LIBCMT ref: 0042EB1C
_fprintf.LIBCMT ref: 0042EB5A

Strings

%s: can't find either %s or %s, so there., xrefs: 0042EB4C
unzip, xrefs: 0042EAFB, 0042EB0D, 0042EB3A, 0042EB4B
%sEmpty zipfile., xrefs: 0042E7A0
Warning: zipfile claims to be second disk of a two-part archive; attempting to process anyway. If no further errors occur, this archive was probably created by PAK v2.51 or earlier. This bug was reported to NoGate in March 1991 and was , xrefs: 0042E672
, xrefs: 0042E793, 0042E79F
error [%s]: start of central directory not found; zipfile corrupt.%s, xrefs: 0042EAB9
error [%s]: NULL central directory offset (attempting to process anyway), xrefs: 0042E726
error [%s]: zipfile is part of multi-disk archive (sorry, not yet supported)., xrefs: 0042E6F0
Zipfile is part of a multi-disk archive, and this is not the disk on which the central zipfile directory begins., xrefs: 0042E6CF
error [%s]: reported length of central directory is %ld bytes too long (Atari STZIP zipfile? J.H.Holm ZIPSPLIT 1.1 zipfile?). Compensating..., xrefs: 0042E9C2
warning [%s]: zipfile is empty, xrefs: 0042E7B4
error [%s]: missing %ld bytes in zipfile (attempting to process anyway), xrefs: 0042E6A3
%s: can't find zipfile directory in %s, %sand can't find %s, period., xrefs: 0042EB0E
zipinfo, xrefs: 0042EB26, 0042EB33
warning [%s]: extra %ld bytes at beginning or within zipfile (attempting to process anyway), xrefs: 0042E758
note: %s may be an executable, not an archive, xrefs: 0042E608

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fprintf$__locking$__close_strncmp$_malloc$_printf
String ID: $ Warning: zipfile claims to be second disk of a two-part archive; attempting to process anyway. If no further errors occur, this archive was probably created by PAK v2.51 or earlier. This bug was reported to NoGate in March 1991 and was $ Zipfile is part of a multi-disk archive, and this is not the disk on which the central zipfile directory begins.$error [%s]: zipfile is part of multi-disk archive (sorry, not yet supported).$%s: can't find either %s or %s, so there.$%s: can't find zipfile directory in %s, %sand can't find %s, period.$%sEmpty zipfile.$error [%s]: NULL central directory offset (attempting to process anyway)$error [%s]: missing %ld bytes in zipfile (attempting to process anyway)$error [%s]: reported length of central directory is %ld bytes too long (Atari STZIP zipfile? J.H.Holm ZIPSPLIT 1.1 zipfile?). Compensating...$error [%s]: start of central directory not found; zipfile corrupt.%s$note: %s may be an executable, not an archive$unzip$warning [%s]: extra %ld bytes at beginning or within zipfile (attempting to process anyway)$warning [%s]: zipfile is empty$zipinfo
API String ID: 482896368-4048806653
Opcode ID: 2073a6db50cbfe291eb357363d157dce9144e1d9ac85e737401658ab91b92204
Instruction ID: a788feae371d4ed795b9341df653e05f5699930aa097c3bfb151e1727980cc8a
Opcode Fuzzy Hash: 2073a6db50cbfe291eb357363d157dce9144e1d9ac85e737401658ab91b92204
Instruction Fuzzy Hash: CFE1FAB2B00120ABF720AB66FD06B393765E714718F94083FF901D63A1E6BD9851979F

Uniqueness

Uniqueness Score: -1.00%

Function 0040A575 Relevance: 56.8, APIs: 4, Strings: 28, Instructions: 792
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 0040A597

Part of subcall function 00411530: __EH_prolog3.LIBCMT ref: 00411537
Part of subcall function 00411530: _memset.LIBCMT ref: 00411552
Part of subcall function 00411530: _strlen.LIBCMT ref: 00411589

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 004114D2: __EH_prolog3.LIBCMT ref: 004114D9

Part of subcall function 00415B53: KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00415B5A

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

Part of subcall function 00435AB2: _malloc.LIBCMT ref: 00435ACA

Part of subcall function 004180E8: __EH_prolog3.LIBCMT ref: 004180EF

CopyFileA.KERNEL32(?,?,00000001), ref: 0040AD1D
_strlen.LIBCMT ref: 0040ADC0
_sprintf.LIBCMT ref: 0040AEDF

Part of subcall function 00411500: __EH_prolog3.LIBCMT ref: 00411507

Strings

DefaultScriptFolder="%s", xrefs: 0040AC6B
ConfigDataFolder="%s", xrefs: 0040ABE1, 0040B02F
IniKey, xrefs: 0040AD6B
Software\Emtec\, xrefs: 0040AD8C
%APPDATA%\ZOC, xrefs: 0040AB56
%ZOCFILES%, xrefs: 0040ABBE
UserConfigFolder, xrefs: 0040ADA6
Benutzerdateien, xrefs: 0040A672
SetupForceWorkdir, xrefs: 0040AF86, 0040B07F
ZOC5, xrefs: 0040AB9A, 0040AF5C, 0040B063
SharedInstall=yes, xrefs: 0040AC9C
InstallerConfig=yes, xrefs: 0040B03D
Options, xrefs: 0040AE31
admin.ini, xrefs: 0040A5AC
SetupDefaultConfig="%s", xrefs: 0040ACC0
SetupSubsystems="%.3s00000.%.3s00000", xrefs: 0040ACDA
Userfiles, xrefs: 0040A6AF
%ALLUSERPROFILE%, xrefs: 0040AAFE
%USERPROFILE%, xrefs: 0040A5F2, 0040AA8C
Software\EmTec, xrefs: 0040AF61, 0040B068
Script, xrefs: 0040ABFF, 0040AC06, 0040AC54, 0040AE09
SetupCreatedConfig=yes, xrefs: 0040ACAC
$(PATH), xrefs: 0040A76B
%ZOC%, xrefs: 0040B027
ZOC Files, xrefs: 0040A6D9
.bak, xrefs: 0040ACF7
%USERPROFILE%\, xrefs: 0040AAC3
ZOC Dateien, xrefs: 0040A69C

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strlen$CallbackCopyDispatcherFileUser_malloc_memset_sprintf
String ID: $(PATH)$%ALLUSERPROFILE%$%APPDATA%\ZOC$%USERPROFILE%$%USERPROFILE%\$%ZOC%$%ZOCFILES%$.bak$Benutzerdateien$ConfigDataFolder="%s"$DefaultScriptFolder="%s"$IniKey$InstallerConfig=yes$Options$Script$SetupCreatedConfig=yes$SetupDefaultConfig="%s"$SetupForceWorkdir$SetupSubsystems="%.3s00000.%.3s00000"$SharedInstall=yes$Software\EmTec$Software\Emtec\$UserConfigFolder$Userfiles$ZOC Dateien$ZOC Files$ZOC5$admin.ini
API String ID: 71786742-4181063893
Opcode ID: a7cce879f70d97694e493b1a54721bac3fc74107b13e623e44bcb2702371d857
Instruction ID: 007c155dc701a5049109458118ed7e2f1e2c093a70a2f0b9d7569d682bff6e45
Opcode Fuzzy Hash: a7cce879f70d97694e493b1a54721bac3fc74107b13e623e44bcb2702371d857
Instruction Fuzzy Hash: 9C628730900249EEDF15EBA5CC55BEE77B4AF14308F1040AEE549771D2EBB81B88DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041238A Relevance: 45.8, APIs: 8, Strings: 18, Instructions: 321
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 004123AC
_memset.LIBCMT ref: 004123D0
_memset.LIBCMT ref: 004123EB

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,?,?,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,000004E4), ref: 004126F6
RegQueryValueExA.KERNEL32(?,?,00000000,?,00000400,00000400,?,?,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,000004E4), ref: 0041271A
RegCloseKey.KERNEL32(?,?,?,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,000004E4,?,?,?,?,?,00000180), ref: 00412726
ExpandEnvironmentStringsA.KERNEL32(?,?,00000400,?,?,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,000004E4,?,?,?,?,?,00000180), ref: 00412741
_strlen.LIBCMT ref: 0041274E

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004123F9
Startup, xrefs: 00412480
rc==ERROR_SUCCESS, xrefs: 004127EA
Common Startup, xrefs: 00412636
GetSystemPath , xrefs: 004127AF
ProgramFilesDir, xrefs: 004126A0
My Pictures, xrefs: 00412536
Personal, xrefs: 004124D8
SendTo, xrefs: 00412565
Software\Microsoft\Windows\CurrentVersion, xrefs: 00412663
FALSE, xrefs: 004126D5
Common Programs, xrefs: 00412600
Common Documents, xrefs: 004125CA
.\osys_win32.cpp, xrefs: 004126D0, 004127E5
Common AppData, xrefs: 00412594
Desktop, xrefs: 00412507
AppData, xrefs: 004124AC
Programs, xrefs: 00412448

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3_memset_strlen$CloseEnvironmentExpandOpenQueryStringsValue
String ID: .\osys_win32.cpp$AppData$Common AppData$Common Documents$Common Programs$Common Startup$Desktop$FALSE$GetSystemPath $My Pictures$Personal$ProgramFilesDir$Programs$SendTo$Software\Microsoft\Windows\CurrentVersion$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$Startup$rc==ERROR_SUCCESS
API String ID: 2108205713-3974988360
Opcode ID: bc3437872324f348121421e496166c824316f3774ac5d3a80130687ea5dd406a
Instruction ID: 6db50fa2c725bc0ca0d9b0a6dff28d61342c241ad251f58bc63be78fbc0b1e5f
Opcode Fuzzy Hash: bc3437872324f348121421e496166c824316f3774ac5d3a80130687ea5dd406a
Instruction Fuzzy Hash: 6ED1727480115CEECB14EB91CD55FEEBB78AF15304F5040ABE949B3182DBB81B88DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00409AB4 Relevance: 37.1, APIs: 4, Strings: 17, Instructions: 312
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00409AC2
RegCreateKeyA.ADVAPI32(80000001,Software\Enterprise Alternatives\REXX\ExecOptions,?), ref: 00409F11
RegSetValueExA.KERNEL32(00000004,GlobalSCBs,00000000,00000004,?,00000004), ref: 00409F28
RegCloseKey.ADVAPI32(?), ref: 00409F31

Part of subcall function 00411530: __EH_prolog3.LIBCMT ref: 00411537
Part of subcall function 00411530: _memset.LIBCMT ref: 00411552
Part of subcall function 00411530: _strlen.LIBCMT ref: 00411589

Part of subcall function 004121F3: __EH_prolog3_GS.LIBCMT ref: 004121FA

Part of subcall function 004116AF: __EH_prolog3.LIBCMT ref: 004116BA
Part of subcall function 004116AF: _memset.LIBCMT ref: 004116D5
Part of subcall function 004116AF: _strlen.LIBCMT ref: 004116EA
Part of subcall function 004116AF: _strlen.LIBCMT ref: 004116FF

Part of subcall function 004118F2: __fread_nolock.LIBCMT ref: 004119BA

Strings

script="%ZOCFILES%, xrefs: 00409E57
Colortable.cfg, xrefs: 00409C05
Script, xrefs: 00409B91, 00409BC2
script=", xrefs: 00409E48
Colortable.ini, xrefs: 00409C36
PHONEBK, xrefs: 00409CE9
Options, xrefs: 00409AD4, 00409AD9, 00409B25, 00409B52, 00409C3B, 00409C7A, 00409CAC, 00409D1B, 00409D5B, 00409E07
zochosts.ini, xrefs: 00409E02
GlobalSCBs, xrefs: 00409F20
Path=", xrefs: 00409DA1
*.*, xrefs: 00409B07, 00409B0C, 00409B7C, 00409BF0
Path="%ZOCFILES%, xrefs: 00409DB0
OptionsV4.bak, xrefs: 00409AEB
standard.cfg, xrefs: 00409D56
ZocHosts.ini, xrefs: 00409CA7
Software\Enterprise Alternatives\REXX\ExecOptions, xrefs: 00409F01
ZOCHOSTS.INI, xrefs: 00409C74, 00409C79, 00409D1A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3_strlen$_memset$CloseCreateH_prolog3_Value__fread_nolock
String ID: *.*$Colortable.cfg$Colortable.ini$GlobalSCBs$Options$OptionsV4.bak$PHONEBK$Path="$Path="%ZOCFILES%$Script$Software\Enterprise Alternatives\REXX\ExecOptions$ZOCHOSTS.INI$ZocHosts.ini$script="$script="%ZOCFILES%$standard.cfg$zochosts.ini
API String ID: 4233208407-1996282527
Opcode ID: a980a060cd16fc338855aca332d4a3d56e514f8ba3601a4d8d0e6948f65ca49f
Instruction ID: 7315bcbf21e9175190a5d36dfad0cf26e73548311e56c0950ad569a6d9180a70
Opcode Fuzzy Hash: a980a060cd16fc338855aca332d4a3d56e514f8ba3601a4d8d0e6948f65ca49f
Instruction Fuzzy Hash: F9D16570800289EEDF15EFA1CD45BDD7B749F15308F1040ABB90A721D3EB785B98DAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00431684 Relevance: 35.5, APIs: 13, Strings: 7, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fprintf.LIBCMT ref: 0043179C
_fprintf.LIBCMT ref: 004317E0
_strcat.LIBCMT ref: 0043186A
_malloc.LIBCMT ref: 0043199B

Part of subcall function 00437FAD: __FF_MSGBANNER.LIBCMT ref: 00437FD0
Part of subcall function 00437FAD: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00442DC2,?,00000001,?,0044340E,00000018,00469F50,0000000C,0044349D,?), ref: 00438025

Part of subcall function 00437ED0: __lock.LIBCMT ref: 00437EEE
Part of subcall function 00437ED0: ___sbh_find_block.LIBCMT ref: 00437EF9
Part of subcall function 00437ED0: ___sbh_free_block.LIBCMT ref: 00437F08
Part of subcall function 00437ED0: RtlFreeHeap.NTDLL(00000000,?,00469980,0000000C,00443465,00000000,00469F50,0000000C,0044349D,?,?,?,004388FB,00000004,004699E0,0000000C), ref: 00437F38
Part of subcall function 00437ED0: GetLastError.KERNEL32(?,004388FB,00000004,004699E0,0000000C,00442E08,?,?,00000000,00000000,00000000,0043FA2F,00000001,00000214,?,00000000), ref: 00437F49

_fprintf.LIBCMT ref: 004318F1

Part of subcall function 0043BD9D: _flsall.LIBCMT ref: 0043BDB1

_malloc.LIBCMT ref: 00431984

Strings

checkdir warning: current dir path too long, xrefs: 00431A19
checkdir warning: path too long; truncating %s -> %s, xrefs: 004318DB
checkdir error: path too long: %s, xrefs: 0043178E
C:/Program Files (x86)/ZOC5/zocdll.dll, xrefs: 004317C7, 00431814, 004318D6
checkdir: can't create extraction directory: %s, xrefs: 00431BA9
checkdir error: %s exists but is not directory unable to process %s., xrefs: 0043181F
checkdir error: can't create %s unable to process %s., xrefs: 004317D2

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fprintf$Heap_malloc$AllocateErrorFreeLast___sbh_find_block___sbh_free_block__lock_flsall_strcat
String ID: C:/Program Files (x86)/ZOC5/zocdll.dll$checkdir error: %s exists but is not directory unable to process %s.$checkdir error: can't create %s unable to process %s.$checkdir error: path too long: %s$checkdir warning: path too long; truncating %s -> %s$checkdir warning: current dir path too long$checkdir: can't create extraction directory: %s
API String ID: 3750816351-2062303504
Opcode ID: 7a466d29cf8b489a9ed17ad82a267ad34c260a63cea29bd4935bfefb92a53d3c
Instruction ID: c8d797e58c38e7eb2dde99da080c9dc8acf34a939e9bfa94c7b00b58a090aa04
Opcode Fuzzy Hash: 7a466d29cf8b489a9ed17ad82a267ad34c260a63cea29bd4935bfefb92a53d3c
Instruction Fuzzy Hash: 7BF148715082419EE721AB69FC4272A3B90AB1D754F64787FE881C72B2DF7D8841CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 004161D3 Relevance: 33.8, APIs: 8, Strings: 11, Instructions: 583COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004161F2

Strings

SysTabControl32, xrefs: 00416411
SysTreeView32, xrefs: 00416446
SB_PAGEUP==SB_PAGELEFT, xrefs: 004166B3
SB_TOP==SB_LEFT, xrefs: 0041665C
pnm->iItem==-1, xrefs: 004163D6
SB_LINEDOWN==SB_LINERIGHT, xrefs: 0041669E
SB_LINEUP==SB_LINELEFT, xrefs: 00416686
SysListView32, xrefs: 0041638B
SB_BOTTOM==SB_RIGHT, xrefs: 00416671
SB_PAGEDOWN==SB_PAGEDOWN, xrefs: 004166C8
.\windows_win32.cpp, xrefs: 004163D1, 00416656, 0041665B, 00416670, 00416685, 0041669D, 004166B2, 004166C7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3
String ID: .\windows_win32.cpp$SB_BOTTOM==SB_RIGHT$SB_LINEDOWN==SB_LINERIGHT$SB_LINEUP==SB_LINELEFT$SB_PAGEDOWN==SB_PAGEDOWN$SB_PAGEUP==SB_PAGELEFT$SB_TOP==SB_LEFT$SysListView32$SysTabControl32$SysTreeView32$pnm->iItem==-1
API String ID: 431132790-2982637157
Opcode ID: 01df3faaebb6becbacab612baab08749489cc6e1b69bcb6605e341341b348f7c
Instruction ID: 16e92b8ad4f2a20c24b511e742783f21791574b00a9db2419f24c340b4e39c09
Opcode Fuzzy Hash: 01df3faaebb6becbacab612baab08749489cc6e1b69bcb6605e341341b348f7c
Instruction Fuzzy Hash: 9312E270600219ABDB24AF54C889FFE77B4EB04715F21020BF922962D1CB78D985CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402889 Relevance: 33.6, APIs: 10, Strings: 9, Instructions: 395
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 004028B4

Part of subcall function 00415A9E: __EH_prolog3.LIBCMT ref: 00415AA5
Part of subcall function 00415A9E: GetWindowTextLengthA.USER32(?), ref: 00415AB7
Part of subcall function 00415A9E: GetWindowTextA.USER32(?,00000000,00000001), ref: 00415AEC

Part of subcall function 00419640: __EH_prolog3.LIBCMT ref: 00419647

Part of subcall function 0040F9F8: _strlen.LIBCMT ref: 0040FA08
Part of subcall function 0040F9F8: _strlen.LIBCMT ref: 0040FA13
Part of subcall function 0040F9F8: _strncpy.LIBCMT ref: 0040FAA9

Part of subcall function 00415A8E: SetWindowTextA.USER32(?,00000000), ref: 00415A95

Part of subcall function 0041AFFC: _memset.LIBCMT ref: 0041B01E
Part of subcall function 0041AFFC: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0041B02E
Part of subcall function 0041AFFC: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041B057
Part of subcall function 0041AFFC: DeleteDC.GDI32(00000000), ref: 0041B061
Part of subcall function 0041AFFC: MulDiv.KERNEL32(?,?,00000048), ref: 0041B06F
Part of subcall function 0041AFFC: _strcat.LIBCMT ref: 0041B0BF
Part of subcall function 0041AFFC: CreateFontIndirectA.GDI32(?), ref: 0041B0CB

SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00402B6C
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00402B78
SendMessageA.USER32(?,00000030,?,00000001), ref: 00402B87
SendMessageA.USER32(?,00000030,?,00000001), ref: 00402B93
SendMessageA.USER32(?,00000030,00000095,00000001), ref: 00402C7E
SendMessageA.USER32(?,00000030,?,00000001), ref: 00402CFA
DeleteObject.GDI32(?), ref: 00402D05
SendMessageA.USER32(?,00000030,?,00000001), ref: 00402D11
DeleteObject.GDI32(?), ref: 00402D16

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

Part of subcall function 00419FDE: __EH_prolog3.LIBCMT ref: 00419FE5

Strings

Advertise, xrefs: 004028D9
Description, xrefs: 00402C80
Product, xrefs: 00402AE7, 00402C47
Url, xrefs: 00402962
$PROG, xrefs: 00402A9B, 00402B00, 00402BEC, 00402C59
Teaser1, xrefs: 0040297F
Arial, xrefs: 00402B28, 00402B39, 00402B4F
Teaser2, xrefs: 0040299C
AppName, xrefs: 00402A87, 00402BD8

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: MessageSend$H_prolog3$DeleteTextWindow$CreateObject_strlen$CapsDeviceFontIndirectLength_memset_strcat_strncpy
String ID: $PROG$Advertise$AppName$Arial$Description$Product$Teaser1$Teaser2$Url
API String ID: 1348522516-2171997948
Opcode ID: 0c87df0ea48f5f6a6a72e8e9c1f70486dabcfd04d42c342bf61be375e34ab0c4
Instruction ID: 6bcfe3759cc0d5c50ebf4acbe0531e50aeb08d2d398f67e5c8dca8057c04133c
Opcode Fuzzy Hash: 0c87df0ea48f5f6a6a72e8e9c1f70486dabcfd04d42c342bf61be375e34ab0c4
Instruction Fuzzy Hash: D2F14C30900258EEDB15EBA1CD96BEDBB74AF15308F1041AEF509772C2DB781B88DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0042D81A Relevance: 32.0, APIs: 14, Strings: 4, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 0042D83C
_malloc.LIBCMT ref: 0042D879

Part of subcall function 00437FAD: __FF_MSGBANNER.LIBCMT ref: 00437FD0
Part of subcall function 00437FAD: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00442DC2,?,00000001,?,0044340E,00000018,00469F50,0000000C,0044349D,?), ref: 00438025

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

_memset.LIBCMT ref: 0042D8A1
_memset.LIBCMT ref: 0042D8EA
_strcat.LIBCMT ref: 0042D8F9
_strcat.LIBCMT ref: 0042D96F
_strcat.LIBCMT ref: 0042D97F
_strcat.LIBCMT ref: 0042D98B
_strcat.LIBCMT ref: 0042D999
_strcat.LIBCMT ref: 0042D9A9
_strcat.LIBCMT ref: 0042D9B7
_sprintf.LIBCMT ref: 0042DCE0
_sprintf.LIBCMT ref: 0042DD3B
GetActiveWindow.USER32 ref: 0042DD87

Part of subcall function 004136A5: __EH_prolog3_GS.LIBCMT ref: 004136AF
Part of subcall function 004136A5: LoadStringA.USER32(?,?,?,00000100), ref: 00413706

Strings

adr, xrefs: 0042D88E
unzip, xrefs: 0042D964
.\unzipper.cpp, xrefs: 0042D889
-qq, xrefs: 0042D974

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strcat$_memset$H_prolog3_sprintf$ActiveAllocateErrorH_prolog3_HeapLastLoadStringWindow__snprintf_malloc
String ID: -qq$.\unzipper.cpp$adr$unzip
API String ID: 1331862449-3161176882
Opcode ID: af13b878ad57a950adb1b6289bc2ad1736c1a39105a2284ca57bdf05322b9c25
Instruction ID: d2b0f5b27c2b28792ef0bb0d692860312c073bd0c845c37b9a1fbbea4eeee631
Opcode Fuzzy Hash: af13b878ad57a950adb1b6289bc2ad1736c1a39105a2284ca57bdf05322b9c25
Instruction Fuzzy Hash: B202A271D00249AEDF24DFA5DC41AEEBBB4AF05318F10406FE519B31D2EB781A49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0043D8D1 Relevance: 30.6, APIs: 20, Instructions: 602fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

__invoke_watson.LIBCMT ref: 0043D91D
__invoke_watson.LIBCMT ref: 0043D938
CreateFileA.KERNEL32(00000080,?,00000080,0000000C,00000001,00000080,00000000,00000109,00000000,00000000), ref: 0043DB21
CreateFileA.KERNEL32(00000080,7FFFFFFF,00000001,0000000C,00000001,00000080,00000000), ref: 0043DB5A
GetLastError.KERNEL32 ref: 0043DB7F
__dosmaperr.LIBCMT ref: 0043DB86
GetFileType.KERNEL32(?), ref: 0043DB9B
GetLastError.KERNEL32 ref: 0043DBC0
__dosmaperr.LIBCMT ref: 0043DBC9
CloseHandle.KERNEL32(?), ref: 0043DBD2
__chsize_nolock.LIBCMT ref: 0043DCB6
CloseHandle.KERNEL32(?), ref: 0043DE35
CreateFileA.KERNEL32(00000080,?,00000001,0000000C,00000003,00000080,00000000), ref: 0043DE52
GetLastError.KERNEL32 ref: 0043DE61
__dosmaperr.LIBCMT ref: 0043DE68
__lseeki64_nolock.LIBCMT ref: 0043DE9B
__lseeki64_nolock.LIBCMT ref: 0043DEB0
__lseeki64_nolock.LIBCMT ref: 0043DF1F
__lseeki64_nolock.LIBCMT ref: 0043DF30
__locking.LIBCMT ref: 0043DFDF

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: File__lseeki64_nolock$CreateErrorLast__dosmaperr$CloseHandle__invoke_watson$Type__chsize_nolock__locking
String ID:
API String ID: 2633173609-0
Opcode ID: d8040c86cb3a28e60c162474d9205a84b198881dd3af79134630275512dbe264
Instruction ID: 8e681b210d4972a56b21e1eb7acd70b5558bd8f129ccf8d57a887fc025425b5b
Opcode Fuzzy Hash: d8040c86cb3a28e60c162474d9205a84b198881dd3af79134630275512dbe264
Instruction Fuzzy Hash: FB222471C002099BEF259F68EC817AEBBB0EF09318F24656BE451972E1C77D8E44CB09

Uniqueness

Uniqueness Score: -1.00%

Function 00406B72 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00406B7C

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 0041521D: __EH_prolog3.LIBCMT ref: 0041523F

SetCurrentDirectoryA.KERNEL32(00000000,?,<self>), ref: 00406C2E

Part of subcall function 00408A2B: __EH_prolog3.LIBCMT ref: 00408A47

LoadLibraryA.KERNEL32(SETUPHOOK), ref: 00406C53
GetProcAddress.KERNEL32(00000000,SetupHook), ref: 00406C6B
GetProcAddress.KERNEL32(00000000,NewSetupHook), ref: 00406C93
FreeLibrary.KERNEL32(00000000), ref: 00406CE1

Part of subcall function 004114D2: __EH_prolog3.LIBCMT ref: 004114D9

Part of subcall function 00411793: __EH_prolog3.LIBCMT ref: 0041179A

Strings

ORDER, xrefs: 00406CA9
1.00, xrefs: 00406B89
fpSetupHook, xrefs: 00406C7A
AUTODIR, xrefs: 00406BF8
<self>, xrefs: 00406C07
REMOVE, xrefs: 00406CBA
NewSetupHook, xrefs: 00406C8D
.\main.cpp, xrefs: 00406C75
SetupHook, xrefs: 00406C65
SETUPHOOK, xrefs: 00406C4E
setup, xrefs: 00406B9A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$AddressLibraryProc$CurrentDirectoryFreeLoad_strlen
String ID: .\main.cpp$1.00$<self>$AUTODIR$NewSetupHook$ORDER$REMOVE$SETUPHOOK$SetupHook$fpSetupHook$setup
API String ID: 1123998232-1543003652
Opcode ID: 309c18d1e9187a1de4a3b385ffc00c14d983b356608c7d0228972f04a937a735
Instruction ID: e8c8bde4a98b13452dfdff08d359d4cf8d57635ee00e0135ba212ed533105224
Opcode Fuzzy Hash: 309c18d1e9187a1de4a3b385ffc00c14d983b356608c7d0228972f04a937a735
Instruction Fuzzy Hash: 86419231904258FEDB11EBE1CC46AEE7BB4AF04319F10007FF546B21D2EA785A58CA59

Uniqueness

Uniqueness Score: -1.00%

Function 0042D5C5 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 0042D5CC
_strcat.LIBCMT ref: 0042D60A

Part of subcall function 0040F9F8: _strlen.LIBCMT ref: 0040FA08
Part of subcall function 0040F9F8: _strlen.LIBCMT ref: 0040FA13
Part of subcall function 0040F9F8: _strncpy.LIBCMT ref: 0040FAA9

_strcat.LIBCMT ref: 0042D680
_malloc.LIBCMT ref: 0042D6A9
_memset.LIBCMT ref: 0042D6CC
_strcat.LIBCMT ref: 0042D6EE
_strcat.LIBCMT ref: 0042D6FB
_strcat.LIBCMT ref: 0042D704

Strings

.1i, xrefs: 0042D65D
admin$$$.ini, xrefs: 0042D669
DGE, xrefs: 0042D63D
adr, xrefs: 0042D6B8
unzip, xrefs: 0042D6E6
.\unzipper.cpp, xrefs: 0042D6B3, 0042D720
error==FALSE, xrefs: 0042D725

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strcat$_strlen$H_prolog3_malloc_memset_strncpy
String ID: .1i$.\unzipper.cpp$DGE$admin$$$.ini$adr$error==FALSE$unzip
API String ID: 2404639941-3044078425
Opcode ID: 957441c5de656a85fb750a52ccfeb8806d87f0b682fa1fbbe5595e5da2277911
Instruction ID: 32aec924aa9dd4281c4c8890f05ff9182bcf5fc8e8766424d228b77d24c0e3ef
Opcode Fuzzy Hash: 957441c5de656a85fb750a52ccfeb8806d87f0b682fa1fbbe5595e5da2277911
Instruction Fuzzy Hash: 0B4126B1A00209BBEB15AB61CC42BEE7765AF54308F10443FF656B61D2DBBC1A488A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0042EE63 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_signal.LIBCMT ref: 0042EEC9

Part of subcall function 0043D4E4: __malloc_crt.LIBCMT ref: 0043D56D
Part of subcall function 0043D4E4: _siglookup.LIBCMT ref: 0043D593

_signal.LIBCMT ref: 0042EED1

Part of subcall function 0043D4E4: __lock.LIBCMT ref: 0043D5D8
Part of subcall function 0043D4E4: SetConsoleCtrlHandler.KERNEL32(0043D408,00000001,00469C28,00000010,0042EECE,00000002,0042F3DD), ref: 0043D5FB

_signal.LIBCMT ref: 0042EED9

Part of subcall function 0043D4E4: GetLastError.KERNEL32 ref: 0043D617

_strrchr.LIBCMT ref: 0042EEE5
_strncmp.LIBCMT ref: 0042EF38
_fprintf.LIBCMT ref: 0042F0A0
_fprintf.LIBCMT ref: 0042F195
_malloc.LIBCMT ref: 0042F1A9
_malloc.LIBCMT ref: 0042F1BA
_fprintf.LIBCMT ref: 0042F1F4

Strings

caution: not extracting; -d ignored, xrefs: 0042F092
error: can't allocate unzip buffers, xrefs: 0042F1E6
error: must specify directory to which to extract with -d option, xrefs: 0042F187
zipinfo, xrefs: 0042EEFD

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fprintf_signal$_malloc$ConsoleCtrlErrorHandlerLast__lock__malloc_crt_siglookup_strncmp_strrchr
String ID: caution: not extracting; -d ignored$error: can't allocate unzip buffers$error: must specify directory to which to extract with -d option$zipinfo
API String ID: 260867003-1707212946
Opcode ID: 8101a4e038595a8e9cc9da8e5d87a5cb9226bdafc190ef794c413989a87484cb
Instruction ID: 4c2d0009dc099c0dc5bc90f541f4d195f47c623783734b31cd90596527ce5627
Opcode Fuzzy Hash: 8101a4e038595a8e9cc9da8e5d87a5cb9226bdafc190ef794c413989a87484cb
Instruction Fuzzy Hash: 08A1A1B1E04210EFEB20DF25ED916697BB0FB04358BE4443FE5498B261E7789854CB4E

Uniqueness

Uniqueness Score: -1.00%

Function 00401B27 Relevance: 23.3, APIs: 3, Strings: 10, Instructions: 509windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00401B35

Part of subcall function 00419640: __EH_prolog3.LIBCMT ref: 00419647

LoadIconA.USER32(?,?), ref: 00401BDD
SendMessageA.USER32(?,00000170,?,00000000), ref: 00401C0D

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

Part of subcall function 00413E1C: __EH_prolog3.LIBCMT ref: 00413E23
Part of subcall function 00413E1C: MessageBoxA.USER32(?,?,?,00010040), ref: 00413EC4

Strings

WelcomeWarning, xrefs: 00401B3F
IdIcon, xrefs: 00401B8A
WelcomeMsg, xrefs: 00401B56
IniKey, xrefs: 00401C1E
ShowOnly=, xrefs: 00401DBB
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00401C37
DisplayVersion, xrefs: 00401CC7
AppVersion, xrefs: 00401B6E
UninstallPath, xrefs: 00401C91
AppName, xrefs: 00401EE7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$Message$IconLoadSend
String ID: AppName$AppVersion$DisplayVersion$IdIcon$IniKey$ShowOnly=$Software\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallPath$WelcomeMsg$WelcomeWarning
API String ID: 831752224-2724193708
Opcode ID: df62f5ab7ebbfb7d53c8abcd936854994903d512c62255d430043d4503c4fe13
Instruction ID: 34ff89323dce27f664638b238515818973703aab81bcf003097b097a6ad95923
Opcode Fuzzy Hash: df62f5ab7ebbfb7d53c8abcd936854994903d512c62255d430043d4503c4fe13
Instruction Fuzzy Hash: D322A231500288EEDF05EFA5C995BDD7BA4AF14308F14407FF909A72D2DB789A88CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0043C9BD Relevance: 21.5, APIs: 14, Instructions: 515COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03be929b5d5a9e371779c1354725785aa455f7a6c2e0fbf340785b18a907974
Instruction ID: d5fec7be551cc96bc293c832a5d02dff1b7bb159eba3024a327cd5f8782dcf68
Opcode Fuzzy Hash: e03be929b5d5a9e371779c1354725785aa455f7a6c2e0fbf340785b18a907974
Instruction Fuzzy Hash: 9B1205709043859FDB218F68C8C47BABBF0BF0A304F14659FE462A7392D7799841CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042FA3A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 243COMMON

Download Yara Rule

APIs

__locking.LIBCMT ref: 0042FA68
_strncmp.LIBCMT ref: 0042FAB3
__locking.LIBCMT ref: 0042FB42
_strncpy.LIBCMT ref: 0042FBC4
__locking.LIBCMT ref: 0042FC11
_strncpy.LIBCMT ref: 0042FC8C
_fprintf.LIBCMT ref: 0042FCD1
_fprintf.LIBCMT ref: 0042FCE7

Strings

End-of-central-directory signature not found. Either this file is not a zipfile, or it constitutes one disk of a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk(s) of this archive., xrefs: 0042FCD9
[%s], xrefs: 0042FCC3

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __locking$_fprintf_strncpy$_strncmp
String ID: End-of-central-directory signature not found. Either this file is not a zipfile, or it constitutes one disk of a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk(s) of this archive.$[%s]
API String ID: 412722063-500558242
Opcode ID: 31b314e144904c50220397e85762526db0884c6962cb05372dea83a1738b7501
Instruction ID: f544aa839883e0c3ce1e639c4db42a4baef456d43b9c75a2e4656c0257978362
Opcode Fuzzy Hash: 31b314e144904c50220397e85762526db0884c6962cb05372dea83a1738b7501
Instruction Fuzzy Hash: 6381D672A00215AFE710EF65FC85E1A37B4F714718F94083FE50192261E6ACD8159B9F

Uniqueness

Uniqueness Score: -1.00%

Function 00431337 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 75fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C:/Program Files (x86)/ZOC5/zocdll.dll,40000000,00000000,00000000,00000003,00000080,00000000,C:/Program Files (x86)/ZOC5/zocdll.dll,00008000,-001FD774,00000003,00430F6C,0028A470,0048A840,00000000), ref: 00431389
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0042EA9E), ref: 00431396
_fprintf.LIBCMT ref: 004313AB
SetFileAttributesA.KERNEL32(C:/Program Files (x86)/ZOC5/zocdll.dll,00000020,?,?,?,?,?,?,?,?,?,?,?,0042EA9E), ref: 004313E4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0042EA9E,?,?,?,?,?,00000000), ref: 004313F0
_fprintf.LIBCMT ref: 00431405

Strings

C:/Program Files (x86)/ZOC5/zocdll.dll, xrefs: 00431359, 00431383, 00431388, 004313E3
CreateFile error %d when trying set file time, xrefs: 0043139D
warning (%d): could not set file attributes, xrefs: 004313F7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ErrorFileLast_fprintf$AttributesCreate
String ID: CreateFile error %d when trying set file time$warning (%d): could not set file attributes$C:/Program Files (x86)/ZOC5/zocdll.dll
API String ID: 2104769620-120512618
Opcode ID: ad61ad5d791f19e2f3d679cfb2a535000703b2f1eae252de4471ca324d1cbe7d
Instruction ID: e64aa020561fe7ccdf9ce283c7363267b77e2e95360494611876f853f49e9ced
Opcode Fuzzy Hash: ad61ad5d791f19e2f3d679cfb2a535000703b2f1eae252de4471ca324d1cbe7d
Instruction Fuzzy Hash: 3811E7B2900300BBE7106776BC0EE5B3B6CEB89715F10153BF911D61B2E778CA54866E

Uniqueness

Uniqueness Score: -1.00%

Function 0041521D Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 223librarywindowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041523F
LoadLibraryA.KERNEL32(00000000,000004E4,?,000000FF,?,?,00000000), ref: 0041546E
_sprintf.LIBCMT ref: 004154B5
MessageBoxA.USER32(00000000,00000000,EmTec Application,00000010), ref: 004154D2

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Strings

german.dll, xrefs: 0041542C
EmTec Application, xrefs: 004154C7
french.dll, xrefs: 00415401
hungarian.dll, xrefs: 004153D6
DLL not found:%s, xrefs: 004154AF
english.dll, xrefs: 004153A6

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$LibraryLoadMessage_sprintf_strlen
String ID: DLL not found:%s$EmTec Application$english.dll$french.dll$german.dll$hungarian.dll
API String ID: 3044484357-2825539391
Opcode ID: 7facaacf8897e9dcaa5e2f84fbc5dce7ed0496547414fb29263d5ae84b56bb82
Instruction ID: caee6c0818efe8c79d9e7f05dd004153da4021b7e6c5c3daa0d2e77bb3257f0e
Opcode Fuzzy Hash: 7facaacf8897e9dcaa5e2f84fbc5dce7ed0496547414fb29263d5ae84b56bb82
Instruction Fuzzy Hash: 7091627190025CEEDB14EBA5CC55BDDBBB4AF14304F14406FE409A72D2EB785B88CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00431C66 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00431C85
_strrchr.LIBCMT ref: 00431C98
_malloc.LIBCMT ref: 00431CD9
_fprintf.LIBCMT ref: 00431CF6
_strcat.LIBCMT ref: 00431D02
_strncpy.LIBCMT ref: 00431D14
_strcat.LIBCMT ref: 00431DA0
_strcat.LIBCMT ref: 00431DBF

Strings

warning: can't allocate wildcard buffers, xrefs: 00431CE8
setup.fil, xrefs: 00431CFC, 00431D01, 00431D84, 00431D92, 00431D9F, 00431DBE, 00431E40

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strcat$_strrchr$_fprintf_malloc_strncpy
String ID: setup.fil$warning: can't allocate wildcard buffers
API String ID: 786024269-1425694948
Opcode ID: dda1e4e3a06c0037d19c95b80a85899eff6ed4aa450ff7646fb03de6c61145e4
Instruction ID: 18ac241aa0d7ea889e3a1dd735a7e58231b9b450c1dc438301554538f913c340
Opcode Fuzzy Hash: dda1e4e3a06c0037d19c95b80a85899eff6ed4aa450ff7646fb03de6c61145e4
Instruction Fuzzy Hash: B041D675A40502ABD7205FA5BC81A1E3799F71D318FA02EBFF40593271EF39A8418B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004025DE Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 202windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004025E5

Part of subcall function 004136A5: __EH_prolog3_GS.LIBCMT ref: 004136AF
Part of subcall function 004136A5: LoadStringA.USER32(?,?,?,00000100), ref: 00413706

Part of subcall function 0040FD54: __fread_nolock.LIBCMT ref: 0040FE13

SendMessageA.USER32(?,000000B1,00000000,00000001), ref: 00402800

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Strings

LICENSEFR.TXT, xrefs: 004026A6
pGE, xrefs: 0040277F
LIZENZ.TXT, xrefs: 0040264A
$PROGRAM, xrefs: 0040274C
AppVersion, xrefs: 00402729
LICENSE.TXT, xrefs: 004026C9
AppName, xrefs: 0040270B

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$H_prolog3_LoadMessageSendString__fread_nolock_strlen
String ID: $PROGRAM$AppName$AppVersion$LICENSE.TXT$LICENSEFR.TXT$LIZENZ.TXT$pGE
API String ID: 2466698719-672165625
Opcode ID: 35dd1014dd1343a6626b53a4b0ce40fa464973a44094ac7941f290fc375fcb94
Instruction ID: 54cd47cb418e1c3dc02692ebe4f2bb76fd78c876bf86f448694d473ef40962ba
Opcode Fuzzy Hash: 35dd1014dd1343a6626b53a4b0ce40fa464973a44094ac7941f290fc375fcb94
Instruction Fuzzy Hash: 9B71B031D00248AADB10EBA5CD96ADD7B78AF55308F24407FF4057B1D2EB785A8CC769

Uniqueness

Uniqueness Score: -1.00%

Function 00402E08 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 97windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00402E0F
GetSysColor.USER32 ref: 00402E1D
#8.COMCTL32(00000816,00000000,000000FF,00000001,?,?,?,?,?,0000000F,00000060), ref: 00402E3A

Part of subcall function 00415A9E: __EH_prolog3.LIBCMT ref: 00415AA5
Part of subcall function 00415A9E: GetWindowTextLengthA.USER32(?), ref: 00415AB7
Part of subcall function 00415A9E: GetWindowTextA.USER32(?,00000000,00000001), ref: 00415AEC

Part of subcall function 00419640: __EH_prolog3.LIBCMT ref: 00419647

Part of subcall function 0040F9F8: _strlen.LIBCMT ref: 0040FA08
Part of subcall function 0040F9F8: _strlen.LIBCMT ref: 0040FA13
Part of subcall function 0040F9F8: _strncpy.LIBCMT ref: 0040FAA9

Part of subcall function 00415A8E: SetWindowTextA.USER32(?,00000000), ref: 00415A95

Part of subcall function 00418658: GetDlgItem.USER32(?,?), ref: 00418670

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

GetWindowLongA.USER32(?,000000F0), ref: 00402EFD
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00402F0F
SendMessageA.USER32(?,00000172,00000000,?), ref: 00402F22

Part of subcall function 0040E59B: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0040E5D8
Part of subcall function 0040E59B: IsDialogMessageA.USER32(?,?), ref: 0040E5F1
Part of subcall function 0040E59B: TranslateMessage.USER32(?), ref: 0040E60A
Part of subcall function 0040E59B: DispatchMessageA.USER32(?), ref: 0040E614

Strings

$PROG, xrefs: 00402E84
FinishMsg, xrefs: 00402EB6
AppName, xrefs: 00402E6F

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Window$H_prolog3Message$Text$Long_strlen$CallbackColorDialogDispatchDispatcherItemLengthSendTranslateUser_strncpy
String ID: $PROG$AppName$FinishMsg
API String ID: 2718829098-2729695692
Opcode ID: 14aca872e501e2063403c2fe2db6b65d2236df510477297815c4dfcd245777c7
Instruction ID: dd115fd670843b040f317d0be7bcd77409c6acb632aca4a462e1d58c627aecca
Opcode Fuzzy Hash: 14aca872e501e2063403c2fe2db6b65d2236df510477297815c4dfcd245777c7
Instruction Fuzzy Hash: A0418D31900248EFDB01EFA4CC55BED7B74AF58318F10816AF9156B2E2DB785A84CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00418586 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 68windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041858D
IsWindow.USER32(?), ref: 004185CA
CreateWindowExA.USER32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00418601

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0041863F
SendMessageA.USER32(?,00000030,00000000,00000000), ref: 0041864C

Strings

CONTROL::CONTROL %d, xrefs: 004185D1
.\wincontrols_win32.cpp, xrefs: 0041860F
CONTROL::CONTROL %08x, %d, %s, %s, %x, %x, xrefs: 004185BA
this->hWnd, xrefs: 00418614

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3MessageSendWindow$CreateErrorLast__snprintf_memset
String ID: .\wincontrols_win32.cpp$CONTROL::CONTROL %08x, %d, %s, %s, %x, %x$CONTROL::CONTROL %d$this->hWnd
API String ID: 3039607043-3666184733
Opcode ID: e51b4bc71262457816b80ba3681f367c1ffd1169e973fee25f46f8f0158dd32b
Instruction ID: bfb03d9ba6dc6b579895633e7b42553cd21b1fa58aaa631bcac9200ef742379b
Opcode Fuzzy Hash: e51b4bc71262457816b80ba3681f367c1ffd1169e973fee25f46f8f0158dd32b
Instruction Fuzzy Hash: 9D216DB110020CFFDF126F90CC42EEE3B69FF48759F14401AFD1866262C77999A09BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00419344 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

Part of subcall function 004114D2: __EH_prolog3.LIBCMT ref: 004114D9

Part of subcall function 004108B6: __fsopen.LIBCMT ref: 00410929

_memset.LIBCMT ref: 00419416
_fgets.LIBCMT ref: 00419423
_strlen.LIBCMT ref: 0041942C
_memset.LIBCMT ref: 00419461
_fgets.LIBCMT ref: 0041946E
_strlen.LIBCMT ref: 00419477

Strings

STRINGARRAY::Load %s (%d bytes), xrefs: 004193B2
STRINGARRAY::Load returns %d, %s, xrefs: 004195AC

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fgets_memset_strlen$H_prolog3__fsopen
String ID: STRINGARRAY::Load %s (%d bytes)$STRINGARRAY::Load returns %d, %s
API String ID: 2336206254-3875633859
Opcode ID: 43de06a475613c8e072310ed28bb711f99a251f2799ff6c037a94bc3d39d8a9e
Instruction ID: c88afed420bd98e741b6f5d0c50e692a235cae4ce1e4e6f562f32ceb3fdd75bb
Opcode Fuzzy Hash: 43de06a475613c8e072310ed28bb711f99a251f2799ff6c037a94bc3d39d8a9e
Instruction Fuzzy Hash: FE815E7180424DAEDF11EF95CC55AEEBB78BF04308F14416FE915A3282EB385B49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E93E Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040E945

Part of subcall function 00418658: GetDlgItem.USER32(?,?), ref: 00418670

Part of subcall function 00415A8E: SetWindowTextA.USER32(?,00000000), ref: 00415A95

SendMessageA.USER32(?,00000030,00000000,00000001), ref: 0040E9C8

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

SendMessageA.USER32(?,00000030,00000000,00000001), ref: 0040EA02
GetWindowLongA.USER32(?,000000F0), ref: 0040EACD
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040EAE6

Part of subcall function 0041AFFC: _memset.LIBCMT ref: 0041B01E
Part of subcall function 0041AFFC: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0041B02E
Part of subcall function 0041AFFC: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041B057
Part of subcall function 0041AFFC: DeleteDC.GDI32(00000000), ref: 0041B061
Part of subcall function 0041AFFC: MulDiv.KERNEL32(?,?,00000048), ref: 0041B06F
Part of subcall function 0041AFFC: _strcat.LIBCMT ref: 0041B0BF
Part of subcall function 0041AFFC: CreateFontIndirectA.GDI32(?), ref: 0041B0CB

Strings

this->pSubDlg, xrefs: 0040EAA8
Arial, xrefs: 0040E9AD, 0040E9E7
.\setupdialog.cpp, xrefs: 0040EAA3

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Window$CreateH_prolog3LongMessageSend$CapsDeleteDeviceFontIndirectItemText_memset_strcat
String ID: .\setupdialog.cpp$Arial$this->pSubDlg
API String ID: 507083552-2553413345
Opcode ID: 3b1c11b8771c1552004c54d56913645068d0359fb264b7425f502cac77ced9dc
Instruction ID: b32403f3f6014818c1e2370725d451914b7d4ab88d46bb359e13a3ff4ba19f29
Opcode Fuzzy Hash: 3b1c11b8771c1552004c54d56913645068d0359fb264b7425f502cac77ced9dc
Instruction Fuzzy Hash: E751BF70900648EBEB15EBA5CC86FEEBBB1BF54308F24451EF425272D2DB781A55CB08

Uniqueness

Uniqueness Score: -1.00%

Function 0040B12F Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 132COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B13D

Part of subcall function 00415A9E: __EH_prolog3.LIBCMT ref: 00415AA5
Part of subcall function 00415A9E: GetWindowTextLengthA.USER32(?), ref: 00415AB7
Part of subcall function 00415A9E: GetWindowTextA.USER32(?,00000000,00000001), ref: 00415AEC

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

Part of subcall function 00411530: __EH_prolog3.LIBCMT ref: 00411537
Part of subcall function 00411530: _memset.LIBCMT ref: 00411552
Part of subcall function 00411530: _strlen.LIBCMT ref: 00411589

Part of subcall function 004116AF: __EH_prolog3.LIBCMT ref: 004116BA
Part of subcall function 004116AF: _memset.LIBCMT ref: 004116D5
Part of subcall function 004116AF: _strlen.LIBCMT ref: 004116EA
Part of subcall function 004116AF: _strlen.LIBCMT ref: 004116FF

Part of subcall function 00402F64: __EH_prolog3.LIBCMT ref: 00402F6B

Part of subcall function 00410E95: __EH_prolog3.LIBCMT ref: 00410E9C

Strings

standard.zoc, xrefs: 0040B1F0
zoc.exe, xrefs: 0040B195
admin.ini, xrefs: 0040B1BF
phonebk, xrefs: 0040B1A8
standard.cfg, xrefs: 0040B1D3
admin.ini.bak, xrefs: 0040B235
options, xrefs: 0040B1D8, 0040B1DD, 0040B1F5

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strlen$TextWindow_memset$Length
String ID: admin.ini$admin.ini.bak$options$phonebk$standard.cfg$standard.zoc$zoc.exe
API String ID: 773487468-3981018562
Opcode ID: eb46cc07b069481cb8a1f6ddd389c194247f7f4ed6f9e4aa51eb6367e72fdf5a
Instruction ID: ce1fb0557bdbb7dc8e251ddc77d285dacf2b9803592dbffd902ef7ade15c1e18
Opcode Fuzzy Hash: eb46cc07b069481cb8a1f6ddd389c194247f7f4ed6f9e4aa51eb6367e72fdf5a
Instruction Fuzzy Hash: E0516230814299EADF15EBA1DD09BDD7760AF14308F1080AEF90A721C2DB7C5B48DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00416CCB Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00416CD2
CreateDialogParamA.USER32(?,?,?,Function_00016AAE), ref: 00416D13
GetWindowLongA.USER32(?,000000F0), ref: 00416D66
GetWindowLongA.USER32(?,000000F4), ref: 00416DA3
SetWindowLongA.USER32(?,000000F4,?), ref: 00416DAF
GetWindowLongA.USER32(?,000000F4), ref: 00416DBA

Strings

this->hWnd, xrefs: 00416D3B
.\windows_win32.cpp, xrefs: 00416D36

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: LongWindow$CreateDialogH_prolog3Param
String ID: .\windows_win32.cpp$this->hWnd
API String ID: 297077043-3646067943
Opcode ID: 9dbf0b744e162af840913ba6ff93459948ec2e821aabb19e05bdf269fda12992
Instruction ID: a49eb8f7bcde1c9b398493ab274794857bd83e1a26a050c027d0c700141b2ea4
Opcode Fuzzy Hash: 9dbf0b744e162af840913ba6ff93459948ec2e821aabb19e05bdf269fda12992
Instruction Fuzzy Hash: D721A270604208EFDB10EF65CD42FDDBBA4AF14718F10811EF869672E2DB799A548B68

Uniqueness

Uniqueness Score: -1.00%

Function 00415564 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 73threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041556B

Part of subcall function 00414B50: LoadLibraryW.KERNEL32(kernel32), ref: 00414B5D
Part of subcall function 00414B50: GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00414B70
Part of subcall function 00414B50: GetProcessHeap.KERNEL32(00000000,?,00000004), ref: 00414B8A
Part of subcall function 00414B50: FreeLibrary.KERNEL32(00000000), ref: 00414B96

Part of subcall function 00415521: _malloc.LIBCMT ref: 0041554D
Part of subcall function 00415521: SetUnhandledExceptionFilter.KERNEL32(00414BB3,00415596,00000000,00000000,00000018,004156E5,00000000,?,?,?,00000000), ref: 0041555D

Part of subcall function 00414B31: InitCommonControlsEx.COMCTL32(?), ref: 00414B48

Part of subcall function 0043C7BD: __lock.LIBCMT ref: 0043C7CB
Part of subcall function 0043C7BD: __putenv_helper.LIBCMT ref: 0043C7DA

Part of subcall function 00418355: __aulldiv.LIBCMT ref: 00418377
Part of subcall function 00418355: __aulldiv.LIBCMT ref: 00418384

GetCurrentThreadId.KERNEL32 ref: 004155AD
GetThreadLocale.KERNEL32(00000018,004156E5,00000000,?,?,?,00000000), ref: 004155C6

Part of subcall function 00414341: __EH_prolog3.LIBCMT ref: 00414363
Part of subcall function 00414341: GetCurrentThreadId.KERNEL32 ref: 00414386

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

FreeLibrary.KERNEL32(00000000), ref: 0041561C
FreeLibrary.KERNEL32(10000000), ref: 00415636

Strings

pfnAppMain, xrefs: 004155EA
EMTECAPP instance=%08x gMainThreadId= %08x, xrefs: 004155B9
.\emtec_win32.cpp, xrefs: 004155E5

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Library$FreeH_prolog3Thread$Current__aulldiv$AddressCommonControlsErrorExceptionFilterHeapInitLastLoadLocaleProcProcessUnhandled__lock__putenv_helper__snprintf_malloc_memset
String ID: .\emtec_win32.cpp$EMTECAPP instance=%08x gMainThreadId= %08x$pfnAppMain
API String ID: 234219793-1724602731
Opcode ID: 40c3708ad4fc6a225fae895fc3ab7424863eeba68b93c117ec1d513506cd3cb1
Instruction ID: 379517ac88fc450d4aa335f4aad9d258f321ab61482eb10b10ea367b35ec3128
Opcode Fuzzy Hash: 40c3708ad4fc6a225fae895fc3ab7424863eeba68b93c117ec1d513506cd3cb1
Instruction Fuzzy Hash: 3521D3F0502618EBDB01BF62DC069DE7724EF44709B14442BF918A6163CB7C99D08BEC

Uniqueness

Uniqueness Score: -1.00%

Function 00409F4A Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 284COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409F66

Part of subcall function 00413D44: __EH_prolog3.LIBCMT ref: 00413D4B

RemoveDirectoryA.KERNEL32(80000002,00000000), ref: 0040A22A

Strings

ZOC4, xrefs: 00409FA8, 0040A1AB
UninstallStartmenu, xrefs: 0040A086, 0040A0E5, 0040A15A
ZOC, xrefs: 00409F90, 0040A189
ZOC5, xrefs: 00409FC1
UninstallPath, xrefs: 0040A050, 0040A05B, 0040A0BA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$DirectoryRemove
String ID: UninstallPath$UninstallStartmenu$ZOC$ZOC4$ZOC5
API String ID: 2811140049-1288986489
Opcode ID: 58a93489e64ab4c88a6b6f8653953070633bc7b1f743d2ba428b4ddf36151a8d
Instruction ID: 17799c386a6660d65fa2cbda4ba8ed48106aefcb7ca43bf0960c163977319091
Opcode Fuzzy Hash: 58a93489e64ab4c88a6b6f8653953070633bc7b1f743d2ba428b4ddf36151a8d
Instruction Fuzzy Hash: A5B15231500249DADB10EFA5DD56FDE77A4AF15308F10407EF805A7182EB789B98CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3FA Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 178COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B404

Part of subcall function 004136A5: __EH_prolog3_GS.LIBCMT ref: 004136AF
Part of subcall function 004136A5: LoadStringA.USER32(?,?,?,00000100), ref: 00413706

Part of subcall function 00415A8E: SetWindowTextA.USER32(?,00000000), ref: 00415A95

Part of subcall function 00409F4A: __EH_prolog3.LIBCMT ref: 00409F66

Strings

ZOC4, xrefs: 0040B4D9
SETUP::NewSetupHookZOC %d %d %08x, xrefs: 0040B415
Software\EmTec, xrefs: 0040B4DE, 0040B4E3, 0040B561
HomePath, xrefs: 0040B508
%ZOC%, xrefs: 0040B576
ZOC5, xrefs: 0040B55C

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$H_prolog3_LoadStringTextWindow
String ID: %ZOC%$HomePath$SETUP::NewSetupHookZOC %d %d %08x$Software\EmTec$ZOC4$ZOC5
API String ID: 1060891849-3215198484
Opcode ID: e1886ffbe4f27b0528293e069cb4d24d3b475411508254f4a7dfc75dc243af25
Instruction ID: 4f68fd279c41a3709d75f51d946629c1b8aeedb0769f2e78b68e025d57b8369a
Opcode Fuzzy Hash: e1886ffbe4f27b0528293e069cb4d24d3b475411508254f4a7dfc75dc243af25
Instruction Fuzzy Hash: 2D51B331910249EADB14EFA5CC56BDD7760EB15308F10407BF815B32D2E77C5A88CA9E

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0CA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 0041F108
_sprintf.LIBCMT ref: 0041F126
LoadMenuA.USER32(?), ref: 0041F15D
CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?), ref: 0041F18E
GetLastError.KERNEL32 ref: 0041F197

Strings

AppWindow%d, xrefs: 0041F120

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CreateErrorLastLoadMenuWindow_sprintf_strcat
String ID: AppWindow%d
API String ID: 3803719263-4127035878
Opcode ID: 4eff66900bdb46257b2e5daf22bb038aa1524260acc938ce3af280d767851b55
Instruction ID: 00001478ee587ac556fc9e5331d2cb77abfdefb01eb15b3c1b1510a79b121a01
Opcode Fuzzy Hash: 4eff66900bdb46257b2e5daf22bb038aa1524260acc938ce3af280d767851b55
Instruction Fuzzy Hash: FF318C72A00209EFDB10CFA5DC45FDE7BB8FB48319F10842AF905A6251D734E8958B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE97 Relevance: 10.6, APIs: 7, Instructions: 70windowregistryCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(10000000,?), ref: 0041EEC7
LoadIconA.USER32(00000001), ref: 0041EEDC
LoadIconA.USER32(00000001), ref: 0041EEEC
LoadIconA.USER32(00007F00), ref: 0041EEFB
LoadCursorA.USER32(?,00007F00), ref: 0041EF08
GetStockObject.GDI32(00000001), ref: 0041EF2F
RegisterClassA.USER32(00000000), ref: 0041EF42

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Load$Icon$ClassCursorObjectRegisterStock
String ID:
API String ID: 3152414977-0
Opcode ID: 65f1a97166fdc4bad636716a1bf88e99dfbe8a812eeff1e2b6fad7fbbafd9a52
Instruction ID: a34adbc610476f3c7aa2a167c691e13a6c69084eb958ebb2691a92e62715e4dc
Opcode Fuzzy Hash: 65f1a97166fdc4bad636716a1bf88e99dfbe8a812eeff1e2b6fad7fbbafd9a52
Instruction Fuzzy Hash: B5212CB590131A9BDF01DF69D844AEE7BF9EB88351F10042AF905E7350DB75D980CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043143A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32(C:/Program Files (x86)/ZOC5/zocdll.dll,00000104,?,?,C:/Program Files (x86)/ZOC5/zocdll.dll,?), ref: 0043147F
_strncpy.LIBCMT ref: 00431495
GetVolumeInformationA.KERNEL32(?,?,00000104,?,?,?,?,00000104), ref: 004314BE
_strncmp.LIBCMT ref: 004314D6

Strings

FAT, xrefs: 004314C9
C:/Program Files (x86)/ZOC5/zocdll.dll, xrefs: 00431456, 0043147E

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: FullInformationNamePathVolume_strncmp_strncpy
String ID: C:/Program Files (x86)/ZOC5/zocdll.dll$FAT
API String ID: 300000528-853928189
Opcode ID: f3e5ce56735d64cfa7cf56430faf00c072666d44408ced056fb609970bfa8d11
Instruction ID: 7cae300389a8a9512f72b03f9bca2bc52884c746f5ab3e413ea8d6c422272b49
Opcode Fuzzy Hash: f3e5ce56735d64cfa7cf56430faf00c072666d44408ced056fb609970bfa8d11
Instruction Fuzzy Hash: 4A2193B290414C6EEB21DBF5EC45EEF77BCAF09304F14402BB649D7142EA749208CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00409683 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 313COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040969F

Part of subcall function 00411530: __EH_prolog3.LIBCMT ref: 00411537
Part of subcall function 00411530: _memset.LIBCMT ref: 00411552
Part of subcall function 00411530: _strlen.LIBCMT ref: 00411589

Part of subcall function 00410A1E: _strerror.LIBCMT ref: 00410A39

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 004136A5: __EH_prolog3_GS.LIBCMT ref: 004136AF
Part of subcall function 004136A5: LoadStringA.USER32(?,?,?,00000100), ref: 00413706

Part of subcall function 00419AB4: __EH_prolog3.LIBCMT ref: 00419ABB
Part of subcall function 00419AB4: _strncpy.LIBCMT ref: 00419AF9

Part of subcall function 00435AB2: _malloc.LIBCMT ref: 00435ACA

Strings

12#, xrefs: 00409926, 0040997A
11#, xrefs: 004098F5, 00409952, 004099AF, 004099DD, 004099E2, 00409A0A
21#, xrefs: 004098C0
admin.ini, xrefs: 004096A7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strlen$H_prolog3_LoadString_malloc_memset_strerror_strncpy
String ID: 11#$12#$21#$admin.ini
API String ID: 3746180839-1320473499
Opcode ID: 4ed3db8a0ac14692245e977456ab6b374e6a484e509c0598ae217674cf50cc60
Instruction ID: 2ed0038b6a0cbd0d3c2753c9ed9d29faa43c6d59a70b05251dd027d4924237d0
Opcode Fuzzy Hash: 4ed3db8a0ac14692245e977456ab6b374e6a484e509c0598ae217674cf50cc60
Instruction Fuzzy Hash: DFC17430604289EEDB14EBA5C855BDE77A49F15308F1040BFF549A72C2EB7C9E48CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00445B95 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 220COMMONLIBRARYCODE

Download Yara Rule

APIs

__sopen_s.LIBCMT ref: 00445E00

Strings

ccs=, xrefs: 00445D5F
UTF-16LE, xrefs: 00445D90
UTF-8, xrefs: 00445D73
UNICODE, xrefs: 00445DAD

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __sopen_s
String ID: UNICODE$UTF-16LE$UTF-8$ccs=
API String ID: 2693426323-2506416105
Opcode ID: 5c676a497ea259d6ba67d3304560f541b80692a9d651f236e122c2b11dbb30ec
Instruction ID: 61f98a9b1ffd488aaf4cb3c19d4b21d652dd0f86e8c427e2dc33e185fb3fe84a
Opcode Fuzzy Hash: 5c676a497ea259d6ba67d3304560f541b80692a9d651f236e122c2b11dbb30ec
Instruction Fuzzy Hash: 6F71B1B1C04B09ABFF158F59C4492AA7BB0AF05318F24C46FE8569A253D7BC8A41CF0D

Uniqueness

Uniqueness Score: -1.00%

Function 00419AB4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00419ABB

Part of subcall function 00418E3F: __EH_prolog3.LIBCMT ref: 00418E46
Part of subcall function 00418E3F: _memset.LIBCMT ref: 00418E77

_strncpy.LIBCMT ref: 00419AF9

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Strings

source.NotNull(), xrefs: 00419B15
.\stringarray.cpp, xrefs: 00419B10
STRINGARRAY, xrefs: 00419AEF

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_memset$ErrorLast__snprintf_strncpy
String ID: .\stringarray.cpp$STRINGARRAY$source.NotNull()
API String ID: 359228034-4264967866
Opcode ID: dc407a318df4dc39bed25a18fcf4e34dcefca314e4881d55c6b7eaf175c6a5e1
Instruction ID: 42805d2052de11cc6a1284fa6eb2b07591b50b0f5546ef0636ec4dbc94d43a22
Opcode Fuzzy Hash: dc407a318df4dc39bed25a18fcf4e34dcefca314e4881d55c6b7eaf175c6a5e1
Instruction Fuzzy Hash: BF21D5B0504289AFDB10DF65C815BDE7BA4AF49304F14405FF845A7282D778AA44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041344A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00413451
_calloc.LIBCMT ref: 00413460

Part of subcall function 00438998: __calloc_impl.LIBCMT ref: 004389AB

_calloc.LIBCMT ref: 0041348A
RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000400,00000001,Function_0001344A), ref: 004134A4

Strings

REGISTRY::Read key=%s, ok=%d, error=%d, xrefs: 004134FC

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _calloc$H_prolog3QueryValue__calloc_impl
String ID: REGISTRY::Read key=%s, ok=%d, error=%d
API String ID: 3081351211-2483465850
Opcode ID: f7c9373ed7f7b3f174f1f690531e208e3dc5fc196cd9bc62e760b12cccc67613
Instruction ID: 7d92f945dd14ae9b537a0f45a31a942d9c6e563a861cd8578a77ff594b1b85c3
Opcode Fuzzy Hash: f7c9373ed7f7b3f174f1f690531e208e3dc5fc196cd9bc62e760b12cccc67613
Instruction Fuzzy Hash: 38218971D0021AEBDF21AF90CC42BEEBB74BF04719F10542AB6147A182DB795A548B99

Uniqueness

Uniqueness Score: -1.00%

Function 00438EE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00438F1B
CreateThread.KERNEL32(?,?,VYj,00000000,?,?), ref: 00438F5F
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00438F69
__dosmaperr.LIBCMT ref: 00438F81

Strings

VYj, xrefs: 00438F54

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr
String ID: VYj
API String ID: 84609068-2400733075
Opcode ID: 73db33790426ccd2ebf2c4a8a44ac526a0356d27c3abd7b13d409dec45daacd1
Instruction ID: 7ca23f6e9706a0627d4aa147206bbc548581a7cd3dfe87978e4df070516c1e47
Opcode Fuzzy Hash: 73db33790426ccd2ebf2c4a8a44ac526a0356d27c3abd7b13d409dec45daacd1
Instruction Fuzzy Hash: 0A11EF72605308AFEB10BFA5DC8299FB7A6FF08328F20013FF50192191DB3999008A69

Uniqueness

Uniqueness Score: -1.00%

Function 00412A8A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00412AA9
GetLastError.KERNEL32(00000008), ref: 00412ACB
_memset.LIBCMT ref: 00412AED
FormatMessageA.KERNEL32(00001000,00000000,FFFFED99,00000000,00000000,00000100,00000000,?,?,00000008), ref: 00412B0C

Strings

<no error>, xrefs: 00412AD6

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ErrorFormatH_prolog3LastMessage_memset
String ID: <no error>
API String ID: 1789954729-1181488366
Opcode ID: 57e955d7412a2bcc2b51c7457fb2bcb921a37ccfb0daafc4dab1b30ac7e5b93f
Instruction ID: 0e8155c76f8187e68df4c12ac45065b7397ebe3c11ec7ed2401be82d8e1975d8
Opcode Fuzzy Hash: 57e955d7412a2bcc2b51c7457fb2bcb921a37ccfb0daafc4dab1b30ac7e5b93f
Instruction Fuzzy Hash: D0215E7590024CAFDB21EF95DC82BEE77A4FB0C309F40442EAA589B281D7F45A48CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00413C81 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00413C88

Part of subcall function 004135EB: __EH_prolog3.LIBCMT ref: 004135F2
Part of subcall function 004135EB: _strlen.LIBCMT ref: 00413622

RegCreateKeyA.ADVAPI32(?,?), ref: 00413CCC
RegOpenKeyExA.KERNEL32(?,?,00000000,-00020007,?,00000000,004545D8,00000000,?,?,00000140), ref: 00413CF0

Strings

.\osys_win32.cpp, xrefs: 00413D03
FALSE, xrefs: 00413D08

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$CreateOpen_strlen
String ID: .\osys_win32.cpp$FALSE
API String ID: 3117078595-21605568
Opcode ID: ef382b0e8a39a9bd7de653f807daa500d0dd5debef5fd4895f80ad225809bf0c
Instruction ID: d04a97daceca04a96a64942b6765013f253ac0c1ac35ce23de7e7430db78ae3b
Opcode Fuzzy Hash: ef382b0e8a39a9bd7de653f807daa500d0dd5debef5fd4895f80ad225809bf0c
Instruction Fuzzy Hash: 82112972900209BBDB24DF60CC829DE37A5EF44316F20813BF916661D1EB3D9F9197A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041317F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 004131AD
_sprintf.LIBCMT ref: 004131C4

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Strings

.\osys_win32.cpp, xrefs: 004131D7
handle= %08x, xrefs: 004131BE
MUTEXSEM::MUTEXSEM delete %08x, xrefs: 00413198

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ChangeCloseErrorFindH_prolog3LastNotification__snprintf_memset_sprintf
String ID: .\osys_win32.cpp$MUTEXSEM::MUTEXSEM delete %08x$handle= %08x
API String ID: 1202404192-3579570256
Opcode ID: 967b2eca234d2c0599882fb784fcdd1642c13698ce73eb1db1e76c7807933af8
Instruction ID: ca53f6a99890a1538eed478a8e3697152db93273f32b545b8d2b1d59201a5b34
Opcode Fuzzy Hash: 967b2eca234d2c0599882fb784fcdd1642c13698ce73eb1db1e76c7807933af8
Instruction Fuzzy Hash: F6F0CD717402087BD710AB519C03F9B77B8EB44B0AF10056FFD45E61C2EBB85B54879A

Uniqueness

Uniqueness Score: -1.00%

Function 00415A9E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00415AA5
GetWindowTextLengthA.USER32(?), ref: 00415AB7

Part of subcall function 00435AB2: _malloc.LIBCMT ref: 00435ACA

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

GetWindowTextA.USER32(?,00000000,00000001), ref: 00415AEC

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Strings

txt, xrefs: 00415AD9
.\windows_win32.cpp, xrefs: 00415AD2

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$TextWindow$ErrorLastLength__snprintf_malloc_memset_strlen
String ID: .\windows_win32.cpp$txt
API String ID: 3340050389-4102185663
Opcode ID: e5e728fcf6a7811284672095e3f792bf8600da6424630fbb7e7d7cfa2b27859c
Instruction ID: 4e45828bd5e964f62361749d79f87ea796dcb99cfe0af80ed8ae87d7a6e45c5e
Opcode Fuzzy Hash: e5e728fcf6a7811284672095e3f792bf8600da6424630fbb7e7d7cfa2b27859c
Instruction Fuzzy Hash: B0F0C2B5640344FBD710BB61CC4BFAE7674EB44B0AF10941ABA053A1E3C7BC9A4487AC

Uniqueness

Uniqueness Score: -1.00%

Function 004377D6 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00437836
_memcpy_s.LIBCMT ref: 004378A9
__filbuf.LIBCMT ref: 00437934
_memset.LIBCMT ref: 0043797A
_memset.LIBCMT ref: 004379A5

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset$__filbuf_memcpy_s
String ID:
API String ID: 2885843685-0
Opcode ID: cac8cc74f53462be6e7a85d0e7f9c1900b07443b8ac96e572148be52177315ed
Instruction ID: 1f389d0f8b6cf4a85dc384b70e4664b8ee27b78ec3c9cf330c4f0b32099c9cf9
Opcode Fuzzy Hash: cac8cc74f53462be6e7a85d0e7f9c1900b07443b8ac96e572148be52177315ed
Instruction Fuzzy Hash: 795108B0904605EBDF349F69CC48A9FBBB5EF49320F24961BF4A562290D7389A01CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00437ED0 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00437EEE

Part of subcall function 00443484: __mtinitlocknum.LIBCMT ref: 00443498
Part of subcall function 00443484: __amsg_exit.LIBCMT ref: 004434A4
Part of subcall function 00443484: EnterCriticalSection.KERNEL32(?,?,?,004388FB,00000004,004699E0,0000000C,00442E08,?,?,00000000,00000000,00000000,0043FA2F,00000001,00000214), ref: 004434AC

___sbh_find_block.LIBCMT ref: 00437EF9
___sbh_free_block.LIBCMT ref: 00437F08
RtlFreeHeap.NTDLL(00000000,?,00469980,0000000C,00443465,00000000,00469F50,0000000C,0044349D,?,?,?,004388FB,00000004,004699E0,0000000C), ref: 00437F38
GetLastError.KERNEL32(?,004388FB,00000004,004699E0,0000000C,00442E08,?,?,00000000,00000000,00000000,0043FA2F,00000001,00000214,?,00000000), ref: 00437F49

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: f413bb8a916d11123bb10b42326439379acc1e8d8534f1446e3fb11749551f51
Instruction ID: ef2c5642fba062339a10148400668541c54fc01c812a85ed4dcd4ecf1aae9f16
Opcode Fuzzy Hash: f413bb8a916d11123bb10b42326439379acc1e8d8534f1446e3fb11749551f51
Instruction Fuzzy Hash: 7701F771809305AAEF346B71AC0975F77B0BF08769F24111FF144562D1CF7C89449A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB5F Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 268COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040EB6A

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 004136A5: __EH_prolog3_GS.LIBCMT ref: 004136AF
Part of subcall function 004136A5: LoadStringA.USER32(?,?,?,00000100), ref: 00413706

Part of subcall function 0040E93E: __EH_prolog3.LIBCMT ref: 0040E945
Part of subcall function 0040E93E: SendMessageA.USER32(?,00000030,00000000,00000001), ref: 0040E9C8
Part of subcall function 0040E93E: SendMessageA.USER32(?,00000030,00000000,00000001), ref: 0040EA02

Part of subcall function 00418658: GetDlgItem.USER32(?,?), ref: 00418670

Part of subcall function 00415B1D: ShowWindow.USER32(?,?,?,?,0040E5BE,00000001), ref: 00415B48

Part of subcall function 00415A8E: SetWindowTextA.USER32(?,00000000), ref: 00415A95

Part of subcall function 00401A83: GetWindowLongA.USER32(?,000000F0), ref: 00401A8B
Part of subcall function 00401A83: SetWindowLongA.USER32(?,000000F0,?), ref: 00401A9B

Part of subcall function 00415B63: InvalidateRect.USER32(63736544,?,?,00402848,00000000,00000000,00000000,?,00000095), ref: 00415B6E

Strings

steps[step].idstep!=0, xrefs: 0040EBA3
.\setupdialog.cpp, xrefs: 0040EB9E, 0040ED98
FALSE, xrefs: 0040ED9D

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Window$H_prolog3$LongMessageSend$ErrorH_prolog3_InvalidateItemLastLoadRectShowStringText__snprintf_memset
String ID: .\setupdialog.cpp$FALSE$steps[step].idstep!=0
API String ID: 3387891783-1049168567
Opcode ID: 60259771c8b67eef73968983ae732e9a2d1e6bea9a5a8b2deeaa484bee4b6a9d
Instruction ID: 8cbc58493551dba24c4b364f7cfd7d6db8bfef9abb38e9ea9c3295fdc10a4c86
Opcode Fuzzy Hash: 60259771c8b67eef73968983ae732e9a2d1e6bea9a5a8b2deeaa484bee4b6a9d
Instruction Fuzzy Hash: 8AA18C71A00249EFDB14EF61C982EED77A4AF14314F10452EFD15632D2DB78AA54CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004021E2 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 191COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004021EC

Part of subcall function 00419640: __EH_prolog3.LIBCMT ref: 00419647

Part of subcall function 00411500: __EH_prolog3.LIBCMT ref: 00411507

Part of subcall function 00411793: __EH_prolog3.LIBCMT ref: 0041179A

Part of subcall function 0040F93F: _strlen.LIBCMT ref: 0040F95F

Strings

ActiveSyncInstall, xrefs: 004021F6
DGE, xrefs: 004023B6
AppName, xrefs: 00402241, 0040242C

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strlen
String ID: ActiveSyncInstall$AppName$DGE
API String ID: 3239654323-390940481
Opcode ID: 468862d83c5854072f1d462579b01f04f6e6e04a0c2532caa4a39dffbaba8e64
Instruction ID: d0267a21f03077d5019387b17c8dbe5447e42eb08972eadb201e5dd54c21565c
Opcode Fuzzy Hash: 468862d83c5854072f1d462579b01f04f6e6e04a0c2532caa4a39dffbaba8e64
Instruction Fuzzy Hash: A961C130A00244AADB04FBE5CD56BEE76E45B58318F1441BFE509B72C2EFBC5A48876D

Uniqueness

Uniqueness Score: -1.00%

Function 004160BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004160C1
FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 004160DD
GetWindowLongA.USER32(?,000000F0), ref: 00416100

Strings

STATIC, xrefs: 00416120

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Window$FindH_prolog3Long
String ID: STATIC
API String ID: 700960635-1882779555
Opcode ID: e85cb15b67b3c6a2a446bf95c2105637d5012dde26bd22f2da91d15c55f4a1d0
Instruction ID: 7029a361e118ae793ebdb74637e11e463e56ca73055d190ccd6696bfe8b3a3ad
Opcode Fuzzy Hash: e85cb15b67b3c6a2a446bf95c2105637d5012dde26bd22f2da91d15c55f4a1d0
Instruction Fuzzy Hash: 8231CF71C04249EFCF10DFA5C844ADEBBB4AF05328F15422EE811B72D2CB389A85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040FCA5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040FCAC

Part of subcall function 004108B6: __fsopen.LIBCMT ref: 00410929

Part of subcall function 0040F07D: _getenv.LIBCMT ref: 0040F08B

Strings

BINARY::Save returns %08x, %d bytes, %s, xrefs: 0040FD26
STRING::Save, xrefs: 0040FCDC
BINARY::Save %s, xrefs: 0040FCBA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3__fsopen_getenv
String ID: BINARY::Save %s$BINARY::Save returns %08x, %d bytes, %s$STRING::Save
API String ID: 2299599311-3174717632
Opcode ID: 121db116028f96b10ad388207ac67b08e47cfcd60519601ee01594cff73d72eb
Instruction ID: 5349615037152d6dfca5f805b8324474dcfef9878c4ea0233a7416020db0d3ff
Opcode Fuzzy Hash: 121db116028f96b10ad388207ac67b08e47cfcd60519601ee01594cff73d72eb
Instruction Fuzzy Hash: E211E531800309EBDB20BBA58C46FDE7A64AF04728F14023FF865761D2DBBD8968865D

Uniqueness

Uniqueness Score: -1.00%

Function 00413D81 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00413D88

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Strings

REGISTRY::Constructor failed for app=%s, basekey=%s, user=%d, xrefs: 00413E05
.\osys_win32.cpp, xrefs: 00413DBB
app[0]!='<', xrefs: 00413DC0

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$ErrorLast__snprintf_memset
String ID: .\osys_win32.cpp$REGISTRY::Constructor failed for app=%s, basekey=%s, user=%d$app[0]!='<'
API String ID: 4251183321-992221689
Opcode ID: 4839a2a600c51c62cedf98ed14fc204aad8e1a8268170fb70fbd31cd538ad280
Instruction ID: 3db50c9e2d149d88cbbf6bcb1561818c7d971b06136cf0b1ce46fa9176146c38
Opcode Fuzzy Hash: 4839a2a600c51c62cedf98ed14fc204aad8e1a8268170fb70fbd31cd538ad280
Instruction Fuzzy Hash: 0801D275B00309EBDB21AF558C42EAF7A91AB40705F24440FFD54A7282C77D8EA0C35E

Uniqueness

Uniqueness Score: -1.00%

Function 00435CC1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(DGE,00000000), ref: 00435CFC
GetLastError.KERNEL32 ref: 00435D07
__dosmaperr.LIBCMT ref: 00435D0E

Strings

DGE, xrefs: 00435CF8

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: AttributesErrorFileLast__dosmaperr
String ID: DGE
API String ID: 1932490781-828149971
Opcode ID: 54a3f60cf624be24ca461592a16c2c3a5de0b92e513de29b307f67725d8e87b4
Instruction ID: ac241e7f3626720d6eafc294c19b611df1cee1af7331488348519f32a4b12397
Opcode Fuzzy Hash: 54a3f60cf624be24ca461592a16c2c3a5de0b92e513de29b307f67725d8e87b4
Instruction Fuzzy Hash: 31018670014B105EDB253B75EC0935B77B0AF89339F12655FF4604E2A2CF3D88868B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00413129 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,?,?,0041B1B5,00000000,00000000,E5C332AE,?,000001FF,00000000), ref: 00413140

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Strings

this->hmux, xrefs: 0041316A
.\osys_win32.cpp, xrefs: 00413165
MUTEXSEM::MUTEXSEM created %08x, name= %s, xrefs: 0041314D

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CreateErrorH_prolog3LastMutex__snprintf_memset
String ID: .\osys_win32.cpp$MUTEXSEM::MUTEXSEM created %08x, name= %s$this->hmux
API String ID: 3119763698-2287203105
Opcode ID: 25252f86a56b1eb42d35cb9c96674f781d6d210482007860c17c9ee8f2760872
Instruction ID: c4d8f1792cfeb8cbb6223ab1420c5a97f74edf8826c17fcea1056d2b077d6660
Opcode Fuzzy Hash: 25252f86a56b1eb42d35cb9c96674f781d6d210482007860c17c9ee8f2760872
Instruction Fuzzy Hash: 64E06D31684300BFE3105B218C07F56B6A4EB44B1BF15882ABD9CA51D2D2B958A49BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00416AAE Relevance: 6.1, APIs: 4, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000EB,?), ref: 00416AD4
PostMessageA.USER32(?,00000501,00000000,00000000), ref: 00416AE2
GetWindowLongA.USER32(?,000000EB), ref: 00416AEB
KiUserCallbackDispatcher.NTDLL(00000002,?,?), ref: 00416B3E

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: LongWindow$CallbackDispatcherMessagePostUser
String ID:
API String ID: 4134389970-0
Opcode ID: 231a1ce65a30375c6fc2bf70feab2b9405ba34f371658c75ce3f511b5efff89d
Instruction ID: c25146fd359c7207954cdb449ed60caee1acf02d6e7708ffb1f88a43a2397dd2
Opcode Fuzzy Hash: 231a1ce65a30375c6fc2bf70feab2b9405ba34f371658c75ce3f511b5efff89d
Instruction Fuzzy Hash: 0B117C71600218BBCF218F66CC48DDFBBB9EF89721F01851AF91596261C234D950CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040E59B Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00415B1D: ShowWindow.USER32(?,?,?,?,0040E5BE,00000001), ref: 00415B48

Part of subcall function 004160BA: __EH_prolog3.LIBCMT ref: 004160C1
Part of subcall function 004160BA: FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 004160DD
Part of subcall function 004160BA: GetWindowLongA.USER32(?,000000F0), ref: 00416100

KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0040E5D8
IsDialogMessageA.USER32(?,?), ref: 0040E5F1
TranslateMessage.USER32(?), ref: 0040E60A
DispatchMessageA.USER32(?), ref: 0040E614

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: MessageWindow$CallbackDialogDispatchDispatcherFindH_prolog3LongShowTranslateUser
String ID:
API String ID: 12264550-0
Opcode ID: fcc6488865a8700f6b9d2a1c0831e60515a05ddd74f867c5afb41a4ee7ccffac
Instruction ID: 90b08ff7e076a266c3855cb06ac5ab85bc5cfd3ae9ebbf9201b9f6da1b58b202
Opcode Fuzzy Hash: fcc6488865a8700f6b9d2a1c0831e60515a05ddd74f867c5afb41a4ee7ccffac
Instruction Fuzzy Hash: A6111971A00209EFDB00EFA5E898EEE77B9FB44309F100875F901EB265DB34A945CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00438E60 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0043F8BF: TlsGetValue.KERNEL32(?,00438E66), ref: 0043F8C6
Part of subcall function 0043F8BF: TlsSetValue.KERNEL32(00000000,00438E66), ref: 0043F8E7

Part of subcall function 0043F8A4: TlsGetValue.KERNEL32(?,00438E71,00000000), ref: 0043F8AE

GetLastError.KERNEL32(00000000,?,00000000), ref: 00438E89
ExitThread.KERNEL32 ref: 00438E90
GetCurrentThreadId.KERNEL32 ref: 00438E96
__freefls@4.LIBCMT ref: 00438EB7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Value$Thread$CurrentErrorExitLast__freefls@4
String ID:
API String ID: 3657912857-0
Opcode ID: 2eb80bad42e85dd36758a326ff2621cda8dcc3a9d213b6cb427d90fda558b6d1
Instruction ID: 43a95a8d74b78fb8902c56c190684b4374ba402502624cdf101ccd003bdac401
Opcode Fuzzy Hash: 2eb80bad42e85dd36758a326ff2621cda8dcc3a9d213b6cb427d90fda558b6d1
Instruction Fuzzy Hash: D30121344007019FD708BB71D90A50F77A4AF4C309F20547EB90587262DB7CC8868A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00406D1B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00406D25
_strlen.LIBCMT ref: 00406D34

Part of subcall function 00418F66: _memset.LIBCMT ref: 00418FAD
Part of subcall function 00418F66: _sprintf.LIBCMT ref: 00418FCA

Part of subcall function 00401A26: __EH_prolog3.LIBCMT ref: 00401A2D

Part of subcall function 00419640: __EH_prolog3.LIBCMT ref: 00419647

Strings

%s_%d, xrefs: 00406EA4

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$H_prolog3__memset_sprintf_strlen
String ID: %s_%d
API String ID: 4104334662-1933919280
Opcode ID: c8e8857e42805affa9e69c6b1954f022bff71b8c47be9b99a5ec28da28535272
Instruction ID: d4933194c617eb94cb1017760cd36be50ef7af7a441f46dc76cff4f05281cc73
Opcode Fuzzy Hash: c8e8857e42805affa9e69c6b1954f022bff71b8c47be9b99a5ec28da28535272
Instruction Fuzzy Hash: FA517074A003499FCF15EFE5C891AEDBBB9AF58308F04402EE406B7282DB3C5995DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD54 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0040FE13

Part of subcall function 00412A8A: __EH_prolog3.LIBCMT ref: 00412AA9
Part of subcall function 00412A8A: GetLastError.KERNEL32(00000008), ref: 00412ACB
Part of subcall function 00412A8A: _memset.LIBCMT ref: 00412AED
Part of subcall function 00412A8A: FormatMessageA.KERNEL32(00001000,00000000,FFFFED99,00000000,00000000,00000100,00000000,?,?,00000008), ref: 00412B0C

Strings

BINARY::Load %s (%d bytes), xrefs: 0040FDBC
BINARY::Load returns %8x, %d bytes, %s, xrefs: 0040FE61

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ErrorFormatH_prolog3LastMessage__fread_nolock_memset
String ID: BINARY::Load %s (%d bytes)$BINARY::Load returns %8x, %d bytes, %s
API String ID: 2872010135-701840451
Opcode ID: 1bd51d6ae867132dd4bc130e5b39254b41afeffd2c5a034013890346fc90df36
Instruction ID: 66e30b803e40f794b78be5c228ae4a0b428c8e4a2381642daf79d9341a46e9be
Opcode Fuzzy Hash: 1bd51d6ae867132dd4bc130e5b39254b41afeffd2c5a034013890346fc90df36
Instruction Fuzzy Hash: EC41B632900249ABDB20DB95CC41BEF77A8FF44714F14463EF915A72C2DB789A088B59

Uniqueness

Uniqueness Score: -1.00%

Function 004108B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 00410929

Strings

FILENAME::fsopen(%s, %s, %d), xrefs: 004108C7
FILENAME::fsopen(%s, %s, %d) returns f= %08x, fd= %d, xrefs: 0041094A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __fsopen
String ID: FILENAME::fsopen(%s, %s, %d)$FILENAME::fsopen(%s, %s, %d) returns f= %08x, fd= %d
API String ID: 3646066109-618868067
Opcode ID: 41e9a1897c323f9567159d2b1dfea4594c69c7ed4517174ec08e4936d5c6e437
Instruction ID: a084173e7b20bd82d0c04f90eaed976f86ef40041ff390ac9cadff746f9e38ed
Opcode Fuzzy Hash: 41e9a1897c323f9567159d2b1dfea4594c69c7ed4517174ec08e4936d5c6e437
Instruction Fuzzy Hash: 4D113A7364822536F62030675C42DFB6B5CCF4AB78F15421BFE18A61C2EA9D4CD112DD

Uniqueness

Uniqueness Score: -1.00%

Function 00415D0E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00415D15

Part of subcall function 00415A9E: __EH_prolog3.LIBCMT ref: 00415AA5
Part of subcall function 00415A9E: GetWindowTextLengthA.USER32(?), ref: 00415AB7
Part of subcall function 00415A9E: GetWindowTextA.USER32(?,00000000,00000001), ref: 00415AEC

Part of subcall function 00415812: KiUserCallbackDispatcher.NTDLL(?,?,00415D56,?,?,?,?,?,0040E288,?), ref: 0041F1C3

Strings

._A, xrefs: 00415D2F, 00415D3F, 00415D32
WINDOW::~WINDOW auto-destroying %s %d, xrefs: 00415D42

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3TextWindow$CallbackDispatcherLengthUser
String ID: ._A$WINDOW::~WINDOW auto-destroying %s %d
API String ID: 2199925783-1616064182
Opcode ID: 62edb1e4c9d5bc4a4ae7da9edd183e6c9f81ed8e75b6cc79ff54ea8b1f03051f
Instruction ID: f93058108eb8c5dd938239ea88d316022870af8d2a8c30aaacef40bdbaaef868
Opcode Fuzzy Hash: 62edb1e4c9d5bc4a4ae7da9edd183e6c9f81ed8e75b6cc79ff54ea8b1f03051f
Instruction Fuzzy Hash: D3F0F630800788DBCB20FBA1C40A7CC7AB0AF04325F14451EE455632C2C7BC4688D769

Uniqueness

Uniqueness Score: -1.00%

Function 0041338D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28registryCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00413396
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 004133A9

Strings

REGISTRY::Write String value= %s; data=%s, error=%08x, xrefs: 004133B8

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Value_strlen
String ID: REGISTRY::Write String value= %s; data=%s, error=%08x
API String ID: 3056571664-783069814
Opcode ID: c920a5e635ce3a70a902645fc12082b549a9882381ee13445927ac9d60f59064
Instruction ID: 7e61f05cd10e624271fe7cca08c3808ac3dcce2c47f1d62ab78c74bd5b50fec1
Opcode Fuzzy Hash: c920a5e635ce3a70a902645fc12082b549a9882381ee13445927ac9d60f59064
Instruction Fuzzy Hash: BEE01237540228BBDF212EA1DC06FDABF29EF087B4F118016FE4859191D6B7D96097E4

Uniqueness

Uniqueness Score: -1.00%

Function 0042F203 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__open.LIBCMT ref: 0042F20E
_fprintf.LIBCMT ref: 0042F232

Strings

error: can't open zipfile [ %s ], xrefs: 0042F224

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __open_fprintf
String ID: error: can't open zipfile [ %s ]
API String ID: 2397098119-490673178
Opcode ID: 7edd1610342b3cf6c7ca33c88155f1f83e01b6e7abf2b2500f50b8efe8dbe0f3
Instruction ID: b3aa37ab76c710b9a88f3d08675967784487a0eaae712bf691c78030f242be8b
Opcode Fuzzy Hash: 7edd1610342b3cf6c7ca33c88155f1f83e01b6e7abf2b2500f50b8efe8dbe0f3
Instruction Fuzzy Hash: 79D05BF375560165FB1127726D0771522E4A728304F18147FF511D00A1FEAE94165A1E

Uniqueness

Uniqueness Score: -1.00%

Function 00444834 Relevance: 4.7, APIs: 3, Instructions: 246COMMON

Download Yara Rule

APIs

__invoke_watson.LIBCMT ref: 004449EE
__invoke_watson.LIBCMT ref: 00444A0B
__invoke_watson.LIBCMT ref: 00444A28

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __invoke_watson
String ID:
API String ID: 3648217671-0
Opcode ID: d8b949001d8c47f8977c71c5924173e39385eaa4798ef9556d0638b29c39d55c
Instruction ID: 0ced8b98219d9ee8ae140f4242dc454246a52aaaaa04a8b9706c453e2c1cea16
Opcode Fuzzy Hash: d8b949001d8c47f8977c71c5924173e39385eaa4798ef9556d0638b29c39d55c
Instruction Fuzzy Hash: 9E71A2B5B007099BEB14DEBDCC817AA73EAEB88368F15852AF914D3350E778DD008759

Uniqueness

Uniqueness Score: -1.00%

Function 0041F015 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000EB), ref: 0041F036
GetWindowLongA.USER32(?,000000EB), ref: 0041F042
DefWindowProcA.USER32(?,00000001,?,?), ref: 0041F09A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Window$Long$Proc
String ID:
API String ID: 3468714886-0
Opcode ID: 1a6cd706a8c5c37a67967d7fa375e70ac6c87cb1fa8ca4424396bfa51bdb7c44
Instruction ID: 2a18902c380b6b0829200df20d6c3ad4e61d103b88e18afc0032b1f2c5c8fd03
Opcode Fuzzy Hash: 1a6cd706a8c5c37a67967d7fa375e70ac6c87cb1fa8ca4424396bfa51bdb7c44
Instruction Fuzzy Hash: 27116731600208BFCF218F66CC48D9B7FB9FF89721B10882AF91A96262D735D951DF64

Uniqueness

Uniqueness Score: -1.00%

Function 0043D28E Relevance: 4.6, APIs: 3, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,00000109,0043DFFF,00000109), ref: 0043D2D9
GetLastError.KERNEL32 ref: 0043D2E3
__dosmaperr.LIBCMT ref: 0043D312

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 88f49b5288914f81e164e942763d8cc7f54db9dcc7ccecb8cdb5f460294e8fab
Instruction ID: 9bcf908137145d33db6d147d1368f159bcccc99d98a74b10a048d5fced0a3d82
Opcode Fuzzy Hash: 88f49b5288914f81e164e942763d8cc7f54db9dcc7ccecb8cdb5f460294e8fab
Instruction Fuzzy Hash: 3901F93390522055D62522397D05B5B27884F8B738F1A159FFD21D76E3CE6CCC82815E

Uniqueness

Uniqueness Score: -1.00%

Function 00437507 Relevance: 4.5, APIs: 3, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__flush.LIBCMT ref: 0043753A
__freebuf.LIBCMT ref: 00437542
__close.LIBCMT ref: 0043754E

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __close__flush__freebuf
String ID:
API String ID: 3722736141-0
Opcode ID: 414d6acc784b4ba750f289462bd0048cf33c0e6a9a5d890fcf3e0de11862eb39
Instruction ID: 4f44819c263fe5c2b31c02208096e6c6fe4148869dd3a7e1bb45803d218af7a1
Opcode Fuzzy Hash: 414d6acc784b4ba750f289462bd0048cf33c0e6a9a5d890fcf3e0de11862eb39
Instruction Fuzzy Hash: E9F028B2D087002ED6342B7F4C4151BA2D84E59338F14961FF6E4D26D2DA3CD90106AD

Uniqueness

Uniqueness Score: -1.00%

Function 0043D07B Relevance: 4.5, APIs: 3, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00004000,00000000,00000109,00004000,00000109,0043DF9F,00000109,00000000,00000000), ref: 0043D0A8
GetLastError.KERNEL32 ref: 0043D0B5
__dosmaperr.LIBCMT ref: 0043D0C4

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: c9cf3a8b02c71cee2872045a8785f7c250c376ae1f0b6df9c92c8e9132b3d1ba
Instruction ID: 348edbf9250ebf09a197b7b2a95d6233d97b3dd5e695b8c390fd372a0197bb8e
Opcode Fuzzy Hash: c9cf3a8b02c71cee2872045a8785f7c250c376ae1f0b6df9c92c8e9132b3d1ba
Instruction Fuzzy Hash: 07F02833915A2156C6251B7CBC0454A7A745F8A738F22271BF130CB2F2DF34C886426A

Uniqueness

Uniqueness Score: -1.00%

Function 00417BF2 Relevance: 4.5, APIs: 3, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00417BF9

Part of subcall function 00415A9E: __EH_prolog3.LIBCMT ref: 00415AA5
Part of subcall function 00415A9E: GetWindowTextLengthA.USER32(?), ref: 00415AB7
Part of subcall function 00415A9E: GetWindowTextA.USER32(?,00000000,00000001), ref: 00415AEC

_memset.LIBCMT ref: 00417C32
__snprintf.LIBCMT ref: 00417C49

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3TextWindow$Length__snprintf_memset
String ID:
API String ID: 2898785052-0
Opcode ID: b05517545052e475b43d3d12ef15264e39fa8a52741ba6220bf9784e4832eb78
Instruction ID: c12d38675c08e413c3bea9045cba4f565b1a4942ac6f9a98d6a5ad991de7b21d
Opcode Fuzzy Hash: b05517545052e475b43d3d12ef15264e39fa8a52741ba6220bf9784e4832eb78
Instruction Fuzzy Hash: 6DF06831500B049BCB24EBA1C946F9AB3F4BF0C314F501A5EF58597591DA39FD10D758

Uniqueness

Uniqueness Score: -1.00%

Function 004314FA Relevance: 4.5, APIs: 3, Instructions: 30fileCOMMON

Download Yara Rule

APIs

OpenFile.KERNEL32(00461874,?,00000040), ref: 0043151A
GetLastError.KERNEL32 ref: 00431525
_lclose.KERNEL32(00000000), ref: 0043153A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ErrorFileLastOpen_lclose
String ID:
API String ID: 2717909932-0
Opcode ID: 754965397b30d2d29bba25a312543eb917514aed83775729724602742bb666b1
Instruction ID: 384cb28fe535bb3eb090dd9fcb86b0dfd8f7cd1919867c843e50bc9326ab6741
Opcode Fuzzy Hash: 754965397b30d2d29bba25a312543eb917514aed83775729724602742bb666b1
Instruction Fuzzy Hash: B4F0A770510108AFCB00DFB8EC4DA6E77F8AB5C345F505A65F117D71A0EE38DA404729

Uniqueness

Uniqueness Score: -1.00%

Function 0043BDF9 Relevance: 4.5, APIs: 3, Instructions: 17COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00461874,00000000,00431BA2,00000000,00454616,00461874,00000040), ref: 0043BDFF
GetLastError.KERNEL32 ref: 0043BE09
__dosmaperr.LIBCMT ref: 0043BE18

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CreateDirectoryErrorLast__dosmaperr
String ID:
API String ID: 42539052-0
Opcode ID: 5a528a8fb86dacea2c4ee75187e7f0688dde6160ed4474cdd192512c62e815fc
Instruction ID: b6e57d29ae80253693b0c0cdc4dde857cee21c583823038f01b55a99f6af3e86
Opcode Fuzzy Hash: 5a528a8fb86dacea2c4ee75187e7f0688dde6160ed4474cdd192512c62e815fc
Instruction Fuzzy Hash: 83D0A73020070161DB501735DC0931766A8EB44365F601535B220C81E1FF28C8815049

Uniqueness

Uniqueness Score: -1.00%

Function 00435D5C Relevance: 4.5, APIs: 3, Instructions: 16fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,00410ACD,?,00401796,00000000,004545D8,00000000,004545D8,00000000,?,?,00000140), ref: 00435D60
GetLastError.KERNEL32(?,?,00000140), ref: 00435D6A
__dosmaperr.LIBCMT ref: 00435D79

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: DeleteErrorFileLast__dosmaperr
String ID:
API String ID: 1545401867-0
Opcode ID: 733faec8937750481c0697402ca1d1155b99644dba426a08194df184539b0f81
Instruction ID: 111c3a9a3289340ea5aad4a02370d1bd50e92b20e0323b3724824d429055c1f5
Opcode Fuzzy Hash: 733faec8937750481c0697402ca1d1155b99644dba426a08194df184539b0f81
Instruction Fuzzy Hash: B2D01230211F0196DB551F72EC0C11B76E87F84766F549B7EB069C41E1FF2CC881A519

Uniqueness

Uniqueness Score: -1.00%

Function 0041351C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(?,?,00000000,?,?,?), ref: 00413540

Strings

REGISTRY::Read key=%s, ok=%d, error=%d, xrefs: 00413568

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: QueryValue
String ID: REGISTRY::Read key=%s, ok=%d, error=%d
API String ID: 3660427363-2483465850
Opcode ID: 27251e4b459a72fe4fb64967b7558cbeb323381c3d8df022c407d2ce510f7337
Instruction ID: 589e9e0ef2ca21d7a06e96ac66a286135cf87189765b562f8c92b9429b044d96
Opcode Fuzzy Hash: 27251e4b459a72fe4fb64967b7558cbeb323381c3d8df022c407d2ce510f7337
Instruction Fuzzy Hash: BF018B7220020EBFEB118F59CC80DFB77AEFF54658B24842EF96587201D271EE508BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041340D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.KERNEL32(?,80000001,00000000,00000004,?,00000004,?,0040B093,SetupForceWorkdir,00000001,80000001,Software\EmTec,ZOC5,00000101,?,004598AC), ref: 0041341F

Strings

REGISTRY::Write DWORD value= %s; data=%ld, error=%08x, xrefs: 00413430

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Value
String ID: REGISTRY::Write DWORD value= %s; data=%ld, error=%08x
API String ID: 3702945584-31729106
Opcode ID: cb4a1bfe68d0dd57bc4cba9a3ab3df2359f092c96d6c98418d77ce0d61db9ffc
Instruction ID: cff67fd6b5b341513b5ffe3f0fb5673008b03afa05cb1283b66c75e31f4a4628
Opcode Fuzzy Hash: cb4a1bfe68d0dd57bc4cba9a3ab3df2359f092c96d6c98418d77ce0d61db9ffc
Instruction Fuzzy Hash: 28E026725043217BD310EE608C06FA7BE94FF44B24F040819BB40890E2C321C828C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00413580 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.KERNEL32(?,004545D8,004545D8,004015FE,00000000,00000000,00000001,004545D8,00000000,?,Software\Emtec\,00000000,?,00000000,004545D8,00000000), ref: 00413587

Strings

REGISTRY::delete value= %s, error=%d, xrefs: 00413594

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: DeleteValue
String ID: REGISTRY::delete value= %s, error=%d
API String ID: 1108222502-2413015584
Opcode ID: 1f20b3e1e7b9a737246411968a4a5b252f901b4d0fca4758ff2cb79291322471
Instruction ID: 80e1e2f5173f069e3279bcda81f90de90a366ca8b1c6934605b5244976bf1045
Opcode Fuzzy Hash: 1f20b3e1e7b9a737246411968a4a5b252f901b4d0fca4758ff2cb79291322471
Instruction Fuzzy Hash: 42D0A7378003307BD6113A709C0AD977E50DF44774F158425BD4C45162D23188A086D6

Uniqueness

Uniqueness Score: -1.00%

Function 00419A87 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 00418E3F: __EH_prolog3.LIBCMT ref: 00418E46
Part of subcall function 00418E3F: _memset.LIBCMT ref: 00418E77

_strncpy.LIBCMT ref: 00419AA6

Strings

STRINGARRAY, xrefs: 00419A9A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3_memset_strncpy
String ID: STRINGARRAY
API String ID: 750080963-3326178087
Opcode ID: a703a858ce71882267a6947c8b2525473058b805b000dce08417588b350d5b88
Instruction ID: 30a5051644ca16f01d054944a8abd7c4050b685dfc0ba830371e6e46f2e6f413
Opcode Fuzzy Hash: a703a858ce71882267a6947c8b2525473058b805b000dce08417588b350d5b88
Instruction Fuzzy Hash: 51D0A77224431066C120A6115C02F97B684CB54751F00842FBF88E2182D778D414569D

Uniqueness

Uniqueness Score: -1.00%

Function 0041566A Relevance: 3.0, APIs: 2, Instructions: 48COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(000004E4), ref: 00415687

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

__strdup.LIBCMT ref: 0041569B

Part of subcall function 00414879: _strcat.LIBCMT ref: 0041489A
Part of subcall function 00414879: _strlen.LIBCMT ref: 004148B6
Part of subcall function 00414879: _strlen.LIBCMT ref: 00414915

Part of subcall function 00415564: __EH_prolog3.LIBCMT ref: 0041556B
Part of subcall function 00415564: GetCurrentThreadId.KERNEL32 ref: 004155AD
Part of subcall function 00415564: GetThreadLocale.KERNEL32(00000018,004156E5,00000000,?,?,?,00000000), ref: 004155C6
Part of subcall function 00415564: FreeLibrary.KERNEL32(00000000), ref: 0041561C
Part of subcall function 00415564: FreeLibrary.KERNEL32(10000000), ref: 00415636

Part of subcall function 00437ED0: __lock.LIBCMT ref: 00437EEE
Part of subcall function 00437ED0: ___sbh_find_block.LIBCMT ref: 00437EF9
Part of subcall function 00437ED0: ___sbh_free_block.LIBCMT ref: 00437F08
Part of subcall function 00437ED0: RtlFreeHeap.NTDLL(00000000,?,00469980,0000000C,00443465,00000000,00469F50,0000000C,0044349D,?,?,?,004388FB,00000004,004699E0,0000000C), ref: 00437F38
Part of subcall function 00437ED0: GetLastError.KERNEL32(?,004388FB,00000004,004699E0,0000000C,00442E08,?,?,00000000,00000000,00000000,0043FA2F,00000001,00000214,?,00000000), ref: 00437F49

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Free_strlen$H_prolog3LibraryThread$CommandCurrentErrorHeapLastLineLocale___sbh_find_block___sbh_free_block__lock__strdup_strcat
String ID:
API String ID: 3845007995-0
Opcode ID: be49588d7133a9464e767cf412dff28836f6b9125eda6918b8502a011cbe779c
Instruction ID: a05ac1617d2914af050b41238ec6537526c56e1512b01a4540008a2877f3cf4c
Opcode Fuzzy Hash: be49588d7133a9464e767cf412dff28836f6b9125eda6918b8502a011cbe779c
Instruction Fuzzy Hash: E40192B2901118ABD714EB66DC46DEE73BCAF49304F0004AFF545E7192EAB49E848F98

Uniqueness

Uniqueness Score: -1.00%

Function 00431262 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNELBASE(?,?,00000000), ref: 00431296
_strcat.LIBCMT ref: 004312AB

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: FileFindNext_strcat
String ID:
API String ID: 2180751025-0
Opcode ID: 0879bb149a71a5b3740afaf247f3bb87889684eac1e59cd44174e09843cbe108
Instruction ID: 7ecc5d95fdfc4b989bedcf129f547f1d47eab75e28f0d412e38e4a26b23186bc
Opcode Fuzzy Hash: 0879bb149a71a5b3740afaf247f3bb87889684eac1e59cd44174e09843cbe108
Instruction Fuzzy Hash: 89F01D316002089FDB14DB65D945BEA73FCAB0C305F4014AAE546D7160EB78AA858B58

Uniqueness

Uniqueness Score: -1.00%

Function 0044415C Relevance: 3.0, APIs: 2, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,00436580,00000001), ref: 0044416D
HeapDestroy.KERNEL32 ref: 004441A3

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 00e54bc5601c8db1dcecbcf9c641cf8ef01e5e5097b4c788e156fca9b670e511
Instruction ID: e060f76ab7e2b11ae6d26f336b23b2be498a8be5a77c88f0096aeaa6eaba9101
Opcode Fuzzy Hash: 00e54bc5601c8db1dcecbcf9c641cf8ef01e5e5097b4c788e156fca9b670e511
Instruction Fuzzy Hash: 5CE065316243419EFB609B356C0D33A36D4A7E03C6F08483AF501C80A0EBB888C09B0D

Uniqueness

Uniqueness Score: -1.00%

Function 00446DF2 Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00446E0A

Part of subcall function 00443484: __mtinitlocknum.LIBCMT ref: 00443498
Part of subcall function 00443484: __amsg_exit.LIBCMT ref: 004434A4
Part of subcall function 00443484: EnterCriticalSection.KERNEL32(?,?,?,004388FB,00000004,004699E0,0000000C,00442E08,?,?,00000000,00000000,00000000,0043FA2F,00000001,00000214), ref: 004434AC

__tzset_nolock.LIBCMT ref: 00446E1B

Part of subcall function 00446706: __lock.LIBCMT ref: 00446728
Part of subcall function 00446706: __invoke_watson.LIBCMT ref: 0044674C
Part of subcall function 00446706: __invoke_watson.LIBCMT ref: 00446767
Part of subcall function 00446706: __invoke_watson.LIBCMT ref: 00446782
Part of subcall function 00446706: ____lc_codepage_func.LIBCMT ref: 0044678A
Part of subcall function 00446706: _strlen.LIBCMT ref: 004467EA
Part of subcall function 00446706: __malloc_crt.LIBCMT ref: 004467F1
Part of subcall function 00446706: _strlen.LIBCMT ref: 00446807

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __invoke_watson$__lock_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__malloc_crt__mtinitlocknum__tzset_nolock
String ID:
API String ID: 4249203040-0
Opcode ID: db620c7abce4ea8f708a32fe8a1b1da0a1ac05e43bb6c9a1a82e80c0e7bad6cc
Instruction ID: d3f92b9b270753a169238a8157663aae7681bcb10ec3ade69c26bdc673fde170
Opcode Fuzzy Hash: db620c7abce4ea8f708a32fe8a1b1da0a1ac05e43bb6c9a1a82e80c0e7bad6cc
Instruction Fuzzy Hash: 9BE08634541B10DAE7256FA5960221EB1A06F59B29BB5411FB24026192CA7C0981C75F

Uniqueness

Uniqueness Score: -1.00%

Function 00438DE6 Relevance: 3.0, APIs: 2, Instructions: 16threadCOMMON

Download Yara Rule

APIs

__freeptd.LIBCMT ref: 00438E0E
ExitThread.KERNEL32 ref: 00438E18

Part of subcall function 00447170: __FindPESection.LIBCMT ref: 004471C9

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ExitFindSectionThread__freeptd
String ID:
API String ID: 3875298718-0
Opcode ID: 2a086f67785f3dcdd18eeb00772fde28312441a9031e6542cef63d4706be480b
Instruction ID: 2ba03650aec0e360532fa300027b164fda42a2f1c5362d1cb1d16bda50141788
Opcode Fuzzy Hash: 2a086f67785f3dcdd18eeb00772fde28312441a9031e6542cef63d4706be480b
Instruction Fuzzy Hash: B6D06772505702ABEB5467B2EE0A61A6655AB0431DF14143EF800C87A2EFAC8D84D55E

Uniqueness

Uniqueness Score: -1.00%

Function 00404412 Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00404419

Part of subcall function 00415EEF: GetWindowRect.USER32(?,?), ref: 00415F12
Part of subcall function 00415EEF: GetWindow.USER32(?,00000004), ref: 00415F34
Part of subcall function 00415EEF: ScreenToClient.USER32(?,?), ref: 00415F4A
Part of subcall function 00415EEF: ScreenToClient.USER32(?,?), ref: 00415F51

Part of subcall function 00415812: KiUserCallbackDispatcher.NTDLL(?,?,00415D56,?,?,?,?,?,0040E288,?), ref: 0041F1C3

Part of subcall function 00418658: GetDlgItem.USER32(?,?), ref: 00418670

Part of subcall function 00415B77: SetFocus.USER32(?,00416194), ref: 00415B7A

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

Part of subcall function 00415B53: KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00415B5A

Part of subcall function 0040E59B: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0040E5D8
Part of subcall function 0040E59B: IsDialogMessageA.USER32(?,?), ref: 0040E5F1
Part of subcall function 0040E59B: TranslateMessage.USER32(?), ref: 0040E60A
Part of subcall function 0040E59B: DispatchMessageA.USER32(?), ref: 0040E614

Part of subcall function 0041376D: __EH_prolog3.LIBCMT ref: 00413774
Part of subcall function 0041376D: WaitForSingleObject.KERNEL32(?,?), ref: 004137BA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CallbackDispatcherH_prolog3MessageUser$ClientScreenWindow$DialogDispatchFocusItemObjectRectSingleTranslateWait
String ID:
API String ID: 710369278-0
Opcode ID: 3ec58e391bd5617d19a80e14ff3a37f326c996788d20ab31b7695582ee7f8f4f
Instruction ID: 900d354aa22bc8bf2a7884c79a46028e557fbf2354a5ea99fd5c80bd1b31f396
Opcode Fuzzy Hash: 3ec58e391bd5617d19a80e14ff3a37f326c996788d20ab31b7695582ee7f8f4f
Instruction Fuzzy Hash: 5B41A031901748EADB05EBA1D996FDDBBB4AF54304F20815EF4196B2C2DF782B44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004379DC Relevance: 1.5, APIs: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00437A09

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: cd0d892c84ea565f5f1e8675416b74c864f42473c1b8e10ac000afd0213ebfd6
Instruction ID: 060cc01450a76f1771a5a7c36a06da5d7a8aa35285ee1a8878e6a665a2545c83
Opcode Fuzzy Hash: cd0d892c84ea565f5f1e8675416b74c864f42473c1b8e10ac000afd0213ebfd6
Instruction Fuzzy Hash: 7A0180B1804209EBDF21BF95CC0298F7B70AF08764F40911BF96415151D7398761DBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0041572D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00415734

Part of subcall function 0041F0CA: _strcat.LIBCMT ref: 0041F108
Part of subcall function 0041F0CA: LoadMenuA.USER32(?), ref: 0041F15D
Part of subcall function 0041F0CA: CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?), ref: 0041F18E
Part of subcall function 0041F0CA: GetLastError.KERNEL32 ref: 0041F197

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CreateErrorH_prolog3LastLoadMenuWindow_strcat
String ID:
API String ID: 425637439-0
Opcode ID: 6945bf4231a791310581be158e5b8294eb03d0268fb4041af27ed8b18ce2dadb
Instruction ID: 2ddf42b7de0b2eba909cdf8f5fd2ff9184a60789823cdc2b7e2f5418f9a88917
Opcode Fuzzy Hash: 6945bf4231a791310581be158e5b8294eb03d0268fb4041af27ed8b18ce2dadb
Instruction Fuzzy Hash: D5F0B235100649EBCF125F91CC01ADE3EB2FF08358F01860AFD5426261C77A89B5EF88

Uniqueness

Uniqueness Score: -1.00%

Function 00415B1D Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?,?,?,0040E5BE,00000001), ref: 00415B48

Part of subcall function 00415A2E: GetWindowPlacement.USER32(?,00000000,?), ref: 00415A4C

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Window$PlacementShow
String ID:
API String ID: 139272362-0
Opcode ID: 6fe29604f408f3e3991dcf88b7f3797402f0e01163f28d51bfb0c4928cf2bdcf
Instruction ID: b57afe279b2d9a9a7325506455be9162ac02819e91c1667c4c4b5291934d78f1
Opcode Fuzzy Hash: 6fe29604f408f3e3991dcf88b7f3797402f0e01163f28d51bfb0c4928cf2bdcf
Instruction Fuzzy Hash: 23E0C232308A01DAC6301A279D06FDBE6588FD0B61F05412FBA029A290DB68EDC280A9

Uniqueness

Uniqueness Score: -1.00%

Function 00415A5E Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,00000000,?), ref: 00415A7C

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: PlacementWindow
String ID:
API String ID: 2154376794-0
Opcode ID: cab5ff8a2c25f07afb483366d6f7c7a116ca7bf6d0b397d4e82a57bafbee6cbd
Instruction ID: 663ffef3a0f8331c8cf7d63ede1c08316def65d09f9e8476dca324b7fe78176d
Opcode Fuzzy Hash: cab5ff8a2c25f07afb483366d6f7c7a116ca7bf6d0b397d4e82a57bafbee6cbd
Instruction Fuzzy Hash: 70E08C32A04208ABDF049B78C909BCAFBF9AB8C725F008524D000BA090E671E5498AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00415A2E Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,00000000,?), ref: 00415A4C

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: PlacementWindow
String ID:
API String ID: 2154376794-0
Opcode ID: 9512f8b6d37a034c731d6b4ec949dd33e3f80179afbeec0b4624028038123db4
Instruction ID: 96de784f7552564a2be36dbec5e51b8b3765cf97bf07c4c7806a9efd87af41d4
Opcode Fuzzy Hash: 9512f8b6d37a034c731d6b4ec949dd33e3f80179afbeec0b4624028038123db4
Instruction Fuzzy Hash: 14E08C32A04208ABDF049B78C90ABCABBF9AB8C725F00C524D000BA090E671E4498A69

Uniqueness

Uniqueness Score: -1.00%

Function 004176F0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004176F7

Part of subcall function 004171FE: __EH_prolog3.LIBCMT ref: 00417205

Part of subcall function 00416CCB: __EH_prolog3.LIBCMT ref: 00416CD2
Part of subcall function 00416CCB: CreateDialogParamA.USER32(?,?,?,Function_00016AAE), ref: 00416D13
Part of subcall function 00416CCB: GetWindowLongA.USER32(?,000000F0), ref: 00416D66
Part of subcall function 00416CCB: GetWindowLongA.USER32(?,000000F4), ref: 00416DA3
Part of subcall function 00416CCB: SetWindowLongA.USER32(?,000000F4,?), ref: 00416DAF
Part of subcall function 00416CCB: GetWindowLongA.USER32(?,000000F4), ref: 00416DBA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: LongWindow$H_prolog3$CreateDialogParam
String ID:
API String ID: 1530400305-0
Opcode ID: 8cdfa2c6853abcee6e972212f1604ebe68b5d9213d744201b92a88c709dc2913
Instruction ID: 479f7807814a2dbd7cb25b4561db6a86fe101a313bb8b41a855eebaf7c71437d
Opcode Fuzzy Hash: 8cdfa2c6853abcee6e972212f1604ebe68b5d9213d744201b92a88c709dc2913
Instruction Fuzzy Hash: 23E01A7510060AEBCB05AF50C801B9DBBB1EF18309F10880AF8552B252DBB896699B8D

Uniqueness

Uniqueness Score: -1.00%

Function 00413D44 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00413D4B

Part of subcall function 00413C81: __EH_prolog3.LIBCMT ref: 00413C88
Part of subcall function 00413C81: RegCreateKeyA.ADVAPI32(?,?), ref: 00413CCC

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$Create
String ID:
API String ID: 1257125548-0
Opcode ID: 4d599b041bb927843855f8bc59cc8e9cf08fd41dfaad6fd9acf5ae1649d0131c
Instruction ID: 0ca82d7b148914a2aa659bb97544b74ed51aab1e5687bb7c407e00b6a73e0290
Opcode Fuzzy Hash: 4d599b041bb927843855f8bc59cc8e9cf08fd41dfaad6fd9acf5ae1649d0131c
Instruction Fuzzy Hash: 80E08679500259DBCF16BF01CC0179D3B61BF04315F10841EF9952A1A2CB795A20DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00417067 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041706E

Part of subcall function 00415F69: __EH_prolog3.LIBCMT ref: 00415F70

Part of subcall function 00416E40: __EH_prolog3.LIBCMT ref: 00416E47

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 7dde4096cd7f88ca9e2f8cb5133e91e1cbc27f9b6f2b707e6aee7d3ac7305f22
Instruction ID: c32932c00371641da59e638642824845f122e4919ef3072c9965b820ed86fa03
Opcode Fuzzy Hash: 7dde4096cd7f88ca9e2f8cb5133e91e1cbc27f9b6f2b707e6aee7d3ac7305f22
Instruction Fuzzy Hash: 2CE08CB4400604DBD718AF61C40228C7AA0EB04329F50864EE8A5662C2CB780705CA8D

Uniqueness

Uniqueness Score: -1.00%

Function 00415812 Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00415D56,?,?,?,?,?,0040E288,?), ref: 0041F1C3

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c332340674d53c7ca49a75574e02eea224ff6e03a2a99dfa70eb9dac218337dc
Instruction ID: c8d94f3e03e482a1f7156431f3b4eae287662b2c3f5c73da6804fbb0778682c6
Opcode Fuzzy Hash: c332340674d53c7ca49a75574e02eea224ff6e03a2a99dfa70eb9dac218337dc
Instruction Fuzzy Hash: 95C0123A325232A38A285628B8245FB63E48B8C75230548BFB903E6600C998CC82928C

Uniqueness

Uniqueness Score: -1.00%

Function 00418860 Relevance: 1.5, APIs: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,00000000,?), ref: 00418879

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 87703bffb22cc554ef9922a84ca37afffc30438472d4a8a56763474846d5fbff
Instruction ID: ab8dfda2887aa2d109e95f0a3c42112a518b04e4bb15feffb8aff13da82515ba
Opcode Fuzzy Hash: 87703bffb22cc554ef9922a84ca37afffc30438472d4a8a56763474846d5fbff
Instruction Fuzzy Hash: 68C080B33541007BDB004F20DE03F257B90D77070AF148024F508C40B1D23AC512D611

Uniqueness

Uniqueness Score: -1.00%

Function 00413378 Relevance: 1.5, APIs: 1, Instructions: 10registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(00000000,?,00413C73,004545D8,00401616,00000000,00000000,00000001,004545D8,00000000,?,Software\Emtec\,00000000,?,00000000,004545D8), ref: 00413382

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 8218f39c5a9b26a62017d4192a7bc4d6cefc427bcfde67b9ecec0a30dccdbd39
Instruction ID: fe8bd42333294984027d440e480179507402378d6e9669c4babb6abc3611c917
Opcode Fuzzy Hash: 8218f39c5a9b26a62017d4192a7bc4d6cefc427bcfde67b9ecec0a30dccdbd39
Instruction Fuzzy Hash: 16C04C3151831147D7745F18F80479676E86F44713F25096EA991D6180DB64C8C0865C

Uniqueness

Uniqueness Score: -1.00%

Function 0041880F Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000402,00000000,00000000), ref: 0041881D

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 635ade492d735b2c15f141b97cbc4f930b453c45bbf91d7f6bf62d1bad89e414
Instruction ID: 9734eced35650e0ebd38f1c2332c880e58fe14df20ea2bd269fb286416386e13
Opcode Fuzzy Hash: 635ade492d735b2c15f141b97cbc4f930b453c45bbf91d7f6bf62d1bad89e414
Instruction Fuzzy Hash: C7B092B1244200BADA014B00CE0AF09BE61ABA4706F50C028B708280F2C2B28462EA08

Uniqueness

Uniqueness Score: -1.00%

Function 00415C23 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(?,000004F1,?,00000000), ref: 00415C31

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f5ac47f764229e571dcaf820ff7b864e1bdfddbc82daa509caa4bae1608098de
Instruction ID: 25f8cffb7e657dd689ecdddf6987baa777a5ff65df4b86da0cea7a142fb7daa4
Opcode Fuzzy Hash: f5ac47f764229e571dcaf820ff7b864e1bdfddbc82daa509caa4bae1608098de
Instruction Fuzzy Hash: ECB09271284302BADA014B00CD06F19BE21AB94B46F11C024B704580B1C6B280A1DA09

Uniqueness

Uniqueness Score: -1.00%

Function 00437EBD Relevance: 1.5, APIs: 1, Instructions: 6COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 00437EC7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 055dc9a24320d0e20a7ad1509cf530b65dfebbf7f2211ed701ea3541cf98e005
Instruction ID: 33960f5baa2aca3f65b6118caf62d108932fd6fba44321be8dffc04e717ae0b7
Opcode Fuzzy Hash: 055dc9a24320d0e20a7ad1509cf530b65dfebbf7f2211ed701ea3541cf98e005
Instruction Fuzzy Hash: A4B012B98082007FCA121601AC02B1977526F84710F80C418B79C10170927B8124960B

Uniqueness

Uniqueness Score: -1.00%

Function 00410A5B Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(?,00000000,00410CF0,00000000,0046F8B0,000004E4,00403707,00000000,?,00000001,?,00000000,?,00000002,004545D8,00000000), ref: 00410A62

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8c251f913b04e4dffa1600ca6ad3dcf33aa2748749671557e8ce813dfc5546dd
Instruction ID: 391563293cf73ded635ea3aac7bae0c6d7ddde7eddef31d3fa809ebab3ce1da4
Opcode Fuzzy Hash: 8c251f913b04e4dffa1600ca6ad3dcf33aa2748749671557e8ce813dfc5546dd
Instruction Fuzzy Hash: 69B012F81003009BC604CB20CA08C067B61ABE4305700442DA005451208A32C960EA14

Uniqueness

Uniqueness Score: -1.00%

Function 00415A8E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 00415A95

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: a5cab1bff98598f0f40dfea58dbfaf53af51ccea0dcb8066abf6c0ed6eaf4249
Instruction ID: 08597d0c9d303428cf68483acbf88390fa76c0a3ccdc83a6bb1cb2bf19fee1ad
Opcode Fuzzy Hash: a5cab1bff98598f0f40dfea58dbfaf53af51ccea0dcb8066abf6c0ed6eaf4249
Instruction Fuzzy Hash: E0A00275505100ABCB015B50DE05805FE75BB95715715C465F54545035C733C461EB55

Uniqueness

Uniqueness Score: -1.00%

Function 00415B53 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00415B5A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 49452f0df876d2921145f80f2659cb7c28c3b5c6a61844039bd69f04a6fb0d7b
Instruction ID: 0d376ba1d5f85dbd6538efd23592feec9f7b3b6684acc25b0c8d468798200c8a
Opcode Fuzzy Hash: 49452f0df876d2921145f80f2659cb7c28c3b5c6a61844039bd69f04a6fb0d7b
Instruction Fuzzy Hash: 7FA00275504100ABCA015B60DE05809BE71BB95705715C465B54545035C733C562EB55

Uniqueness

Uniqueness Score: -1.00%

Function 00410A52 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00410CBA,004174BE,000000FF,000000FF,Edit,000000FF,000000FF,000000FF,ListBox,000000FF,000000FF,000000FF,Button,00000002,00000003), ref: 00410A54

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3818b7f3ebfb4b59dcb850460bba6183bbb7aad9fe0dc26ddc05c567580d3388
Instruction ID: 0aaa1ea1bbe1ea872f2fa118823579279c0563fc2acb6f4538e39f58630a55df
Opcode Fuzzy Hash: 3818b7f3ebfb4b59dcb850460bba6183bbb7aad9fe0dc26ddc05c567580d3388
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00412A6D Relevance: 1.3, APIs: 1, Instructions: 3sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,00414766,00000000,00000000,00000000,?,?), ref: 00412A71

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a1c7110af78753c66d51254993860c29953dfe5dd1b2ea723a78d83534657eed
Instruction ID: 63fe59d21c3204bb36956304e6465891f91a8d1c33931cdb4260937e994dfdac
Opcode Fuzzy Hash: a1c7110af78753c66d51254993860c29953dfe5dd1b2ea723a78d83534657eed
Instruction Fuzzy Hash: 1C9002705442119BCE015B51DF094097A61ABC0746F0054A4B04D4403187318850FA16

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0041493A Relevance: 66.7, APIs: 33, Strings: 5, Instructions: 172sleepkeyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000011), ref: 00414983
GetAsyncKeyState.USER32(00000010), ref: 00414991
GetAsyncKeyState.USER32(00000012), ref: 0041499A
Beep.KERNEL32(00000370,00000064), ref: 004149EA
Sleep.KERNEL32(0000000A,?,?,00416B17,00000110,?,?), ref: 004149F4
Beep.KERNEL32(00000294,00000064), ref: 004149FC
Sleep.KERNEL32(0000000A,?,?,00416B17,00000110,?,?), ref: 00414A00
Beep.KERNEL32(000001B8,00000064), ref: 00414A09
Sleep.KERNEL32(0000000A,?,?,00416B17,00000110,?,?), ref: 00414A0D
Beep.KERNEL32(000001B8,00000064), ref: 00414A11
Sleep.KERNEL32(0000000A,?,?,00416B17,00000110,?,?), ref: 00414A15
Beep.KERNEL32(00000370,00000064), ref: 00414A41
Sleep.KERNEL32(0000000A,?,?,00416B17,00000110,?,?), ref: 00414A4B
Beep.KERNEL32(00000294,00000064), ref: 00414A53
Sleep.KERNEL32(0000000A,?,?,00416B17,00000110,?,?), ref: 00414A57
Beep.KERNEL32(000001B8,00000064), ref: 00414A19

Part of subcall function 0041B778: __EH_prolog3.LIBCMT ref: 0041B786

Beep.KERNEL32(00000370,00000064), ref: 00414B2A

Strings

N, xrefs: 0041493A
/LOGIT:CONSOLE, xrefs: 00414A64
/LOGIT, xrefs: 00414AEE
/LOGITCLOSE, xrefs: 00414A27
/LOGITHARD, xrefs: 00414AB1

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Beep$Sleep$AsyncState$H_prolog3
String ID: /LOGIT$/LOGIT:CONSOLE$/LOGITCLOSE$/LOGITHARD$N
API String ID: 1557865341-3950210016
Opcode ID: 9eb3dea194acf08c6233e1d54fff39ce2a6dc6fff11a7d789a5eab56f7a89def
Instruction ID: c5a87f36db212c0bb9e2267d1d77396f30cbf22b73af2f515c19b316c2819d68
Opcode Fuzzy Hash: 9eb3dea194acf08c6233e1d54fff39ce2a6dc6fff11a7d789a5eab56f7a89def
Instruction Fuzzy Hash: 3741957178431CBEF12077B69C46FAB3A5CDBC5FA6F150017B6085E1C18AA4AC81CA7B

Uniqueness

Uniqueness Score: -1.00%

Function 0042394D Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 214networkCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042396C
_memset.LIBCMT ref: 00423992
_memset.LIBCMT ref: 004239AA

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

_strcat.LIBCMT ref: 004239DB
_strcat.LIBCMT ref: 00423A03
_strlen.LIBCMT ref: 00423A19
_strlen.LIBCMT ref: 00423A31
_memset.LIBCMT ref: 00423AD8
htons.WS2_32(?), ref: 00423AF9
inet_ntoa.WS2_32(?), ref: 00423B07
bind.WS2_32(?,00000002,00000010), ref: 00423B30
getsockname.WS2_32(?,00000010,00000010), ref: 00423B7C

Part of subcall function 0042286C: _memset.LIBCMT ref: 004228FC

htons.WS2_32(?), ref: 00423B8C

Part of subcall function 0042286C: _memset.LIBCMT ref: 00422A33
Part of subcall function 0042286C: _memset.LIBCMT ref: 00422A98
Part of subcall function 0042286C: _memset.LIBCMT ref: 00422AB3
Part of subcall function 0042286C: _memset.LIBCMT ref: 00422AD4
Part of subcall function 0042286C: htons.WS2_32(?), ref: 00422B19
Part of subcall function 0042286C: _strcat.LIBCMT ref: 00422B52

Strings

TCP::Bind before getsockname(), xrefs: 00423B5A
hnm, xrefs: 00423AAE
TCP::Bind after bind() error=%d, xrefs: 00423B37
.\tcpio.cpp, xrefs: 00423AA9
TCP::Bind finished, error=%d, xrefs: 00423B9E
TCP::Bind skt= %d bind to %08x %s %d, xrefs: 00423B17

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset$_strcat_strlenhtons$H_prolog3$bindgetsocknameinet_ntoa
String ID: .\tcpio.cpp$TCP::Bind after bind() error=%d$TCP::Bind before getsockname()$TCP::Bind finished, error=%d$TCP::Bind skt= %d bind to %08x %s %d$hnm
API String ID: 2758594260-3944163508
Opcode ID: 93df0d3a80120af3b001fa63fd6018506adb0642e512ce4edb052ef7572d4360
Instruction ID: a5c210a97aa25492a5f6b20a739c8426c0cc40936e51197e807548abf7265a6c
Opcode Fuzzy Hash: 93df0d3a80120af3b001fa63fd6018506adb0642e512ce4edb052ef7572d4360
Instruction Fuzzy Hash: 467180B2A0024DAFDB20DF95DC85EEF77B8FF08308F50052BF94596192E7789A148B59

Uniqueness

Uniqueness Score: -1.00%

Function 00423BF8 Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 172networkCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00423BFF

Part of subcall function 00413B91: GetCurrentThreadId.KERNEL32 ref: 00413B9A

socket.WS2_32(00000002,00000001,00000000), ref: 00423C94
listen.WS2_32(?,00000020), ref: 00423CD0

Strings

i<ARRAYMAX(TCPIPIO::InSockets), xrefs: 00423D54
TCPIPIO::MakeAcceptSocket allocate index i= %d for skt %d, ourid/port= %d, xrefs: 00423D15
TCPIPIO::MakeAcceptSocket bind ok, xrefs: 00423CC0
TCPIPIO::MakeAcceptSocket this= %08x, this->OurId= %d/'%s', xrefs: 00423C23
TCPIPIO::MakeAcceptSocket InSockets[%d].Port is %d, xrefs: 00423C4E
TCPIPIO::MakeAcceptSocket i= %d, xrefs: 00423C77
.\tcpio.cpp, xrefs: 00423D4B
TCPIPIO::MakeAcceptSocket listen ok, xrefs: 00423CDE
TCPIPIO::MakeAcceptSocket done skt= %d (lasterrorstring= %s), xrefs: 00423E07
TCPIPIO::MakeAcceptSocket skt=%d bind already done, for i= %d InUse= %d now, xrefs: 00423DE7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CurrentH_prolog3Threadlistensocket
String ID: .\tcpio.cpp$TCPIPIO::MakeAcceptSocket InSockets[%d].Port is %d$TCPIPIO::MakeAcceptSocket allocate index i= %d for skt %d, ourid/port= %d$TCPIPIO::MakeAcceptSocket bind ok$TCPIPIO::MakeAcceptSocket done skt= %d (lasterrorstring= %s)$TCPIPIO::MakeAcceptSocket i= %d$TCPIPIO::MakeAcceptSocket listen ok$TCPIPIO::MakeAcceptSocket skt=%d bind already done, for i= %d InUse= %d now$TCPIPIO::MakeAcceptSocket this= %08x, this->OurId= %d/'%s'$i<ARRAYMAX(TCPIPIO::InSockets)
API String ID: 4193879955-1995298848
Opcode ID: f522312f3af26f4c5700e36975618d175f4e22eb4e58c10bc0b57361031a16cc
Instruction ID: f9ecec055b21c823d514bc3d1397ed7d267f8e741ecb02b5bbe852918508ba3f
Opcode Fuzzy Hash: f522312f3af26f4c5700e36975618d175f4e22eb4e58c10bc0b57361031a16cc
Instruction Fuzzy Hash: E451C471A00319AFEB04AF95DC82BBE7374FF04305F50012BF915AA2D2DBB85A54C65D

Uniqueness

Uniqueness Score: -1.00%

Function 00411C5B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00411C62

Part of subcall function 004114D2: __EH_prolog3.LIBCMT ref: 004114D9

_calloc.LIBCMT ref: 00411D00
FindFirstFileA.KERNEL32(000000FF,00454616), ref: 00411D28

Strings

.\osysfile.cpp, xrefs: 00411D0D
this->pResult, xrefs: 00411D12

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$FileFindFirst_calloc
String ID: .\osysfile.cpp$this->pResult
API String ID: 988821745-615981670
Opcode ID: 6ea00ff5a1ddfa8962ea28a2249b242aab0ac198c25c437bae0bb072a254e399
Instruction ID: 7215fe4e75dcef66e8f6694abb576f356704c49b40295f3efc1474d727aafa4d
Opcode Fuzzy Hash: 6ea00ff5a1ddfa8962ea28a2249b242aab0ac198c25c437bae0bb072a254e399
Instruction Fuzzy Hash: 5F21F730900304ABCB10EB66CC45BDEB7E0AF54718F10451EF499A72D2DBB85A88CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00412BBC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00000000,000001FF,00000000), ref: 00412BDF
_memset.LIBCMT ref: 00412BF8
GetLocaleInfoA.KERNEL32(00000400,00001003,?,00000040), ref: 00412C11
GetTimeFormatA.KERNEL32(00000400,00000000,?,?,?,00000040), ref: 00412C28

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Strings

HH:mm:ss, xrefs: 00412BE5

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Time$FormatH_prolog3InfoLocalLocale_memset_strlen
String ID: HH:mm:ss
API String ID: 3034557402-22277939
Opcode ID: a734b880e691f433aca6e3be4a1f37c3fe29db6f398860c97c5f975782edf330
Instruction ID: afadd402ac702130e147f99cdf85fff6fe393bb2bab189aa30bdbb142d9987b2
Opcode Fuzzy Hash: a734b880e691f433aca6e3be4a1f37c3fe29db6f398860c97c5f975782edf330
Instruction Fuzzy Hash: A5113372A00248ABD710DF94DC45FEF73ACBB48705F50043AFB15AA181D775E6488769

Uniqueness

Uniqueness Score: -1.00%

Function 00435782 Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0043FF45
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043FF5A
UnhandledExceptionFilter.KERNEL32(004625E0), ref: 0043FF65
GetCurrentProcess.KERNEL32(C0000409), ref: 0043FF81
TerminateProcess.KERNEL32(00000000), ref: 0043FF88

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: c6d9dc96ee7dd945e580811be8c017f80d99e4ae875b5a97247acdb81e62bca7
Instruction ID: 81ef6ff9f59dde6cee9de8962edf0fe043e1e3e32b542e34c5fffc1bb9d59061
Opcode Fuzzy Hash: c6d9dc96ee7dd945e580811be8c017f80d99e4ae875b5a97247acdb81e62bca7
Instruction Fuzzy Hash: 4121E2B4811B05EFD700DF65FC89AAC3BA4BB08315F18187EE919A6261E7B45D80CF0E

Uniqueness

Uniqueness Score: -1.00%

Function 0041056C Relevance: 6.2, APIs: 4, Instructions: 204COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00410585
_memset.LIBCMT ref: 0041061D
_strcat.LIBCMT ref: 00410655
_strcat.LIBCMT ref: 00410763

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strcat$H_prolog3_memset
String ID:
API String ID: 4125001314-0
Opcode ID: f04c460f3c66b323f4c0ca6465695677bb205fabe6da3b1cefd484406b309b04
Instruction ID: 78cdb62ee02f727c3d5821de16f14d9f3e6c1036ee375c8447cf9d0573f4aad1
Opcode Fuzzy Hash: f04c460f3c66b323f4c0ca6465695677bb205fabe6da3b1cefd484406b309b04
Instruction Fuzzy Hash: 3C714B32504284DFDB15CF29C4816E9BBA2AF99304F28C19FE8954F3C2DB75E949CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00434279 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 403COMMON

Download Yara Rule

Strings

(&, xrefs: 004342EC
%0", xrefs: 004342AC

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID:
String ID: %0"$(&
API String ID: 0-2241329031
Opcode ID: 5e519d904099b938a685834d18427809c74232f1a8917cf1e6af2f0603190e44
Instruction ID: ad8138867f8276061344c13e4e95954faf2e4ff1dbc3f2bff0971e52c4c14990
Opcode Fuzzy Hash: 5e519d904099b938a685834d18427809c74232f1a8917cf1e6af2f0603190e44
Instruction Fuzzy Hash: B0F11530A04255EFEB14CF98D9815ED7BB0FB89320F10157BD85293691C37CAA51EB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00433D61 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 403COMMON

Download Yara Rule

Strings

(&, xrefs: 00433DD4
%0", xrefs: 00433D94

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID:
String ID: %0"$(&
API String ID: 0-2241329031
Opcode ID: 7a7aa4377836b73b11d3aaa628385ff9120efbf8dbe8250d5486a8d568e9c7c9
Instruction ID: ac8616b35a1fa8161ef6695b231064841a51b8297868f0c235f5eb63214136ea
Opcode Fuzzy Hash: 7a7aa4377836b73b11d3aaa628385ff9120efbf8dbe8250d5486a8d568e9c7c9
Instruction Fuzzy Hash: F4F11630E04255DFEB14CF94D9815ADBBB0FB48311F5015BBE852A3691C37CAA41EB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00434791 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 360COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00434B3D

Strings

(&, xrefs: 00434BE4
%0", xrefs: 004347B6

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset
String ID: %0"$(&
API String ID: 2102423945-2241329031
Opcode ID: bc44f4ddac3258f813b4c1e7d02d9470337ff6db7d37890511765db1f4a62d23
Instruction ID: 1b8ae8a40bbc1579eafbd238087e04f1fb5445504c0ca23ab72ea00a29679695
Opcode Fuzzy Hash: bc44f4ddac3258f813b4c1e7d02d9470337ff6db7d37890511765db1f4a62d23
Instruction Fuzzy Hash: 4DE11630A04254DFEB14DFA8D9806EDBBB0FB85320F10557BD452A3691C3BCAA51EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00434C05 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 360COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00434FB1

Strings

(&, xrefs: 00435058
%0", xrefs: 00434C2A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset
String ID: %0"$(&
API String ID: 2102423945-2241329031
Opcode ID: ffe7dcf2a75b5bc65ad97fb74f7de2cf02280730d7bf55522d47d65e0ef31bc6
Instruction ID: ef76c328d074b477158c660fa1aac62972363026b575b6b432f9e022bfdf0150
Opcode Fuzzy Hash: ffe7dcf2a75b5bc65ad97fb74f7de2cf02280730d7bf55522d47d65e0ef31bc6
Instruction Fuzzy Hash: 48E10631A04215DFEB14CFA8D9815EDBBB0FB85320F14157BE412A3691C37CAA52EB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00433876 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 302COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00433B89

Strings

C:/Program Files (x86)/ZOC5/zocdll.dll, xrefs: 00433880
%0", xrefs: 0043388B

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset
String ID: %0"$C:/Program Files (x86)/ZOC5/zocdll.dll
API String ID: 2102423945-3168916105
Opcode ID: 2f08bc05a081b4e17c60e2f96c4941d2c00e39604466be69670b36dbdb6f2c25
Instruction ID: e645e24651784129920d70c45f2bf3f3c4073f50e25921057c9caf7dba3133ad
Opcode Fuzzy Hash: 2f08bc05a081b4e17c60e2f96c4941d2c00e39604466be69670b36dbdb6f2c25
Instruction Fuzzy Hash: 58B104719082508BE314DF29EC8422E7BA0FB45712F44193FE49297251D3FC9A55DB9F

Uniqueness

Uniqueness Score: -1.00%

Function 00421CF7 Relevance: 1.5, APIs: 1, Instructions: 6networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,00000000), ref: 00421D05

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: aa1f4d768fb0b07c85ead104a4e890ec003cb294416da2b899d95d114cf5e5b3
Instruction ID: 4d33c5ba92b4d64e1347ffb92fadd692690691ab3599a1186399dd306dcbba94
Opcode Fuzzy Hash: aa1f4d768fb0b07c85ead104a4e890ec003cb294416da2b899d95d114cf5e5b3
Instruction Fuzzy Hash: 1EB09232048382EBCB02CF40CC04F1EFBA2BBD4701F050C1CB2A0440B0832280A8EB16

Uniqueness

Uniqueness Score: -1.00%

Function 0042C9CA Relevance: 49.5, APIs: 4, Strings: 24, Instructions: 474COMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 0042CA7A
_sprintf.LIBCMT ref: 0042CCC8
_sprintf.LIBCMT ref: 0042CDA7
_strrchr.LIBCMT ref: 0042CE16

Strings

W, xrefs: 0042CC70
, xrefs: 0042CA89
bat, xrefs: 0042CE71
com, xrefs: 0042CE25
R, xrefs: 0042CC67
.r.-... %d.%d, xrefs: 0042CDA1
V, xrefs: 0042CE09
W, xrefs: 0042CC32
R, xrefs: 0042CC48
E, xrefs: 0042CC7D
x, xrefs: 0042CE83
btm, xrefs: 0042CE4B
cmd, xrefs: 0042CE5E
%d.%d, xrefs: 0042CCC2
E, xrefs: 0042CC3F
R, xrefs: 0042CC2A
C:/Program Files (x86)/ZOC5/zocdll.dll, xrefs: 0042CE11
E, xrefs: 0042CC5E
D, xrefs: 0042CC55
exe, xrefs: 0042CE38
u%03d, xrefs: 0042CA70
W, xrefs: 0042CC51
D, xrefs: 0042CC74
D, xrefs: 0042CC36

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _sprintf$_strrchr
String ID: $%d.%d$.r.-... %d.%d$C:/Program Files (x86)/ZOC5/zocdll.dll$D$D$D$E$E$E$R$R$R$V$W$W$W$bat$btm$cmd$com$exe$u%03d$x
API String ID: 1631340146-3203037848
Opcode ID: bd08a0b6a1b2af43a33013441bcfa17bccd552551078c127822d029c233f8adf
Instruction ID: 8b9d8b336f22860296beeb133eea6e7b6b49b48e27f446cac0b0605eb564bd7d
Opcode Fuzzy Hash: bd08a0b6a1b2af43a33013441bcfa17bccd552551078c127822d029c233f8adf
Instruction Fuzzy Hash: C5E12656B082A55EFB118178E4D23FF6FA2CB23366FD4055AC580672C3E15E0A0ED76E

Uniqueness

Uniqueness Score: -1.00%

Function 0042286C Relevance: 45.9, APIs: 19, Strings: 7, Instructions: 439networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004228FC

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 004107B9: __EH_prolog3.LIBCMT ref: 004107C0
Part of subcall function 004107B9: _strpbrk.LIBCMT ref: 00410829
Part of subcall function 004107B9: _strlen.LIBCMT ref: 00410835

Part of subcall function 004107B9: _strpbrk.LIBCMT ref: 00410809

Part of subcall function 004010D1: _strlen.LIBCMT ref: 004010E1

_sscanf.LIBCMT ref: 004229FF
_memset.LIBCMT ref: 00422A33
_memset.LIBCMT ref: 00422A98
_memset.LIBCMT ref: 00422AB3
_memset.LIBCMT ref: 00422AD4
htons.WS2_32(?), ref: 00422B19
_strcat.LIBCMT ref: 00422B52
_strcat.LIBCMT ref: 00422B9B
_calloc.LIBCMT ref: 00422BA9
__snprintf.LIBCMT ref: 00422BE9
_memset.LIBCMT ref: 00422CB9
__snprintf.LIBCMT ref: 00422CD3
getservbyname.WS2_32(?,tcp), ref: 00422CE6
htons.WS2_32(?), ref: 00422CF5
_memset.LIBCMT ref: 00422D2E
__snprintf.LIBCMT ref: 00422D4A
_memset.LIBCMT ref: 00422D8D
__snprintf.LIBCMT ref: 00422D9F

Part of subcall function 00421E54: __EH_prolog3.LIBCMT ref: 00421E73
Part of subcall function 00421E54: WSAGetLastError.WS2_32(00000020), ref: 00421E94
Part of subcall function 00421E54: _memset.LIBCMT ref: 00421EB9
Part of subcall function 00421E54: _memset.LIBCMT ref: 00421EC9
Part of subcall function 00421E54: FormatMessageA.KERNEL32(00001000,00000000,?,00000000,00000000,00000100,00000000,?,?,?,?,?,00000020), ref: 00421EDF
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421EE9
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421EFB
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421F0B
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421F1B
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421F27

Strings

<unknown>, xrefs: 00422A79, 00422A9D, 00422AB8, 00422B8F
tcp, xrefs: 00422CDB
TCPIPIO::Resolv dest= %s, no_iptoname= %d, xrefs: 004228DA
.\tcpio.cpp, xrefs: 00422AF2, 00422C1B
%d.%d.%d.%d, xrefs: 004229EB, 00422A1B
:*#, xrefs: 00422913
sizeof(from)==ai->ai_addrlen, xrefs: 00422AF7, 00422C20

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset$_strlen$__snprintf$H_prolog3$_strcat_strpbrkhtons$ErrorFormatLastMessage_calloc_sscanfgetservbyname
String ID: :*#$%d.%d.%d.%d$.\tcpio.cpp$<unknown>$TCPIPIO::Resolv dest= %s, no_iptoname= %d$sizeof(from)==ai->ai_addrlen$tcp
API String ID: 1380253201-615535906
Opcode ID: a0c9e35fb5a77c6cb726132c4d7bf54fef85cc479afd3bc95c692d6b1e554ee5
Instruction ID: a4f1796767292ce5ac12154cf7bb4a2b66e4afed49f29eddc671ec8d3a14cc5f
Opcode Fuzzy Hash: a0c9e35fb5a77c6cb726132c4d7bf54fef85cc479afd3bc95c692d6b1e554ee5
Instruction Fuzzy Hash: A9F1BF7190025DAFDB20DF95CD81EEEBBB8FF08304F50446AF919A7252E7785A44CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041380F Relevance: 45.8, APIs: 19, Strings: 7, Instructions: 291processsynchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00413831
_memset.LIBCMT ref: 00413886
_strlen.LIBCMT ref: 00413922
_strlen.LIBCMT ref: 0041392F
_strlen.LIBCMT ref: 00413937
_malloc.LIBCMT ref: 00413941
_sprintf.LIBCMT ref: 00413962
__strdup.LIBCMT ref: 00413970
_memset.LIBCMT ref: 0041398C
_strcat.LIBCMT ref: 004139A3
_memset.LIBCMT ref: 004139B8
_strcat.LIBCMT ref: 004139CC
_memset.LIBCMT ref: 004139E2
_strcat.LIBCMT ref: 004139F9
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000044,?), ref: 00413A53
WaitForSingleObject.KERNEL32(?,?), ref: 00413A7F
GetExitCodeProcess.KERNEL32(?,?), ref: 00413AAD
CloseHandle.KERNEL32(?), ref: 00413B47
CloseHandle.KERNEL32(?), ref: 00413B51

Strings

"%s" %s, xrefs: 00413955
StartProgram done ok= %d, xrefs: 00413B5F
OSYS::StartProgram rc= %d, xrefs: 00413A5A
OSYS::StartProgram getlasterrorstring returned %s, xrefs: 00413B0B
OSYS::StartProgram GetExitCodeProcess returned %d/%s, xrefs: 00413ACC
%s %s, xrefs: 0041395C
OSYS::StartProgram %s %s (sync= %d), xrefs: 0041390D

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset$_strcat_strlen$CloseHandleProcess$CodeCreateExitH_prolog3ObjectSingleWait__strdup_malloc_sprintf
String ID: "%s" %s$%s %s$OSYS::StartProgram %s %s (sync= %d)$OSYS::StartProgram GetExitCodeProcess returned %d/%s$OSYS::StartProgram getlasterrorstring returned %s$OSYS::StartProgram rc= %d$StartProgram done ok= %d
API String ID: 460157589-2564592107
Opcode ID: fe917367b0bc33d998fdebb364a074d108c8b68598e2a7b22ed9481c223aa0d1
Instruction ID: 9f2b3d5c1fd165245e772616ec3f9f7a25e2046d9ef45835da7d579dc45c3d50
Opcode Fuzzy Hash: fe917367b0bc33d998fdebb364a074d108c8b68598e2a7b22ed9481c223aa0d1
Instruction Fuzzy Hash: 50B17BB1D00209AFDF20DF94CC81AEEBBB9FF08305F10412BE955A7281E7795A858B59

Uniqueness

Uniqueness Score: -1.00%

Function 0041D400 Relevance: 44.2, APIs: 7, Strings: 18, Instructions: 429timeCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041D41F

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

__time64.LIBCMT ref: 0041D485

Part of subcall function 0043A1AD: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00418444,?,000001FF), ref: 0043A1B6
Part of subcall function 0043A1AD: __aulldiv.LIBCMT ref: 0043A1D6

Part of subcall function 00438DC2: ___getgmtimebuf.LIBCMT ref: 00438DC3

_strftime.LIBCMT ref: 0041D4AB

Part of subcall function 0043B51C: __Strftime_l.LIBCMT ref: 0043B530

_memset.LIBCMT ref: 0041D4BD
GetTimeZoneInformation.KERNEL32(00000000,?,?,?,?,00454616,000004E4,00454616,000004E4,0000006C), ref: 0041D4C9
_strlen.LIBCMT ref: 0041D52D
_sprintf.LIBCMT ref: 0041D53B

Part of subcall function 0040F93F: _strlen.LIBCMT ref: 0040F95F

Strings

From: , xrefs: 0041D558
%c%02d%02d, xrefs: 0041D527
Content-Type: text/plain, xrefs: 0041D750
Content-Type: multipart/mixed; boundary=", xrefs: 0041D6C4
pGE, xrefs: 0041D5BE
", xrefs: 0041D6DC
--, xrefs: 0041D8EE
%a, %d %b %Y %H:%M:%S, xrefs: 0041D49A
Date: , xrefs: 0041D64B
EMAIL::CreateMailString datebuf= %s, xrefs: 0041D547
EMAIL::CreateMailString zone=%d, tz.Bias= %d, tz.DaylightBias= %d, xrefs: 0041D4DB
" <, xrefs: 0041D596
Subject: , xrefs: 0041D670
MIME-Version: 1.0, xrefs: 0041D6E9
To: , xrefs: 0041D5CC
This is a multi-part MIME message, xrefs: 0041D6FF
Please use a MIME compliant mail, xrefs: 0041D70C
reader to display this message., xrefs: 0041D719

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Time_strlen$H_prolog3$FileInformationStrftime_lSystemZone___getgmtimebuf__aulldiv__time64_memset_sprintf_strftime
String ID: %c%02d%02d$ reader to display this message.$"$" <$%a, %d %b %Y %H:%M:%S$--$Content-Type: multipart/mixed; boundary="$Content-Type: text/plain$Date: $EMAIL::CreateMailString datebuf= %s$EMAIL::CreateMailString zone=%d, tz.Bias= %d, tz.DaylightBias= %d$From: $MIME-Version: 1.0$Please use a MIME compliant mail$Subject: $This is a multi-part MIME message$To: $pGE
API String ID: 1090602794-171040760
Opcode ID: aaa7ef071b09f823b0aaf3ed8427fa3538475bb95462163fc0bb7b2e5343b8c3
Instruction ID: 9edeb56dc9fe65db37b10f36e21e30427d5513483332f22ba7b88789e17771b4
Opcode Fuzzy Hash: aaa7ef071b09f823b0aaf3ed8427fa3538475bb95462163fc0bb7b2e5343b8c3
Instruction Fuzzy Hash: FBE120B0E00108BBDB29EBA5CC92BBE726A9F5430CF14403EB405B76D2DB7C5D499769

Uniqueness

Uniqueness Score: -1.00%

Function 0041A786 Relevance: 42.3, APIs: 16, Strings: 8, Instructions: 251COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041A79F
_memset.LIBCMT ref: 0041A7B2
GetTextMetricsA.GDI32(?,?), ref: 0041A7C1
_memset.LIBCMT ref: 0041A7D1
GetDeviceCaps.GDI32(?,00000058), ref: 0041A7E4
GetDeviceCaps.GDI32(?,0000005A), ref: 0041A7EE
_strcat.LIBCMT ref: 0041A81B
CreateFontIndirectA.GDI32(?), ref: 0041A826

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 00413B91: GetCurrentThreadId.KERNEL32 ref: 00413B9A

SelectObject.GDI32(?,?), ref: 0041A860
GetTextExtentPoint32A.GDI32(?,0045B720,00000001,?), ref: 0041A877
_strlen.LIBCMT ref: 0041A8F0
SetTextAlign.GDI32(?,?), ref: 0041A9F3
MoveToEx.GDI32(?,?,?,00000000), ref: 0041AA0D
TextOutA.GDI32(?,00000000,00000000,?,?), ref: 0041AA26
SelectObject.GDI32(?,?), ref: 0041AA4B
DeleteObject.GDI32(?), ref: 0041AA54

Strings

%USERNAME%, xrefs: 0041A920
hfont, xrefs: 0041A83C
%TIME%, xrefs: 0041A9A1
%DATE%, xrefs: 0041A976
Arial, xrefs: 0041A7FF
%COMPUTERNAME%, xrefs: 0041A94B
.\printer_win32.cpp, xrefs: 0041A837
%PAGE%, xrefs: 0041A9CD

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Text$Object_memset$CapsDeviceH_prolog3Select$AlignCreateCurrentDeleteErrorExtentFontIndirectLastMetricsMovePoint32Thread__snprintf_strcat_strlen
String ID: %COMPUTERNAME%$%DATE%$%PAGE%$%TIME%$%USERNAME%$.\printer_win32.cpp$Arial$hfont
API String ID: 411745296-769191020
Opcode ID: 4344baf39eaa0199fa139c6f280d03052772baec5c9b33d4fb72077a0452d01f
Instruction ID: de87ddb849c0eccfc1112d34385da5888fa828342e71014327147372c3aa2823
Opcode Fuzzy Hash: 4344baf39eaa0199fa139c6f280d03052772baec5c9b33d4fb72077a0452d01f
Instruction Fuzzy Hash: 3F918E71500248EFDB10EFA4DD86ADD7BF4EF18705F10012AF905A7292DB78EA48CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00414BB3 Relevance: 38.8, APIs: 12, Strings: 10, Instructions: 327libraryfileloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00414BD5
_memset.LIBCMT ref: 00414BFE
LoadLibraryA.KERNEL32(dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?,?,000001A0), ref: 00414D27
GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 00414D3D
GetCurrentThreadId.KERNEL32 ref: 00414D58

Part of subcall function 00437ED0: __lock.LIBCMT ref: 00437EEE
Part of subcall function 00437ED0: ___sbh_find_block.LIBCMT ref: 00437EF9
Part of subcall function 00437ED0: ___sbh_free_block.LIBCMT ref: 00437F08
Part of subcall function 00437ED0: RtlFreeHeap.NTDLL(00000000,?,00469980,0000000C,00443465,00000000,00469F50,0000000C,0044349D,?,?,?,004388FB,00000004,004699E0,0000000C), ref: 00437F38
Part of subcall function 00437ED0: GetLastError.KERNEL32(?,004388FB,00000004,004699E0,0000000C,00442E08,?,?,00000000,00000000,00000000,0043FA2F,00000001,00000214,?,00000000), ref: 00437F49

__itoa.LIBCMT ref: 00414DBB

Part of subcall function 0043C586: _xtoa@16.LIBCMT ref: 0043C5A4

_strcat.LIBCMT ref: 00414DCB
_sprintf.LIBCMT ref: 00414EB5
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,00454616,000004E4,004595B8,00454616,00000001,00470834,0047084C), ref: 00414EF3
GetCurrentProcessId.KERNEL32(00000000,?,?,00000000,00000000,?,?,000001A0), ref: 00414F17
GetCurrentProcess.KERNEL32(00000000,?,?,000001A0), ref: 00414F1E
CloseHandle.KERNEL32(00000000,?,?,000001A0), ref: 00414F29

Part of subcall function 0040F93F: _strlen.LIBCMT ref: 0040F95F

Part of subcall function 0041F5E6: _memset.LIBCMT ref: 0041F5F5

Part of subcall function 0041F601: __fread_nolock.LIBCMT ref: 0041F65C
Part of subcall function 0041F601: __fread_nolock.LIBCMT ref: 0041F68B

Strings

The program %s has encountered an error and will be terminated.You can choose to create a file containing crash-debugging information,which you can then email to EmTec:Filename: %sDo you now want to create the crash-information file?, xrefs: 00414EA5, 00414EB0, 00414EB4
dbghelp.dll, xrefs: 00414CED
.dmp, xrefs: 00414E6F
EmTec.CrashInfo., xrefs: 00414E1B
EMTECAPP::WriteDumpToFileHandler failed to load dll or proc address (%08x/%08x), xrefs: 00414F9C
EMTECAPP::WriteDumpToFileHandler dump file written, xrefs: 00414F7C
MiniDumpWriteDump, xrefs: 00414D37
EMTECAPP::WriteDumpToFileHandler finished, xrefs: 00414FA9
.gz, xrefs: 00414F40
EMTECAPP::WriteDumpToFileHandler entered, xrefs: 00414BE0

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Current$Process__fread_nolock_memset$AddressCloseCreateErrorFileFreeH_prolog3HandleHeapLastLibraryLoadProcThread___sbh_find_block___sbh_free_block__itoa__lock_sprintf_strcat_strlen_xtoa@16
String ID: .dmp$.gz$EMTECAPP::WriteDumpToFileHandler dump file written$EMTECAPP::WriteDumpToFileHandler entered$EMTECAPP::WriteDumpToFileHandler failed to load dll or proc address (%08x/%08x)$EMTECAPP::WriteDumpToFileHandler finished$EmTec.CrashInfo.$MiniDumpWriteDump$The program %s has encountered an error and will be terminated.You can choose to create a file containing crash-debugging information,which you can then email to EmTec:Filename: %sDo you now want to create the crash-information file?$dbghelp.dll
API String ID: 1412181423-975744805
Opcode ID: 258bd4c5546637af212bd5a773151d5f962bcdc9fbcd58e8affa2c0c6cd285ef
Instruction ID: 32967b7bc490c625620c72a5cd5a3e9694e12f9ab8f301fc07ae11e0a076406e
Opcode Fuzzy Hash: 258bd4c5546637af212bd5a773151d5f962bcdc9fbcd58e8affa2c0c6cd285ef
Instruction Fuzzy Hash: D9C1A071D00248EFDB10EBA5CC46ADEBBB4AB14308F20416EF515B72D2EB785A49CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004231FB Relevance: 38.8, APIs: 11, Strings: 11, Instructions: 281networkCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042321A

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5CA
Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5F1
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B646
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B66F

_memset.LIBCMT ref: 0042328C

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 0041B3FE: MessageBoxA.USER32(00000000,00000000,?,00000014), ref: 0041B6F3

Part of subcall function 0042286C: _memset.LIBCMT ref: 004228FC

inet_ntoa.WS2_32(?), ref: 00423336
htons.WS2_32(00000000), ref: 00423362
socket.WS2_32(00000002,00000001,00000000), ref: 00423371
connect.WS2_32(00000000,00000000,00000010), ref: 004233C7
WSAGetLastError.WS2_32 ref: 004233D0
inet_ntoa.WS2_32(?), ref: 00423455
_sprintf.LIBCMT ref: 0042346A

Part of subcall function 00421F9C: __EH_prolog3.LIBCMT ref: 00421FBB
Part of subcall function 00421F9C: _memset.LIBCMT ref: 00421FEB
Part of subcall function 00421F9C: _memset.LIBCMT ref: 00421FFB
Part of subcall function 00421F9C: getsockopt.WS2_32(?,0000FFFF,00001007,?,00000004), ref: 0042201B
Part of subcall function 00421F9C: FormatMessageA.KERNEL32(00001000,00000000,?,00000000,00000000,00000100,00000000,?,?,?,?,?,00000024), ref: 00422031
Part of subcall function 00421F9C: _strlen.LIBCMT ref: 0042203B
Part of subcall function 00421F9C: _strlen.LIBCMT ref: 0042204D
Part of subcall function 00421F9C: _strlen.LIBCMT ref: 0042205D
Part of subcall function 00421F9C: _strlen.LIBCMT ref: 0042206D
Part of subcall function 00421F9C: _strlen.LIBCMT ref: 00422079

closesocket.WS2_32(00000000), ref: 004234D0
WSAGetLastError.WS2_32(?,00000000,000004E4), ref: 00423557

Strings

%s (%s), xrefs: 00423464
!this->DevIsConnected(), xrefs: 00423268, 004232CC
TCPIPIO::MakeCall, xrefs: 00423225
TCPIPIO::MakeCall after resolv() hnm= %08x host %s/%s, port= %d, xrefs: 00423340
TCPIPIO::MakeCall(%s), xrefs: 004232E4
TCPIPIO::MakeCall after connect(): rc= %d, xrefs: 00423446
.\tcpio.cpp, xrefs: 00423249, 0042324E, 00423267, 004232CB
!this->IsDead, xrefs: 0042324F
TCPIPIO::MakeCall after socket(): sock= %d, xrefs: 0042338D
TCPIPIO::MakeCall sock %d in writefds, xrefs: 0042341A
TCPIPIO::~MakeCall last error= %d WSABASEERR+%d, xrefs: 00423569

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strlen$_memset$H_prolog3$ErrorLast_sprintf$Message_fprintfinet_ntoa$Format__snprintfclosesocketconnectgetsockopthtonssocket
String ID: !this->DevIsConnected()$!this->IsDead$%s (%s)$.\tcpio.cpp$TCPIPIO::MakeCall$TCPIPIO::MakeCall after connect(): rc= %d$TCPIPIO::MakeCall after resolv() hnm= %08x host %s/%s, port= %d$TCPIPIO::MakeCall after socket(): sock= %d$TCPIPIO::MakeCall sock %d in writefds$TCPIPIO::MakeCall(%s)$TCPIPIO::~MakeCall last error= %d WSABASEERR+%d
API String ID: 129376235-4281641237
Opcode ID: 0550efdde3bf1711dfb060afa60386cc812a1520f6ee2f529c9b82bf9ed5c5bb
Instruction ID: f84bd398aa0b8edb1ca1b1d189ff3eeded0742f734d36885d07a4d4526fa10e7
Opcode Fuzzy Hash: 0550efdde3bf1711dfb060afa60386cc812a1520f6ee2f529c9b82bf9ed5c5bb
Instruction Fuzzy Hash: 12A1D071A00309AFDB10EFA4DC46BEE77B8FF04319F10052EF965961D1E7789A848B59

Uniqueness

Uniqueness Score: -1.00%

Function 00423E4A Relevance: 38.7, APIs: 9, Strings: 13, Instructions: 204networkCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00423E51

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5CA
Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5F1
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B646
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B66F

accept.WS2_32(?,?,00000010), ref: 00423F29
WSAGetLastError.WS2_32 ref: 00423F36
getpeername.WS2_32(?,?,?), ref: 00424000
gethostbyaddr.WS2_32(?,00000004,?), ref: 00424024
inet_ntoa.WS2_32(?), ref: 0042403A
_sprintf.LIBCMT ref: 0042404C
inet_ntoa.WS2_32(?), ref: 0042405F
_strcat.LIBCMT ref: 00424067

Part of subcall function 00421E54: __EH_prolog3.LIBCMT ref: 00421E73
Part of subcall function 00421E54: WSAGetLastError.WS2_32(00000020), ref: 00421E94
Part of subcall function 00421E54: _memset.LIBCMT ref: 00421EB9
Part of subcall function 00421E54: _memset.LIBCMT ref: 00421EC9
Part of subcall function 00421E54: FormatMessageA.KERNEL32(00001000,00000000,?,00000000,00000000,00000100,00000000,?,?,?,?,?,00000020), ref: 00421EDF
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421EE9
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421EFB
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421F0B
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421F1B
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421F27

Strings

TCPIPIO::AcceptCall accepted 2, xrefs: 00424006
!this->DevIsConnected(), xrefs: 00423E9A
TCPIPIO::~AcceptCall, xrefs: 004240DF
TCPIPIO::AcceptCall accepted call from %s, xrefs: 00424074
.\tcpio.cpp, xrefs: 00423E7B, 00423E80, 00423E99, 00423ED6
!this->IsDead, xrefs: 00423E81
TCPIPIO::AcceptCall, xrefs: 00423E5A
TCPIPIO::AcceptCall aborted due to InSocket==-1, looks like destructor or dropcall was called, xrefs: 00423F8F
TCPIPIO::AcceptCall accepted ok, skt=%d, xrefs: 00423FA6
this->InSocket==-1 || (int)this->OurId==0, xrefs: 00423ED7
%s (%s), xrefs: 00424046
TCPIPIO::AcceptCall error, xrefs: 004240CC
TCPIPIO::AcceptCall accept() returned skt==-1, LastError=%d/%s, xrefs: 00423F5A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strlen$ErrorLast_memset_sprintf$H_prolog3_fprintfinet_ntoa$FormatH_prolog3_Message__snprintf_strcatacceptgethostbyaddrgetpeername
String ID: !this->DevIsConnected()$!this->IsDead$%s (%s)$.\tcpio.cpp$TCPIPIO::AcceptCall$TCPIPIO::AcceptCall aborted due to InSocket==-1, looks like destructor or dropcall was called$TCPIPIO::AcceptCall accept() returned skt==-1, LastError=%d/%s$TCPIPIO::AcceptCall accepted 2$TCPIPIO::AcceptCall accepted call from %s$TCPIPIO::AcceptCall accepted ok, skt=%d$TCPIPIO::AcceptCall error$TCPIPIO::~AcceptCall$this->InSocket==-1 || (int)this->OurId==0
API String ID: 446236285-3640719151
Opcode ID: 3b2c2cb99fb4b12ae5de073c81d2e619ffadac9e2a0f0a3b858dead03fc1e6a4
Instruction ID: 73fe5e83fdac3baf48c867db7f613a4406ec0c6b2f47f8a3ad0caff589f47dce
Opcode Fuzzy Hash: 3b2c2cb99fb4b12ae5de073c81d2e619ffadac9e2a0f0a3b858dead03fc1e6a4
Instruction Fuzzy Hash: BB61C570A00308AFDB24AFB5DC46BEE77B8EF44705F50042FF915A6192DB7C6A498B19

Uniqueness

Uniqueness Score: -1.00%

Function 0042DE0E Relevance: 38.6, APIs: 7, Strings: 15, Instructions: 58COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 0042DE40
_fprintf.LIBCMT ref: 0042DE4B
_fprintf.LIBCMT ref: 0042DE60
_fprintf.LIBCMT ref: 0042DE75

Part of subcall function 0043A91C: __stbuf.LIBCMT ref: 0043AA2A
Part of subcall function 0043A91C: __output_l.LIBCMT ref: 0043AA3A
Part of subcall function 0043A91C: __ftbuf.LIBCMT ref: 0043AA44

_fprintf.LIBCMT ref: 0042DE80
_fprintf.LIBCMT ref: 0042DE9D
_fprintf.LIBCMT ref: 0042DEB7

Strings

modifiers: -q quiet mode (-qq => quieter) -n never overwrite existing files -a auto-convert any text files -o overwrite files WITHOUT prompting -aa treat ALL files as text -j junk paths (don't make dire, xrefs: 0042DE97
main listing-format options: -s short Unix "ls -l" format (def.) -1 filenames ONLY, one per line -m medium Unix "ls -l" format -2 just filenames but allow -h/-t/-z -l long Unix "ls -l" format , xrefs: 0042DE45
ReadMe, xrefs: 0042DEA5, 0042DEAA, 0042DEAB
-c extract files to stdout/screen (CRT) -l list files (short format) -p extract files to pipe, no messages -v list files (verbose format) -f freshen existing files, create none -t test compressed archive data -u update files, create if , xrefs: 0042DE7A
-Z => ZipInfo mode ("unzip -Z" for usage)., xrefs: 0042DE65
2.0 of 7 February 1994, xrefs: 0042DE35
-$ label removables (-$$ => fixed disks), xrefs: 0042DE8E
[-Z] , xrefs: 0042DE6A
unzip -p foo | more => send contents of foo.zip via pipe into program more, xrefs: 0042DEAC
Usage: unzip %s[-opts[modifiers]] file[.zip] [list] [-x xlist] [-d exdir] Default action is to extract files in list, except those in xlist, to exdir; file[.zip] may be a wildcard. %s, xrefs: 0042DE6F
ZipInfo %s, by Newtware and the fine folks at Info-ZIP.List name, date/time, attribute, size, compression method, etc., about filesin list (excluding those in xlist) contained in the specified .zip archive(s)."file[.zip]" may be a wildcard name containing , xrefs: 0042DE3A
UnZip %s, by Info-ZIP. Portions (c) 1989 by S. H. Smith.Send bug reports to authors at zip-bugs@wkuvx1.wku.edu; see README for details., xrefs: 0042DE5A
-s spaces in filenames => '_', xrefs: 0042DE85
5.1 of 7 February 1994, xrefs: 0042DE55
Examples (see unzip.doc for more info): unzip data1 -x joe => extract all files except joe from zipfile data1.zip %s unzip -fo foo %-6s => quietly replace existing %s if archive file newer, xrefs: 0042DEB1

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fprintf$__ftbuf__output_l__stbuf
String ID: main listing-format options: -s short Unix "ls -l" format (def.) -1 filenames ONLY, one per line -m medium Unix "ls -l" format -2 just filenames but allow -h/-t/-z -l long Unix "ls -l" format $ -s spaces in filenames => '_'$ -c extract files to stdout/screen (CRT) -l list files (short format) -p extract files to pipe, no messages -v list files (verbose format) -f freshen existing files, create none -t test compressed archive data -u update files, create if $ -$ label removables (-$$ => fixed disks)$-Z => ZipInfo mode ("unzip -Z" for usage).$2.0 of 7 February 1994$5.1 of 7 February 1994$Examples (see unzip.doc for more info): unzip data1 -x joe => extract all files except joe from zipfile data1.zip %s unzip -fo foo %-6s => quietly replace existing %s if archive file newer$ReadMe$UnZip %s, by Info-ZIP. Portions (c) 1989 by S. H. Smith.Send bug reports to authors at zip-bugs@wkuvx1.wku.edu; see README for details.$Usage: unzip %s[-opts[modifiers]] file[.zip] [list] [-x xlist] [-d exdir] Default action is to extract files in list, except those in xlist, to exdir; file[.zip] may be a wildcard. %s$ZipInfo %s, by Newtware and the fine folks at Info-ZIP.List name, date/time, attribute, size, compression method, etc., about filesin list (excluding those in xlist) contained in the specified .zip archive(s)."file[.zip]" may be a wildcard name containing $[-Z] $modifiers: -q quiet mode (-qq => quieter) -n never overwrite existing files -a auto-convert any text files -o overwrite files WITHOUT prompting -aa treat ALL files as text -j junk paths (don't make dire$unzip -p foo | more => send contents of foo.zip via pipe into program more
API String ID: 1591213610-3258946459
Opcode ID: 59dded01f7fb495cb2f4637b836dac185cf73b54146ce570a513b401aab65abb
Instruction ID: c81c30eb9ef5b20270438dd7bdb15b1fd7df5a3f909f22f6038f1c6e7f88b0e4
Opcode Fuzzy Hash: 59dded01f7fb495cb2f4637b836dac185cf73b54146ce570a513b401aab65abb
Instruction Fuzzy Hash: 1101BCB1BC172072D2A076109C0BF6F10088F39B4AF264627B844BA1C3F6EC6A1141EF

Uniqueness

Uniqueness Score: -1.00%

Function 0042EB73 Relevance: 37.0, APIs: 11, Strings: 10, Instructions: 260COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 0042EBA2
_strcat.LIBCMT ref: 0042EBB1
_strcat.LIBCMT ref: 0042EBC0

Part of subcall function 00431C66: _strrchr.LIBCMT ref: 00431C85
Part of subcall function 00431C66: _strrchr.LIBCMT ref: 00431C98
Part of subcall function 00431C66: _strcat.LIBCMT ref: 00431DBF

_fprintf.LIBCMT ref: 0042ED0A
_fprintf.LIBCMT ref: 0042ED3B
_fprintf.LIBCMT ref: 0042ED6E

Part of subcall function 0043BD9D: _flsall.LIBCMT ref: 0043BDB1

_fprintf.LIBCMT ref: 0042ED97
_fprintf.LIBCMT ref: 0042EDC0
_fprintf.LIBCMT ref: 0042EDDB
_fprintf.LIBCMT ref: 0042EDFA
_fprintf.LIBCMT ref: 0042EE1C

Strings

No zipfiles found., xrefs: 0042EE0F
.zip, xrefs: 0042EC7D
was, xrefs: 0042ED20
%d file%s had no zipfile directory., xrefs: 0042EDB3
%d archive%s had warnings but no fatal errors., xrefs: 0042ED61
1 "zipfile" was a directory., xrefs: 0042EDCE
%d "zipfiles" were directories., xrefs: 0042EDED
%d archive%s had fatal errors., xrefs: 0042ED8A
%d archive%s successfully processed., xrefs: 0042ED2E
s were, xrefs: 0042ED27, 0042ED2C

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fprintf$_strcat$_strrchr$_flsall
String ID: was$%d "zipfiles" were directories.$%d archive%s had fatal errors.$%d archive%s had warnings but no fatal errors.$%d archive%s successfully processed.$%d file%s had no zipfile directory.$.zip$1 "zipfile" was a directory.$No zipfiles found.$s were
API String ID: 1335468881-1475570261
Opcode ID: f928747ab51a0ec33ed83665186d12e698fc02871362f86f2086615b8d61531c
Instruction ID: 5e131f71e70b1127eb4c862e398cbca7e20acfaaab4c8766cc04d4663deef660
Opcode Fuzzy Hash: f928747ab51a0ec33ed83665186d12e698fc02871362f86f2086615b8d61531c
Instruction Fuzzy Hash: 5781B572F04219ABDF20ABD7EC47B7E7674EF14308F68146FE500A2252D67D9D40869E

Uniqueness

Uniqueness Score: -1.00%

Function 0041C0B9 Relevance: 36.9, APIs: 6, Strings: 15, Instructions: 187memorycomCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5CA
Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5F1
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B646
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B66F

Part of subcall function 0041B3FE: MessageBoxA.USER32(00000000,00000000,?,00000014), ref: 0041B6F3

Part of subcall function 0041BF40: SysFreeString.OLEAUT32(00000000), ref: 0041C07A

CoCreateInstance.OLE32(0045CCDC,00000000,00000001,0045CCEC,?), ref: 0041C191
SysAllocString.OLEAUT32(?), ref: 0041C1C2
SysAllocString.OLEAUT32(?), ref: 0041C21F
SysStringLen.OLEAUT32(?), ref: 0041C232
SysFreeString.OLEAUT32(?), ref: 0041C299
SysFreeString.OLEAUT32(?), ref: 0041C29E

Strings

FIREWALL::AddApplication() appname=%s, xrefs: 0041C0C7
FIREWALL::AddApplication() get_AuthorizedApplications failed: 0x%08lx, xrefs: 0041C179
FIREWALL::AddApplication() failed: 0x%08lx, xrefs: 0041C14B
FIREWALL::AddApplication() Application %s is now added to the firewall, xrefs: 0041C27B
.\firewall.cpp, xrefs: 0041C0DE, 0041C0E3, 0041C0F8, 0041C10E
this->boolUpAndRunning, xrefs: 0041C0E4
FIREWALL::AddApplication() put_ProcessImageFileName failed: 0x%08lx, xrefs: 0041C204
FIREWALL::AddApplication() CoCreateInstance failed: 0x%08lx, xrefs: 0041C19F
FIREWALL::~AddApplication(), xrefs: 0041C2BC
friendlyname, xrefs: 0041C10F
appname, xrefs: 0041C0F9
FIREWALL::AddApplication() put_Name failed: 0x%08lx, xrefs: 0041C250
FIREWALL::AddApplication() Application is already added, xrefs: 0041C285
FIREWALL::AddApplication() SysAllocString failed: 0x%08lx, xrefs: 0041C1E6
FIREWALL::AddApplication() Add failed: 0x%08lx, xrefs: 0041C26E

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: String$Free$Alloc_fprintf_sprintf$CreateErrorH_prolog3InstanceLastMessage__snprintf_memset
String ID: .\firewall.cpp$FIREWALL::AddApplication() Add failed: 0x%08lx$FIREWALL::AddApplication() Application %s is now added to the firewall$FIREWALL::AddApplication() Application is already added$FIREWALL::AddApplication() CoCreateInstance failed: 0x%08lx$FIREWALL::AddApplication() SysAllocString failed: 0x%08lx$FIREWALL::AddApplication() appname=%s$FIREWALL::AddApplication() failed: 0x%08lx$FIREWALL::AddApplication() get_AuthorizedApplications failed: 0x%08lx$FIREWALL::AddApplication() put_Name failed: 0x%08lx$FIREWALL::AddApplication() put_ProcessImageFileName failed: 0x%08lx$FIREWALL::~AddApplication()$appname$friendlyname$this->boolUpAndRunning
API String ID: 145553169-3139093960
Opcode ID: be3114621444a599238903072c5128f25ae40242bf6d656d223780fa1294a45f
Instruction ID: 0d495be4249b5cc1d586a1c9b5cd5f098dc9ad7390276dab326942c1243a3079
Opcode Fuzzy Hash: be3114621444a599238903072c5128f25ae40242bf6d656d223780fa1294a45f
Instruction Fuzzy Hash: 15516F70A80218FFCB009FA5CC85EEE7BB9EF44705F20406BF805A6292D7785985DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00443684 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 156fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 004436F0
__invoke_watson.LIBCMT ref: 00443701
GetModuleFileNameA.KERNEL32(00000000,00489AD1,00000104), ref: 0044371D
_strcpy_s.LIBCMT ref: 00443732
__invoke_watson.LIBCMT ref: 00443745
_strlen.LIBCMT ref: 0044374E
_strlen.LIBCMT ref: 0044375B
__invoke_watson.LIBCMT ref: 00443788
_strcat_s.LIBCMT ref: 0044379B
__invoke_watson.LIBCMT ref: 004437AC
_strcat_s.LIBCMT ref: 004437BD
__invoke_watson.LIBCMT ref: 004437CE
GetStdHandle.KERNEL32(000000F4,?,?,00000000,76EC5E70,00000003,00443850,000000FC,00437FD5,00000001,00000000,00000000,?,00442DC2,?,00000001), ref: 004437ED
_strlen.LIBCMT ref: 0044380E
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00442DC2,?,00000001,?,0044340E,00000018,00469F50,0000000C,0044349D,?), ref: 00443818

Strings

<program name unknown>, xrefs: 00443727
Runtime Error!Program: , xrefs: 004436DF
..., xrefs: 0044376C
Microsoft Visual C++ Runtime Library, xrefs: 004437DB

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 1879448924-4022980321
Opcode ID: 2b173ce02994bfd1ff118d10324e9da42cefed77c6bc8a9c24a296f30bae393f
Instruction ID: 9cdf851f7319f97c234aba2b513937a4af79f96d6caeed6fc274dce729b95fe6
Opcode Fuzzy Hash: 2b173ce02994bfd1ff118d10324e9da42cefed77c6bc8a9c24a296f30bae393f
Instruction Fuzzy Hash: 003115E2A003153AFA203A265C46F6F765C9B11B5AF14413BFE45A1293FA5DDA1082FE

Uniqueness

Uniqueness Score: -1.00%

Function 004223B8 Relevance: 31.9, APIs: 3, Strings: 15, Instructions: 357COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004223BF

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 00410409: __vsnprintf.LIBCMT ref: 00410452

Strings

SOCKET, xrefs: 004224BA
DEVICENAME, xrefs: 0042248E
LASTERRORSTRING, xrefs: 004225F8, 004225FD, 004226A8, 0042274B
LASTERROR, xrefs: 004225C7
BANDWIDTH, xrefs: 0042254F
.\tcpio.cpp, xrefs: 0042267D
FALSE, xrefs: 00422682
TCPIP, xrefs: 004224A3
WSALASTERRORSTRING, xrefs: 00422629
LASTERRORCLASS, xrefs: 00422613, 004227FB
CALLERID, xrefs: 00422463
ACCEPTPORT, xrefs: 004224E6
IDLE_TIME, xrefs: 0042256B
OWNID, xrefs: 00422429
ONLINE, xrefs: 00422407

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3H_prolog3___vsnprintf_strlen
String ID: .\tcpio.cpp$ACCEPTPORT$BANDWIDTH$CALLERID$DEVICENAME$FALSE$IDLE_TIME$LASTERROR$LASTERRORCLASS$LASTERRORSTRING$ONLINE$OWNID$SOCKET$TCPIP$WSALASTERRORSTRING
API String ID: 2169032328-1447373423
Opcode ID: 28ac3450a6fd6e0041946e3f8021c9285606d5c8fc64eba0529bb806dccee52a
Instruction ID: aec708d039b01389e1deb601e250846b39fc9175c7c2d7eaa08ea155be836ead
Opcode Fuzzy Hash: 28ac3450a6fd6e0041946e3f8021c9285606d5c8fc64eba0529bb806dccee52a
Instruction Fuzzy Hash: 36D19071E00258BADF21EBA1DD46BDEBB74AF14308F14403BFC05761D3E6B84A49DA69

Uniqueness

Uniqueness Score: -1.00%

Function 00447BE3 Relevance: 30.3, APIs: 20, Instructions: 330COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00447C24
___crtGetEnvironmentStringsW.LIBCMT ref: 00447C6F
__wsetenvp.LIBCMT ref: 00447C79
___mbtow_environ.LIBCMT ref: 00447C82
__malloc_crt.LIBCMT ref: 00447CAD
__malloc_crt.LIBCMT ref: 00447CC8
__recalloc_crt.LIBCMT ref: 00447D42
__recalloc_crt.LIBCMT ref: 00447D7E
__calloc_crt.LIBCMT ref: 00447DBA
_wcscpy_s.LIBCMT ref: 00447DDE
__invoke_watson.LIBCMT ref: 00447DEF
SetEnvironmentVariableW.KERNEL32(00000000,0043C79D,?,?,?,?,00000000,00000000,?,?,?,?,0043C79D,?,00000000), ref: 00447E18
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,0043C79D,?,00000000), ref: 00447E22
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 00447E5A
__calloc_crt.LIBCMT ref: 00447E6A
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?,00000000,00000000), ref: 00447E85
WideCharToMultiByte.KERNEL32(00000000,00000000,00000002,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 00447E99
__calloc_crt.LIBCMT ref: 00447EA5
WideCharToMultiByte.KERNEL32(00000000,00000000,00000002,000000FF,00000000,?,00000000,00000000,?,?,?,?,00000000,00000000), ref: 00447EBE
SetEnvironmentVariableA.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,?,?,0043C79D,?), ref: 00447EDE

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ByteCharMultiWide$Environment__calloc_crt$Variable__malloc_crt__recalloc_crt$ErrorLastStrings___crt___mbtow_environ__invoke_watson__wsetenvp_wcschr_wcscpy_s
String ID:
API String ID: 1513918819-0
Opcode ID: ec6648d9b026d98caec469b5b610685eb70968e0373dd1280c99af67acf8d898
Instruction ID: 5f657883fc8b45651bf58b827eaec470c68bd1e7227da8910a2a10fbe5650333
Opcode Fuzzy Hash: ec6648d9b026d98caec469b5b610685eb70968e0373dd1280c99af67acf8d898
Instruction Fuzzy Hash: 4CA1F6B1909215AFEF219FA5DC818AF7BB4EF04765F24066BF110E6290DB394D42CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0041B3FE Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 256windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041B420
_memset.LIBCMT ref: 0041B468

Part of subcall function 0041036C: __EH_prolog3.LIBCMT ref: 00410373
Part of subcall function 0041036C: _strlen.LIBCMT ref: 004103B5
Part of subcall function 0041036C: _strlen.LIBCMT ref: 004103E2

GetLastError.KERNEL32 ref: 0041B519
__snprintf.LIBCMT ref: 0041B550
_sprintf.LIBCMT ref: 0041B5CA
_sprintf.LIBCMT ref: 0041B5F1
_fprintf.LIBCMT ref: 0041B646
_fprintf.LIBCMT ref: 0041B66F

Part of subcall function 00412A8A: __EH_prolog3.LIBCMT ref: 00412AA9
Part of subcall function 00412A8A: GetLastError.KERNEL32(00000008), ref: 00412ACB
Part of subcall function 00412A8A: _memset.LIBCMT ref: 00412AED
Part of subcall function 00412A8A: FormatMessageA.KERNEL32(00001000,00000000,FFFFED99,00000000,00000000,00000100,00000000,?,?,00000008), ref: 00412B0C

MessageBoxA.USER32(00000000,00000000,?,00000014), ref: 0041B6F3

Strings

Es ist eine unerwartete Situation aufgetreten!Bitte melden Sie die Umstaende des Fehlers und die folgendenInformationen an uns (siehe auch Datei assert.log im Ordner,in dem das Programm installiert wurde):%sWollen Sie jetzt versuchen mit dem Programm fo, xrefs: 0041B5E0, 0041B5EC, 0041B5F0
Condition: %s Location : %s line %d Last Err.: %dL (%s) Add. Info: %s, xrefs: 0041B5A4, 0041B5C2
assert.log, xrefs: 0041B60C
Unexpected condition encountered!Please contact us via our web site and provide the following information (logged in assert.log file in the program's installation folder):%sDo you want to try to continue with the program?, xrefs: 0041B5D9
Bedingung: %s Datei: %s Zeile %d Code : %dL (%s) Info : %s, xrefs: 0041B59D
*** ASSERTION FAILED: %s, xrefs: 0041B5FD
%s, xrefs: 0041B669
--- %s --- %s %s ---, xrefs: 0041B640

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$ErrorLastMessage_fprintf_memset_sprintf_strlen$Format__snprintf
String ID: Bedingung: %s Datei: %s Zeile %d Code : %dL (%s) Info : %s$ Condition: %s Location : %s line %d Last Err.: %dL (%s) Add. Info: %s$%s$*** ASSERTION FAILED: %s$--- %s --- %s %s ---$Es ist eine unerwartete Situation aufgetreten!Bitte melden Sie die Umstaende des Fehlers und die folgendenInformationen an uns (siehe auch Datei assert.log im Ordner,in dem das Programm installiert wurde):%sWollen Sie jetzt versuchen mit dem Programm fo$Unexpected condition encountered!Please contact us via our web site and provide the following information (logged in assert.log file in the program's installation folder):%sDo you want to try to continue with the program?$assert.log
API String ID: 9982543-2050502595
Opcode ID: bf3f9a5c37375bf90e1fad60e5d8b31935cedf69277fc1f32b4a22533ed00a7f
Instruction ID: b761c5c2ae010ac39d35002f06cea57e6bde63b3bbeaccff24114ff3d09a139a
Opcode Fuzzy Hash: bf3f9a5c37375bf90e1fad60e5d8b31935cedf69277fc1f32b4a22533ed00a7f
Instruction Fuzzy Hash: BAA1777190024DEEDB10EF95CC45BEE77B8AF18304F14806BE949A7152EB785B48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0043FC1F Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00436592), ref: 0043FC25
__mtterm.LIBCMT ref: 0043FC31

Part of subcall function 0043F90A: TlsFree.KERNEL32(0000001E,0043FD9E), ref: 0043F935
Part of subcall function 0043F90A: DeleteCriticalSection.KERNEL32(00000000,00000000,7591DFB0,00000001,0043FD9E), ref: 00443372
Part of subcall function 0043F90A: DeleteCriticalSection.KERNEL32(0000001E,7591DFB0,00000001,0043FD9E), ref: 0044339C

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0043FC47
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0043FC54
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0043FC61
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0043FC6E
TlsAlloc.KERNEL32 ref: 0043FCBE
TlsSetValue.KERNEL32(00000000), ref: 0043FCD9
__init_pointers.LIBCMT ref: 0043FCE3
__calloc_crt.LIBCMT ref: 0043FD58
GetCurrentThreadId.KERNEL32 ref: 0043FD88

Strings

FlsFree, xrefs: 0043FC63
FlsGetValue, xrefs: 0043FC49
KERNEL32.DLL, xrefs: 0043FC20
FlsAlloc, xrefs: 0043FC41
FlsSetValue, xrefs: 0043FC56

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2125014093-3819984048
Opcode ID: f17f1f6228e1859aef385c73852dc7d18c31423f9613d67ddc967b50f7bf9a95
Instruction ID: c10f32f806a76e15903b70b324ac3eba9c2525523283d9e8e8db92df55d1d375
Opcode Fuzzy Hash: f17f1f6228e1859aef385c73852dc7d18c31423f9613d67ddc967b50f7bf9a95
Instruction Fuzzy Hash: D5319C76D00B02BECB21AF75EC0961E3AA0AB44354F18193FE515C66A1EB79CC44CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041AB78 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 00413B91: GetCurrentThreadId.KERNEL32 ref: 00413B9A

StartPagePrinter.WINSPOOL.DRV(?,?,?,?,?,?,000000FF), ref: 0041ABCB
EndPage.GDI32(?), ref: 0041ABFF
StartPage.GDI32(?), ref: 0041AC08
SetMapMode.GDI32(?,00000001), ref: 0041AC20
SetTextColor.GDI32(?,00000000), ref: 0041AC2A
SetBkMode.GDI32(?,00000001), ref: 0041AC35
SetTextAlign.GDI32(?,00000001), ref: 0041AC47
SelectObject.GDI32(?,?), ref: 0041AC53
DeleteObject.GDI32(?), ref: 0041AC63
GetTextExtentPoint32A.GDI32(?,0045B720,00000001,?), ref: 0041AC77

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Strings

PRINTER::NewPage for page #%d done, xrefs: 0041AC8C
PRINTER::NewPage hdc= %08x, hdirect= %08x, xrefs: 0041AB87
PRINTER::NewPage done, ok= %d, xrefs: 0041ACA4
this->hDC, xrefs: 0041ABE7
PRINTER::NewPage raw StartPagePrinter returned %d, xrefs: 0041ABD3
this->FirstPage, xrefs: 0041ABB8
.\printer_win32.cpp, xrefs: 0041ABB3, 0041ABE2

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: PageText$ModeObjectStart$AlignColorCurrentDeleteErrorExtentH_prolog3LastPoint32Printer.SelectThread__snprintf_memset
String ID: .\printer_win32.cpp$PRINTER::NewPage done, ok= %d$PRINTER::NewPage for page #%d done$PRINTER::NewPage hdc= %08x, hdirect= %08x$PRINTER::NewPage raw StartPagePrinter returned %d$this->FirstPage$this->hDC
API String ID: 1565810209-308295776
Opcode ID: 40c82074a6fbe45ea2f27e455fa30577622e642a4ad1c0d39ee2606cd72c55cd
Instruction ID: 68cb6f971afd61d4bf7108c6b895709d7112df1ea96cfb540c429bb9d5a9c8dc
Opcode Fuzzy Hash: 40c82074a6fbe45ea2f27e455fa30577622e642a4ad1c0d39ee2606cd72c55cd
Instruction Fuzzy Hash: 5D31F431500700EFC7306F91ED86D9B7BF1EB44B16720092EFA43915E2D775E8949B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00414341 Relevance: 28.4, APIs: 2, Strings: 14, Instructions: 398threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00414363

Part of subcall function 004114D2: __EH_prolog3.LIBCMT ref: 004114D9

GetCurrentThreadId.KERNEL32 ref: 00414386

Part of subcall function 00412327: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00412351

Part of subcall function 00411793: __EH_prolog3.LIBCMT ref: 0041179A

Part of subcall function 0041502D: __EH_prolog3.LIBCMT ref: 0041503B

Part of subcall function 00412379: SetCurrentDirectoryA.KERNEL32(00000000,0041441B,00000000), ref: 0041237D

Part of subcall function 00410ED1: __EH_prolog3.LIBCMT ref: 00410ED8

Part of subcall function 004107B9: __EH_prolog3.LIBCMT ref: 004107C0
Part of subcall function 004107B9: _strpbrk.LIBCMT ref: 00410829
Part of subcall function 004107B9: _strlen.LIBCMT ref: 00410835

Part of subcall function 0041B778: __EH_prolog3.LIBCMT ref: 0041B786

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Strings

commandline.ini, xrefs: 00414509
EMTECAPP processing of %s done, xrefs: 004146C8
EMTECAPP sleeping for startupdelay, xrefs: 00414737
service.exe, xrefs: 0041442B
.exe, xrefs: 004145AE
EMTECAPP Program Argument %d= %s, xrefs: 0041470C
HUNGARIAN, xrefs: 004147ED
FRENCH, xrefs: 004147CC
ENGL, xrefs: 004147AB
GER, xrefs: 00414786
<self>, xrefs: 0041436E
EMTECAPP trying %s, xrefs: 00414623
STARTUPDELAY, xrefs: 00414726, 0041472B, 00414745
LANG, xrefs: 00414777

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$Current$Directory_strlen$Thread_strpbrk
String ID: .exe$<self>$EMTECAPP Program Argument %d= %s$EMTECAPP processing of %s done$EMTECAPP sleeping for startupdelay$EMTECAPP trying %s$ENGL$FRENCH$GER$HUNGARIAN$LANG$STARTUPDELAY$commandline.ini$service.exe
API String ID: 2375231372-3197219866
Opcode ID: 6d9bf16b2f49bc5f4fa3657530ab7bb161ecefac2ca5c701648b62cc36ae71f9
Instruction ID: 1eee24efc853de5675181ca2d9abab242090a60288a383665c56af663f1d7f44
Opcode Fuzzy Hash: 6d9bf16b2f49bc5f4fa3657530ab7bb161ecefac2ca5c701648b62cc36ae71f9
Instruction Fuzzy Hash: B2E18530901249EEDB15FBA5CD52ADD7BB4AF14308F10406FF815A3292EB7C5B88CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042CEE1 Relevance: 28.3, APIs: 9, Strings: 7, Instructions: 291COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 0042CF4A
_sprintf.LIBCMT ref: 0042D0C6
_sprintf.LIBCMT ref: 0042D111
_strcat.LIBCMT ref: 0042D122
_fprintf.LIBCMT ref: 0042D1D7
_fprintf.LIBCMT ref: 0042D1EE
_sprintf.LIBCMT ref: 0042D213
_strncmp.LIBCMT ref: 0042D23C
_fprintf.LIBCMT ref: 0042D257

Strings

Unk:%03d, xrefs: 0042D107
%0", xrefs: 0042D092, 0042D127, 0042D16C
.1i, xrefs: 0042D21B
%c%d%%, xrefs: 0042D0C0, 0042D20D
(&, xrefs: 0042D087
C:/Program Files (x86)/ZOC5/zocdll.dll, xrefs: 0042CFEC, 0042CFF1, 0042D025, 0042D119
admin$$$.ini, xrefs: 0042CF23

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fprintf_sprintf$_strncmp$_strcat
String ID: %0"$%c%d%%$(&$.1i$C:/Program Files (x86)/ZOC5/zocdll.dll$Unk:%03d$admin$$$.ini
API String ID: 1056443619-1869785367
Opcode ID: 610943fb32137ae82aca2ec757fffa257c9919da80e3f8cb010acd9df38c36ef
Instruction ID: bdcaeba495aa201353652b95b0f445013597e6ef2bd73bd7b1fe01c8513bd063
Opcode Fuzzy Hash: 610943fb32137ae82aca2ec757fffa257c9919da80e3f8cb010acd9df38c36ef
Instruction Fuzzy Hash: D991E9B1F08320AAE714AF21BC4263A73A5EB54308FA4083FF94197291E77DD955876F

Uniqueness

Uniqueness Score: -1.00%

Function 00421895 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 115libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004218F0
_strcpy_s.LIBCMT ref: 00421912
_strcat_s.LIBCMT ref: 00421924
LoadLibraryA.KERNEL32(?), ref: 00421939
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00421947
FreeLibrary.KERNEL32(00000000), ref: 00421952
_strcpy_s.LIBCMT ref: 0042196A
_strcat_s.LIBCMT ref: 0042197C
LoadLibraryA.KERNEL32(?), ref: 0042198B
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00421999
FreeLibrary.KERNEL32(00000000), ref: 004219A4
GetProcAddress.KERNEL32(00000000,?), ref: 004219B7
FreeLibrary.KERNEL32(00000000), ref: 004219CE

Strings

\ws2_32, xrefs: 00421917
\wship6, xrefs: 0042196F
getaddrinfo, xrefs: 004218B7, 00421941, 00421993

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Library$AddressFreeProc$Load_strcat_s_strcpy_s$DirectorySystem
String ID: \ws2_32$\wship6$getaddrinfo
API String ID: 2766041494-3078833738
Opcode ID: fc9c351837e57fb1d2bbaba8c87479b8ae3d3530adc27506f236f24c2224cd86
Instruction ID: c09625084ad07a351bae1784942f428a890746389d4ea2e44ea5a942682de6aa
Opcode Fuzzy Hash: fc9c351837e57fb1d2bbaba8c87479b8ae3d3530adc27506f236f24c2224cd86
Instruction Fuzzy Hash: 4B41D8B16003189ACB20EFA5AC44BDF77B8AB48755F94012AF809C7211DB78C149CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041BF40 Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5CA
Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5F1
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B646
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B66F

SysAllocString.OLEAUT32(?), ref: 0041BFE0
SysFreeString.OLEAUT32(00000000), ref: 0041C07A

Strings

FIREWALL::~IsAppEnabled(), isenabled=%d, xrefs: 0041C09F
FIREWALL::IsAppEnabled() Application is in exception list, xrefs: 0041C01A
appname, xrefs: 0041BF80
FIREWALL::IsAppEnabled() Application is not in exception list, xrefs: 0041C06C
FIREWALL::IsAppEnabled() SysAllocString failed: 0x%08lx, xrefs: 0041C001
.\firewall.cpp, xrefs: 0041BF65, 0041BF6A, 0041BF7F
this->boolUpAndRunning, xrefs: 0041BF6B
FIREWALL::IsAppEnabled() get_AuthorizedApplications failed: 0x%08lx, xrefs: 0041BFBB
FIREWALL::IsAppEnabled() Application is disabled, xrefs: 0041C05B
FIREWALL::IsAppEnabled() get_Enabled failed: 0x%08lx, xrefs: 0041C039
FIREWALL::IsAppEnabled() Application is enabled, xrefs: 0041C046
FIREWALL::IsAppEnabled() appname=%s, xrefs: 0041BF4E

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: String_fprintf_sprintf$AllocErrorFreeH_prolog3Last__snprintf_memset
String ID: .\firewall.cpp$FIREWALL::IsAppEnabled() Application is disabled$FIREWALL::IsAppEnabled() Application is enabled$FIREWALL::IsAppEnabled() Application is in exception list$FIREWALL::IsAppEnabled() Application is not in exception list$FIREWALL::IsAppEnabled() SysAllocString failed: 0x%08lx$FIREWALL::IsAppEnabled() appname=%s$FIREWALL::IsAppEnabled() get_AuthorizedApplications failed: 0x%08lx$FIREWALL::IsAppEnabled() get_Enabled failed: 0x%08lx$FIREWALL::~IsAppEnabled(), isenabled=%d$appname$this->boolUpAndRunning
API String ID: 2364098195-187328529
Opcode ID: d697eedbcfeda5368be91f308e1fec98d3703059efaedef908a660ae6b516b1b
Instruction ID: af6d0832c6a280f3cc33fbaec8eb06f81df7882105353905301c7af20402ed19
Opcode Fuzzy Hash: d697eedbcfeda5368be91f308e1fec98d3703059efaedef908a660ae6b516b1b
Instruction Fuzzy Hash: 4041E430680308FFCB109BA5CC85EDEBBA4EF49755B20415BFC05AB292C7799D85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041C2DF Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5CA
Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5F1
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B646
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B66F

Part of subcall function 0041BF40: SysFreeString.OLEAUT32(00000000), ref: 0041C07A

SysFreeString.OLEAUT32(00000000), ref: 0041C3FD

Part of subcall function 004104E2: __EH_prolog3.LIBCMT ref: 004104E9

SysAllocString.OLEAUT32(?), ref: 0041C39A
SysStringLen.OLEAUT32(00000000), ref: 0041C3B2

Strings

appname, xrefs: 0041C31F
FIREWALL::RemoveApplication() failed: 0x%08lx, xrefs: 0041C351
FIREWALL::RemoveApplication() get_AuthorizedApplications failed: 0x%08lx, xrefs: 0041C37E
FIREWALL::AddApplication() Application %s is now removed in the firewall, xrefs: 0041C3E7
FIREWALL::RemoveApplication() appname=%s, xrefs: 0041C2ED
.\firewall.cpp, xrefs: 0041C304, 0041C309, 0041C31E
this->boolUpAndRunning, xrefs: 0041C30A
FIREWALL::RemoveApplication() Remove failed: 0x%08lx, xrefs: 0041C3DA
FIREWALL::~RemoveApplication(), xrefs: 0041C410
FIREWALL::AddApplication() Application not found and therefor not removed, xrefs: 0041C3F1
FIREWALL::RemoveApplication() SysAllocString failed: 0x%08lx, xrefs: 0041C3C2

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: String$FreeH_prolog3_fprintf_sprintf$AllocErrorLast__snprintf_memset
String ID: .\firewall.cpp$FIREWALL::AddApplication() Application %s is now removed in the firewall$FIREWALL::AddApplication() Application not found and therefor not removed$FIREWALL::RemoveApplication() Remove failed: 0x%08lx$FIREWALL::RemoveApplication() SysAllocString failed: 0x%08lx$FIREWALL::RemoveApplication() appname=%s$FIREWALL::RemoveApplication() failed: 0x%08lx$FIREWALL::RemoveApplication() get_AuthorizedApplications failed: 0x%08lx$FIREWALL::~RemoveApplication()$appname$this->boolUpAndRunning
API String ID: 1892481059-2383231683
Opcode ID: ea4ac27f78c60ca26e0c78d4a00e4bc3154075273b1d2233df4fff43eb79647b
Instruction ID: 0a31eea110d0782b961b0b3ad8e80d4191507d9869c9b89e8bde26eeb68277f6
Opcode Fuzzy Hash: ea4ac27f78c60ca26e0c78d4a00e4bc3154075273b1d2233df4fff43eb79647b
Instruction Fuzzy Hash: FC31C93168030DBFCB109B52CCC6EEE3B79DB84755B20402FBC11A6292DB7C9985D65D

Uniqueness

Uniqueness Score: -1.00%

Function 00419C1F Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 298COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00419C38

Part of subcall function 00419A87: _strncpy.LIBCMT ref: 00419AA6

_strncpy.LIBCMT ref: 00419C91
_strncpy.LIBCMT ref: 00419CA1

Part of subcall function 00419AB4: __EH_prolog3.LIBCMT ref: 00419ABB
Part of subcall function 00419AB4: _strncpy.LIBCMT ref: 00419AF9

Part of subcall function 00418F66: _memset.LIBCMT ref: 00418FAD
Part of subcall function 00418F66: _sprintf.LIBCMT ref: 00418FCA

_strncmp.LIBCMT ref: 00419D40
_strncmp.LIBCMT ref: 00419D5A

Part of subcall function 004107B9: __EH_prolog3.LIBCMT ref: 004107C0
Part of subcall function 004107B9: _strpbrk.LIBCMT ref: 00410829
Part of subcall function 004107B9: _strlen.LIBCMT ref: 00410835

Part of subcall function 004107B9: _strpbrk.LIBCMT ref: 00410809

_strncmp.LIBCMT ref: 00419DF0

Part of subcall function 00401A26: __EH_prolog3.LIBCMT ref: 00401A2D

Strings

={{, xrefs: 00419DE8
item.Find("="), xrefs: 00419EF6
#Handle, xrefs: 00419F0C
HASH-VALUES, xrefs: 00419C9B
.\stringarray.cpp, xrefs: 00419EF1
#Key, xrefs: 00419F2D
HASH-KEYS, xrefs: 00419C87

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3_strncpy$_strncmp$_strpbrk$_memset_sprintf_strlen
String ID: #Handle$#Key$.\stringarray.cpp$={{$HASH-KEYS$HASH-VALUES$item.Find("=")
API String ID: 2408641952-221067418
Opcode ID: a4bccafaf528b93f7c03276fdddc5994f0463ebbe1a2e3616660a06f5b0a8ac3
Instruction ID: 51457d21a4e25aec759705ad14638697978ebb604825093648f429ceafa4e932
Opcode Fuzzy Hash: a4bccafaf528b93f7c03276fdddc5994f0463ebbe1a2e3616660a06f5b0a8ac3
Instruction Fuzzy Hash: 65B17771504248EEDB05EFA1CC52BDE7BB4AF14308F10406FF806A61D2EB789A48CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041ACB7 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 00413B91: GetCurrentThreadId.KERNEL32 ref: 00413B9A

_strlen.LIBCMT ref: 0041ACEC

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5CA
Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5F1
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B646
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B66F

WritePrinter.WINSPOOL.DRV(000000FF,?,000000FF,?,000000FF), ref: 0041AD07
MoveToEx.GDI32(?,?,?,00000000), ref: 0041AD99
TextOutA.GDI32(?,00000000,00000000,?,?), ref: 0041ADAA
GetCurrentPositionEx.GDI32(?,?), ref: 0041ADB4
MoveToEx.GDI32(?,?,?,00000000), ref: 0041AE0D
TextOutA.GDI32(?,00000000,00000000,?,?), ref: 0041AE1E
GetCurrentPositionEx.GDI32(?,?), ref: 0041AE28

Strings

PRINTER::WriteText %d bytes done, ok= %d, xrefs: 0041AEC9
PRINTER::WriteText %d bytes hdc= %08x, hdirect= %08x, xrefs: 0041ACC9
this->hDC, xrefs: 0041AD28
this->Margins.bottom>0, xrefs: 0041AD46
.\printer_win32.cpp, xrefs: 0041AD22, 0041AD27, 0041AD45

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Current$MovePositionText_fprintf_sprintf$ErrorH_prolog3LastPrinter.ThreadWrite__snprintf_memset_strlen
String ID: .\printer_win32.cpp$PRINTER::WriteText %d bytes done, ok= %d$PRINTER::WriteText %d bytes hdc= %08x, hdirect= %08x$this->Margins.bottom>0$this->hDC
API String ID: 590916919-1604752662
Opcode ID: 21af30b57fed7164dbf5360dec0b4da6b2d8853d0378cb16bb34c0c37e479a2d
Instruction ID: 232ddbf5555f96b9e91f90ac7ff3bcc76624e800370a917e622ae6939b6dd451
Opcode Fuzzy Hash: 21af30b57fed7164dbf5360dec0b4da6b2d8853d0378cb16bb34c0c37e479a2d
Instruction Fuzzy Hash: 4761F130601704AFCB20DFA5CD85A9ABBB1FB48715F20451EF94687691D338F9A0CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00423779 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 138COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00423780

Part of subcall function 00413B91: GetCurrentThreadId.KERNEL32 ref: 00413B9A

Part of subcall function 00422DF3: __EH_prolog3.LIBCMT ref: 00422DFD
Part of subcall function 00422DF3: select.WS2_32(?,?,?,?,?), ref: 00422EA0
Part of subcall function 00422DF3: __WSAFDIsSet.WS2_32(?,?), ref: 00422EC2
Part of subcall function 00422DF3: __WSAFDIsSet.WS2_32(?,?), ref: 00422F5E

Strings

SEND, xrefs: 004238B8
TCPIPIO::DevWrite pending done ok on skt= %d, xrefs: 004237F5
TCPIPIO::DevWrite select for write failed, rrc= %d, xrefs: 00423842
TCPIPIO::DevWrite send rc=%d , xrefs: 0042386E
TCPIPIO::DevWrite wrote partial packet. thismany= %d, howmany= %d, l= %d, xrefs: 00423832
.\tcpio.cpp, xrefs: 004238A1
TCPIPIO::partial send!, xrefs: 00423897
TCPIPIO::DevWrite partial send (%d of %d)!!!!, xrefs: 0042388B
TCPIPIO::DevWrite error rc=%d on skt=%d, error=%s, xrefs: 00423917
FALSE, xrefs: 004238A6
TCPIPIO::DevWrite l=%d on skt= %d , xrefs: 00423792
TCPIPIO::DevWrite done rc= %d, l=%d, xrefs: 00423931

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$CurrentThreadselect
String ID: .\tcpio.cpp$FALSE$SEND$TCPIPIO::DevWrite done rc= %d, l=%d$TCPIPIO::DevWrite error rc=%d on skt=%d, error=%s$TCPIPIO::DevWrite l=%d on skt= %d $TCPIPIO::DevWrite partial send (%d of %d)!!!!$TCPIPIO::DevWrite pending done ok on skt= %d$TCPIPIO::DevWrite select for write failed, rrc= %d$TCPIPIO::DevWrite send rc=%d $TCPIPIO::DevWrite wrote partial packet. thismany= %d, howmany= %d, l= %d$TCPIPIO::partial send!
API String ID: 4166063393-417256094
Opcode ID: 285028e5a16249125e2b31c1cb337a3ec6b4fd23aedad5dbdca542c6d495e40c
Instruction ID: 2582721d22c901e990ddc79c6f428cbdcd55fa05d24894d2254e49de7b17ecca
Opcode Fuzzy Hash: 285028e5a16249125e2b31c1cb337a3ec6b4fd23aedad5dbdca542c6d495e40c
Instruction Fuzzy Hash: C9412F71240704BBDB10AF658C07FEA77A4EF44715F60402FFC2D5A1D2EBB86618865A

Uniqueness

Uniqueness Score: -1.00%

Function 00431E5D Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 262COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00431EBC
_strrchr.LIBCMT ref: 00431F8B
_fprintf.LIBCMT ref: 004320B6
_fprintf.LIBCMT ref: 004320DF
_fprintf.LIBCMT ref: 0043213A
SetVolumeLabelA.KERNEL32(?,C:/Program Files (x86)/ZOC5/zocdll.dll), ref: 00432147
_fprintf.LIBCMT ref: 00432163

Strings

labelling %s %-22s, xrefs: 0043212C
C:/Program Files (x86)/ZOC5/zocdll.dll, xrefs: 00431EAA, 00431EAF, 00431ED3, 00431EEA, 00431F29, 00431F8A, 0043208D, 004320A7, 004320D0, 004320F8, 00432127, 00432142
creating: %-22s, xrefs: 004320A8
mapname: error setting volume label, xrefs: 00432155
mapname: conversion of %s failed, xrefs: 004320D1

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fprintf$LabelVolume_strlen_strrchr
String ID: creating: %-22s$C:/Program Files (x86)/ZOC5/zocdll.dll$labelling %s %-22s$mapname: conversion of %s failed$mapname: error setting volume label
API String ID: 3224579094-709802743
Opcode ID: 1daf420a74d19f49d78e75ab3c8e8c5fb42e6859defe77aa4920a8c0ccf8f47c
Instruction ID: 2aff3e371a910bf72668f4ff1e1111d3603ce3827307d65e76a344e25d686d38
Opcode Fuzzy Hash: 1daf420a74d19f49d78e75ab3c8e8c5fb42e6859defe77aa4920a8c0ccf8f47c
Instruction Fuzzy Hash: 6791F470D083848EEB309FB598457AEBBB4AB19304F24246FE58497292D7BC4549CF2E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E66F Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 233COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041E68E

Part of subcall function 0041E4A4: __EH_prolog3.LIBCMT ref: 0041E4AB

Part of subcall function 00419AB4: __EH_prolog3.LIBCMT ref: 00419ABB
Part of subcall function 00419AB4: _strncpy.LIBCMT ref: 00419AF9

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5CA
Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5F1
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B646
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B66F

Part of subcall function 00418F66: _memset.LIBCMT ref: 00418FAD
Part of subcall function 00418F66: _sprintf.LIBCMT ref: 00418FCA

_sscanf.LIBCMT ref: 0041E7D6

Part of subcall function 00437AF5: _vscan_fn.LIBCMT ref: 00437B0A

_sscanf.LIBCMT ref: 0041E7F5
_sscanf.LIBCMT ref: 0041E814

Strings

s.NumItems()==d.NumItems(), xrefs: 0041E741
idx!=-1, xrefs: 0041E8B5
KEYBOARD::KEYBOARD, xrefs: 0041E695
keyidx!=-1, xrefs: 0041E860
.\winkeys.cpp, xrefs: 0041E73B, 0041E740, 0041E774, 0041E85F, 0041E8B4, 0041E8E2
s.NumItems()==w.NumItems(), xrefs: 0041E775
oldscan==extscan2scancode[i].scan, xrefs: 0041E8E3
KEYBOARD::KEYBOARD done, xrefs: 0041E946

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_sprintf_sscanf$_fprintf_memset$ErrorLast__snprintf_strncpy_vscan_fn
String ID: .\winkeys.cpp$KEYBOARD::KEYBOARD$KEYBOARD::KEYBOARD done$idx!=-1$keyidx!=-1$oldscan==extscan2scancode[i].scan$s.NumItems()==d.NumItems()$s.NumItems()==w.NumItems()
API String ID: 3983447022-3296955498
Opcode ID: 4397b1b316a572d11e132ce26e4b4a3208d6d62ecd7cd792af53f1a1b3aa08bb
Instruction ID: 160e684dc6799aeed42a0ef144b6f87139138dedda2790286c7d6515610ec4ae
Opcode Fuzzy Hash: 4397b1b316a572d11e132ce26e4b4a3208d6d62ecd7cd792af53f1a1b3aa08bb
Instruction Fuzzy Hash: 2F81D571D00259AFDB14EBA5CC46BEE77A8FF14718F00012EFC15A7192EB785A48C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0044B352 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 164libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,00489AB8,004437E6,00489AB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0044B37F
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0044B39B

Part of subcall function 0043F7B6: TlsGetValue.KERNEL32(00000000,0043F82B,00000000,0044B360,00000000,00000000,00000314,?,?,?,00489AB8,004437E6,00489AB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0043F7C3
Part of subcall function 0043F7B6: TlsGetValue.KERNEL32(00000005,?,?,?,00489AB8,004437E6,00489AB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0043F7DA

GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B3B8

Part of subcall function 0043F7B6: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00489AB8,004437E6,00489AB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0043F7EF
Part of subcall function 0043F7B6: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0043F80A

GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B3CD
__invoke_watson.LIBCMT ref: 0044B3EE

Part of subcall function 00440AB8: _memset.LIBCMT ref: 00440B44
Part of subcall function 00440AB8: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 00440B62
Part of subcall function 00440AB8: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 00440B6C
Part of subcall function 00440AB8: UnhandledExceptionFilter.KERNEL32(00489AB8,?,?,00000000), ref: 00440B76
Part of subcall function 00440AB8: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 00440B91
Part of subcall function 00440AB8: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 00440B98

Part of subcall function 0043F82D: TlsGetValue.KERNEL32(00000000,0043F8DD,?,00438E66), ref: 0043F83A
Part of subcall function 0043F82D: TlsGetValue.KERNEL32(00000005,?,00438E66), ref: 0043F851

Part of subcall function 0043F82D: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00438E66), ref: 0043F866
Part of subcall function 0043F82D: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0043F881

GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 0044B402
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0044B41A
__invoke_watson.LIBCMT ref: 0044B48D

Strings

USER32.DLL, xrefs: 0044B37A
MessageBoxA, xrefs: 0044B395
GetUserObjectInformationA, xrefs: 0044B3FC
GetProcessWindowStation, xrefs: 0044B414

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 2940365033-1046234306
Opcode ID: fab2c6b851559cb3aad1512ea8c8daacfc28a809689d50572186f09ec3b6c89f
Instruction ID: 2aed174c590050926c2abb571d9c2db15f7b512535155a083989e831a50170ca
Opcode Fuzzy Hash: fab2c6b851559cb3aad1512ea8c8daacfc28a809689d50572186f09ec3b6c89f
Instruction Fuzzy Hash: 5B416771D00304ABEF24AFA59C8596F7BA4EB59318F14483FE500D2252DB7CD944DBAE

Uniqueness

Uniqueness Score: -1.00%

Function 0041A268 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5CA
Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5F1
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B646
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B66F

_memset.LIBCMT ref: 0041A2CB
_memset.LIBCMT ref: 0041A2DB
PrintDlgA.COMDLG32(00000042), ref: 0041A36F
GlobalFree.KERNEL32(00000000), ref: 0041A388

Strings

!this->hFont, xrefs: 0041A2AA
current != -1, xrefs: 0041A3C7
PRINTER::PrinterDialog, xrefs: 0041A2B5
@, xrefs: 0041A30D
!this->hDC, xrefs: 0041A28E, 0041A35D
PRINTER::PrinterDialog returns %d, xrefs: 0041A417
.\printer_win32.cpp, xrefs: 0041A288, 0041A28D, 0041A2A9, 0041A35C, 0041A3BB
B, xrefs: 0041A2EE

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset$_fprintf_sprintf$ErrorFreeGlobalH_prolog3LastPrint__snprintf
String ID: !this->hDC$!this->hFont$.\printer_win32.cpp$@$B$PRINTER::PrinterDialog$PRINTER::PrinterDialog returns %d$current != -1
API String ID: 1632205761-2930310019
Opcode ID: c0f3a9d29ff76ff7023524c940fce9286b70ae203e378233ba524b6b021a4484
Instruction ID: ca8f1634c1b5eab1b2e2758f4a86a4c4320844533cd9f1f7f9e184693345080a
Opcode Fuzzy Hash: c0f3a9d29ff76ff7023524c940fce9286b70ae203e378233ba524b6b021a4484
Instruction Fuzzy Hash: 43517E70A01308AFDB249FA5D885BEE77F4EF48B14F14442AFC11E7291E3789894CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004216DB Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

inet_ntoa.WS2_32(?), ref: 00421867
_strlen.LIBCMT ref: 00421870
_strcpy_s.LIBCMT ref: 00421882

Strings

65535, xrefs: 004216F7
udp, xrefs: 0042177A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strcpy_s_strleninet_ntoa
String ID: 65535$udp
API String ID: 3718499672-1267037602
Opcode ID: 31dcb01bfcc9c87938098e2b56b7ba2da1274a4672d8590996ecbc4438e0f802
Instruction ID: 00213a0bfcd56ba7eb619f05121a0efb64b719ec361ded555edcd0620b0e9b7d
Opcode Fuzzy Hash: 31dcb01bfcc9c87938098e2b56b7ba2da1274a4672d8590996ecbc4438e0f802
Instruction Fuzzy Hash: F3511C31B0022A9BDF24EF55E8856BF37A5EFA5305F944037E901962A1EB7CC901C76E

Uniqueness

Uniqueness Score: -1.00%

Function 00438AFD Relevance: 19.8, APIs: 13, Instructions: 296COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00438B3E

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 503ded709b22a89d7165cb6afa506cf117f8a89c24c499053054bc72256e868e
Instruction ID: 498dbf7dc677333966d66075d18d016d4309fb6941ed0d175676d855749c9826
Opcode Fuzzy Hash: 503ded709b22a89d7165cb6afa506cf117f8a89c24c499053054bc72256e868e
Instruction Fuzzy Hash: A081F2B1A007059BEB24EF6ACC819AFF3F9AF98314F14552FF511D2392EB7899008759

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE4F Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 284COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040DE5D

Part of subcall function 004136A5: __EH_prolog3_GS.LIBCMT ref: 004136AF
Part of subcall function 004136A5: LoadStringA.USER32(?,?,?,00000100), ref: 00413706

Part of subcall function 00415A8E: SetWindowTextA.USER32(?,00000000), ref: 00415A95

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 0040CAB5: __EH_prolog3.LIBCMT ref: 0040CAC3

Strings

WorkPath, xrefs: 0040E087
ZOC4, xrefs: 0040E024
SETUP::NewSetupHookZOC %d %d %08x, xrefs: 0040DE6E
%ZOCFILES%, xrefs: 0040DFA7
Software\EmTec, xrefs: 0040DF37, 0040E029
HomePath, xrefs: 0040E04A, 0040E119
%ZOC%, xrefs: 0040DF73
Software, xrefs: 0040E0FC
ZOC5, xrefs: 0040DF32
Zap-O-Com , xrefs: 0040E0F7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$H_prolog3_LoadStringTextWindow_strlen
String ID: %ZOC%$%ZOCFILES%$HomePath$SETUP::NewSetupHookZOC %d %d %08x$Software$Software\EmTec$WorkPath$ZOC4$ZOC5$Zap-O-Com
API String ID: 3184825967-3982529888
Opcode ID: 2d05176ae61abbe99f8e3d170629e2494fbd2357511c4dc6c43345da10ff2927
Instruction ID: e08c1071a30ea2ea8b498847996460af4a28e7ec21f7fa1777dbcabd951e09c8
Opcode Fuzzy Hash: 2d05176ae61abbe99f8e3d170629e2494fbd2357511c4dc6c43345da10ff2927
Instruction Fuzzy Hash: C3B17331900248EADB14EBA6CD56FDD77649F11308F10407FF94AB72D2EB7C5A88CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042D27D Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 276COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0042D29F

Part of subcall function 00437FAD: __FF_MSGBANNER.LIBCMT ref: 00437FD0
Part of subcall function 00437FAD: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00442DC2,?,00000001,?,0044340E,00000018,00469F50,0000000C,0044349D,?), ref: 00438025

_malloc.LIBCMT ref: 0042D2CA
_strncmp.LIBCMT ref: 0042D32D
_strncmp.LIBCMT ref: 0042D4DB
_fprintf.LIBCMT ref: 0042D4F6
_fprintf.LIBCMT ref: 0042D530
_fprintf.LIBCMT ref: 0042D57A
_fprintf.LIBCMT ref: 0042D5B9

Strings

C:/Program Files (x86)/ZOC5/zocdll.dll, xrefs: 0042D3B9, 0042D3F5
caution: filename not matched: %s, xrefs: 0042D522
caution: excluded filename not matched: %s, xrefs: 0042D56C

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fprintf$_malloc_strncmp$AllocateHeap
String ID: C:/Program Files (x86)/ZOC5/zocdll.dll$caution: excluded filename not matched: %s$caution: filename not matched: %s
API String ID: 4163885258-437899265
Opcode ID: b56c69fbce36a9b219efbff64bbb0bd020b324e0a53eb5734f1b22d9410ad9cc
Instruction ID: 52bc8c2e960067285a0d75c4017ff6f2e58f251dd95a4d3a1aff7ef01c7c3237
Opcode Fuzzy Hash: b56c69fbce36a9b219efbff64bbb0bd020b324e0a53eb5734f1b22d9410ad9cc
Instruction Fuzzy Hash: 9591C6B2F04221AAE720AF55BC82A2A73A0AB44358FE4083FF541D7251D778DD85CB5F

Uniqueness

Uniqueness Score: -1.00%

Function 0042F555 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 248COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0042F5A1
_fprintf.LIBCMT ref: 0042F5C3
__locking.LIBCMT ref: 0042F618

Strings

warning: extra field too long (%d). Ignoring..., xrefs: 0042F5B5
[ %s ], xrefs: 0042F712
C:/Program Files (x86)/ZOC5/zocdll.dll, xrefs: 0042F68B, 0042F690, 0042F6B2, 0042F711
warning: filename too long--truncating., xrefs: 0042F65F

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __locking_fprintf_malloc
String ID: C:/Program Files (x86)/ZOC5/zocdll.dll$[ %s ]$warning: extra field too long (%d). Ignoring...$warning: filename too long--truncating.
API String ID: 184718480-2918875044
Opcode ID: 34bb9571dd4a1106ff9b4759117dbfd452bfabf991e6f9742f86e2e458ff5e9f
Instruction ID: d9186d1ec99c69af2252b5645a9751cff983cd520960b5a7cbf3adae22532b7f
Opcode Fuzzy Hash: 34bb9571dd4a1106ff9b4759117dbfd452bfabf991e6f9742f86e2e458ff5e9f
Instruction Fuzzy Hash: F6714672B042615BE7106B28BC4572A77F4EB44358FE8043FE841D33A2E7AD9C19879E

Uniqueness

Uniqueness Score: -1.00%

Function 0041B0E0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 200filethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004129C0: QueryPerformanceCounter.KERNEL32(000001FF,?,?,?,?,?,0041B13D,?,?,E5C332AE,?,000001FF,00000000), ref: 004129D4
Part of subcall function 004129C0: QueryPerformanceFrequency.KERNEL32(000001FF,?,?,?,?,?,0041B13D,?,?,E5C332AE,?,000001FF,00000000), ref: 004129FC

GetCurrentThreadId.KERNEL32 ref: 0041B22D
_sprintf.LIBCMT ref: 0041B249
_strncpy.LIBCMT ref: 0041B26D
__vsnprintf.LIBCMT ref: 0041B290

Part of subcall function 00413129: CreateMutexA.KERNEL32(00000000,00000000,?,?,0041B1B5,00000000,00000000,E5C332AE,?,000001FF,00000000), ref: 00413140

_strlen.LIBCMT ref: 0041B2A0
_strlen.LIBCMT ref: 0041B2BF
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0041B304
OutputDebugStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,E5C332AE), ref: 0041B316

Part of subcall function 00435AB2: _malloc.LIBCMT ref: 00435ACA

Strings

.\emtec.cpp, xrefs: 0041B213, 0041B2D7
howmany < sizeof(logitbuf), xrefs: 0041B2E0
[%07.3lf:%04x] , xrefs: 0041B243

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: PerformanceQuery_strlen$CounterCreateCurrentDebugFileFrequencyMutexOutputStringThreadWrite__vsnprintf_malloc_sprintf_strncpy
String ID: .\emtec.cpp$[%07.3lf:%04x] $howmany < sizeof(logitbuf)
API String ID: 922108681-2720381564
Opcode ID: 313ccae740487dcefe299e6349dd2676d9299102ceb0e96c469814c642cd836d
Instruction ID: d1da8adc352d3aecefd75a829098c0c29a20c2b99db6a502fbe2bb30f04eaf2f
Opcode Fuzzy Hash: 313ccae740487dcefe299e6349dd2676d9299102ceb0e96c469814c642cd836d
Instruction Fuzzy Hash: 2571D571D0024DABDF10DFA5DC89AEEB7B8FB08354F10856FE815E6291DB384944CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00412C52 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 164registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00412C71

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

RegCreateKeyExA.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00000003,00000000,?,?,Software\Microsoft\Windows\CurrentVersion\Run,000004E4,00000078), ref: 00412CC2
_memset.LIBCMT ref: 00412CEA
GetModuleFileNameA.KERNEL32(00000000,00000100), ref: 00412D01
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,00000000,000004E4,00454616,000004E4), ref: 00412DDF

Part of subcall function 0043C079: __stricmp_l.LIBCMT ref: 0043C0BE

RegDeleteValueA.ADVAPI32(?,?), ref: 00412E04
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004085A3), ref: 00412E10

Strings

"%s", xrefs: 00412D98
<ownfile>, xrefs: 00412D1E
<self>, xrefs: 00412D2F
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00412C8A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3Value$CloseCreateDeleteFileModuleName__stricmp_l_memset_strlen
String ID: "%s"$<ownfile>$<self>$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 3573620039-3298314571
Opcode ID: 14804b29848d1e18fe11a6fddd64e79f7ca63297b921c4c8951bfada8492b120
Instruction ID: 0213d3bd60f69f2018e6c12bdaa91681bab73259743ce10d1bb50c6380d27ace
Opcode Fuzzy Hash: 14804b29848d1e18fe11a6fddd64e79f7ca63297b921c4c8951bfada8492b120
Instruction Fuzzy Hash: 72518371D00249AEDB25DFA4DD45BEEBBB8EF08304F10402AF905B61D1EB785B84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00422DF3 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 162networkCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00422DFD
select.WS2_32(?,?,?,?,?), ref: 00422EA0
__WSAFDIsSet.WS2_32(?,?), ref: 00422EC2
__WSAFDIsSet.WS2_32(?,?), ref: 00422F5E
__WSAFDIsSet.WS2_32(?,?), ref: 00422F95
__WSAFDIsSet.WS2_32(?,?), ref: 00422FAB
WSAGetLastError.WS2_32 ref: 00422FC3

Strings

TCPIPIO::Select for skt %d failed with %s, xrefs: 00422FF7
.\tcpio.cpp, xrefs: 00422F7A
TCPIPIO::Select for skt %d before select timout= %d/%d, xrefs: 00422E6B
!connect_request, xrefs: 00422F7F

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ErrorH_prolog3Lastselect
String ID: !connect_request$.\tcpio.cpp$TCPIPIO::Select for skt %d before select timout= %d/%d$TCPIPIO::Select for skt %d failed with %s
API String ID: 137377352-2727668841
Opcode ID: 7b6963f24bbe64a8b93662f786f266c84385f4c52beca98df15fe471d10c8751
Instruction ID: 714f95fced612ec92cd14f11a3cadbe79e519b4e0f6f8338dacdceddefb4a6de
Opcode Fuzzy Hash: 7b6963f24bbe64a8b93662f786f266c84385f4c52beca98df15fe471d10c8751
Instruction Fuzzy Hash: 2F519170A00229ABCB11EF55DA85ADEB7B8FF49300F5105ABE819D6241D7789F80DF98

Uniqueness

Uniqueness Score: -1.00%

Function 00410F78 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 138COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00410F7F

Part of subcall function 0041238A: __EH_prolog3.LIBCMT ref: 004123AC
Part of subcall function 0041238A: _memset.LIBCMT ref: 004123D0
Part of subcall function 0041238A: _memset.LIBCMT ref: 004123EB

Part of subcall function 00410CF9: __EH_prolog3.LIBCMT ref: 00410D00

Part of subcall function 0041238A: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,?,?,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,000004E4), ref: 004126F6
Part of subcall function 0041238A: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000400,00000400,?,?,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,000004E4), ref: 0041271A
Part of subcall function 0041238A: RegCloseKey.KERNEL32(?,?,?,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,000004E4,?,?,?,?,?,00000180), ref: 00412726
Part of subcall function 0041238A: ExpandEnvironmentStringsA.KERNEL32(?,?,00000400,?,?,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,000004E4,?,?,?,?,?,00000180), ref: 00412741
Part of subcall function 0041238A: _strlen.LIBCMT ref: 0041274E

Strings

%ALLUSERAPPDATA%, xrefs: 004110DD
%USERDOCUMENTS%, xrefs: 00411053
%ALLUSERPROFILE%, xrefs: 0041110B
%USERDESKTOP%, xrefs: 00411081
%USERPROFILE%, xrefs: 00411025
%USERPICTURES%, xrefs: 00410FCE
FILENAME::ShellStringsInit, xrefs: 00410FAF
%USERHOME%, xrefs: 00410FFB
%APPDATA%, xrefs: 004110AF
FILENAME::ShellStringsInit done, xrefs: 0041112A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_memset$CloseEnvironmentExpandOpenQueryStringsValue_strlen
String ID: %ALLUSERAPPDATA%$%ALLUSERPROFILE%$%APPDATA%$%USERDESKTOP%$%USERDOCUMENTS%$%USERHOME%$%USERPICTURES%$%USERPROFILE%$FILENAME::ShellStringsInit$FILENAME::ShellStringsInit done
API String ID: 1400441989-2062923142
Opcode ID: d7571af6366ecbb29305b8851a707457546b54fcab3f9a7e652af1f277a01dbe
Instruction ID: e436aaf81bcf05675fb1d1210f213f6159dd1fda73e1a7bfa2c49c245e684c04
Opcode Fuzzy Hash: d7571af6366ecbb29305b8851a707457546b54fcab3f9a7e652af1f277a01dbe
Instruction Fuzzy Hash: 93416370D40108AFCB10EFA1C946BDE77B8DB04704F5001AAF905A7292E7BE5A59CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041134A Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00411369
_memset.LIBCMT ref: 00411388
_getenv.LIBCMT ref: 00411401
__tempnam.LIBCMT ref: 0041140D
_strcat.LIBCMT ref: 00411433

Part of subcall function 00412E54: _memset.LIBCMT ref: 00412E88
Part of subcall function 00412E54: GetModuleFileNameA.KERNEL32(?,00000100,?,?,?), ref: 00412E9F

Strings

fname, xrefs: 0041141E
.\osysfile.cpp, xrefs: 00411419
<self>, xrefs: 004113A1
TEMP, xrefs: 004113FC
<temp>, xrefs: 004113EB
<tmp>, xrefs: 004113DA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset$FileH_prolog3ModuleName__tempnam_getenv_strcat
String ID: .\osysfile.cpp$<self>$<temp>$<tmp>$TEMP$fname
API String ID: 468438843-3117012196
Opcode ID: d92f8daa9d34e72ff7b0ac33e6bbc023548ef3538c32bc626824e50b1c86d38f
Instruction ID: ec29cf5c120f5542d6a15bc0049773c735fa658ac131b4de30407117c49d4bd9
Opcode Fuzzy Hash: d92f8daa9d34e72ff7b0ac33e6bbc023548ef3538c32bc626824e50b1c86d38f
Instruction Fuzzy Hash: 1F41AA75D00249AFDB14EBA5CD42ADEB7B8AF18318F10402FF815B7192EA7C6B48C759

Uniqueness

Uniqueness Score: -1.00%

Function 00421F9C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 117windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00421FBB
_memset.LIBCMT ref: 00421FEB
_memset.LIBCMT ref: 00421FFB
getsockopt.WS2_32(?,0000FFFF,00001007,?,00000004), ref: 0042201B
FormatMessageA.KERNEL32(00001000,00000000,?,00000000,00000000,00000100,00000000,?,?,?,?,?,00000024), ref: 00422031
_strlen.LIBCMT ref: 0042203B
_strlen.LIBCMT ref: 0042204D
_strlen.LIBCMT ref: 0042205D
_strlen.LIBCMT ref: 0042206D
_strlen.LIBCMT ref: 00422079

Strings

TCP::GetLastSocketErrorString lasterr=%d, errbuf=%s, xrefs: 004220AB

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strlen$_memset$FormatH_prolog3Messagegetsockopt
String ID: TCP::GetLastSocketErrorString lasterr=%d, errbuf=%s
API String ID: 4061203125-898781902
Opcode ID: bcd9f5507cec6dd734485ac1fc17da13f3c1e12dd25b564ec1e0809eeb57ecce
Instruction ID: b0a62e5cb7f13c5d1e633e7407dc6ffaf77471ce4641121c2803ac4c7fa53a23
Opcode Fuzzy Hash: bcd9f5507cec6dd734485ac1fc17da13f3c1e12dd25b564ec1e0809eeb57ecce
Instruction Fuzzy Hash: 334150B290024DBFDB20EFA0DC41AEE77A8FF08344F54042EFA459B291D6B89A448B55

Uniqueness

Uniqueness Score: -1.00%

Function 004091AF Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 116registryfileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004091BD
CopyFileA.KERNEL32(?,?,00000000), ref: 004092E6
RegCreateKeyA.ADVAPI32(80000001,Software\Enterprise Alternatives\REXX\ExecOptions,?), ref: 0040931A
RegSetValueExA.ADVAPI32(?,GlobalSCBs,00000000,00000004,?,00000004), ref: 00409331
RegCloseKey.ADVAPI32(?), ref: 0040933A

Part of subcall function 00411530: __EH_prolog3.LIBCMT ref: 00411537
Part of subcall function 00411530: _memset.LIBCMT ref: 00411552
Part of subcall function 00411530: _strlen.LIBCMT ref: 00411589

Part of subcall function 004121F3: __EH_prolog3_GS.LIBCMT ref: 004121FA

Strings

GlobalSCBs, xrefs: 00409329
*.*, xrefs: 004091FC, 00409201, 00409272
SCRIPT, xrefs: 00409217, 0040921C, 00409247
OPTIONS, xrefs: 004091D0, 004091D5, 004091E7
Software\Enterprise Alternatives\REXX\ExecOptions, xrefs: 0040930A
PHONEBK, xrefs: 00409284, 00409289, 004092B4

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$CloseCopyCreateFileH_prolog3_Value_memset_strlen
String ID: *.*$GlobalSCBs$OPTIONS$PHONEBK$SCRIPT$Software\Enterprise Alternatives\REXX\ExecOptions
API String ID: 1025971036-2501763011
Opcode ID: 72bc9ff52f8026150d67d3bbb704558b945aa7d533ea316dff9fa6cabfc27864
Instruction ID: 414767a77524a1db033896fffa5373e42adab1683dcef265066458412af59660
Opcode Fuzzy Hash: 72bc9ff52f8026150d67d3bbb704558b945aa7d533ea316dff9fa6cabfc27864
Instruction Fuzzy Hash: 3A419070810189FEDB04EFA1DD45BDE7F65AF14308F1080AAF90A221A3E7791B4CDB68

Uniqueness

Uniqueness Score: -1.00%

Function 00421E54 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 111windownetworkCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00421E73
WSAGetLastError.WS2_32(00000020), ref: 00421E94
_memset.LIBCMT ref: 00421EB9
_memset.LIBCMT ref: 00421EC9
FormatMessageA.KERNEL32(00001000,00000000,?,00000000,00000000,00000100,00000000,?,?,?,?,?,00000020), ref: 00421EDF
_strlen.LIBCMT ref: 00421EE9
_strlen.LIBCMT ref: 00421EFB
_strlen.LIBCMT ref: 00421F0B
_strlen.LIBCMT ref: 00421F1B
_strlen.LIBCMT ref: 00421F27

Strings

TCP::GetLastErrorString lasterr=%d, errbuf=%s, xrefs: 00421F4E

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strlen$_memset$ErrorFormatH_prolog3LastMessage
String ID: TCP::GetLastErrorString lasterr=%d, errbuf=%s
API String ID: 3019503529-3487503035
Opcode ID: 415e93333473be2cb66b3393ba5d9bec06e73d3f96a57f876a576f9eb42d3704
Instruction ID: a4b88a86c73cbdd9397bd3b8c0dc09c9f87b3787f52d858222299d125ad55484
Opcode Fuzzy Hash: 415e93333473be2cb66b3393ba5d9bec06e73d3f96a57f876a576f9eb42d3704
Instruction Fuzzy Hash: 3E319176A00288AFDB10EFA4DC41AEE736CEF58304F54402FFD599B291E7789A448764

Uniqueness

Uniqueness Score: -1.00%

Function 0040E308 Relevance: 18.1, APIs: 12, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 00415C03: BeginPaint.USER32(?,?,0040E335,?), ref: 00415C0A

GetSysColor.USER32(00000010), ref: 0040E356
GetSysColor.USER32(00000014), ref: 0040E35D
CreatePen.GDI32(00000000,00000001,?), ref: 0040E36E
CreatePen.GDI32(00000000,00000001,?), ref: 0040E379
MoveToEx.GDI32(00000000,00000000,00000000,?), ref: 0040E38B
SelectObject.GDI32(00000000,?), ref: 0040E397
LineTo.GDI32(?,?,00000000), ref: 0040E3A6
MoveToEx.GDI32(?,00000000,00000001,?), ref: 0040E3B3
SelectObject.GDI32(?,?), ref: 0040E3BB
LineTo.GDI32(?,?,00000001), ref: 0040E3C5
DeleteObject.GDI32(?), ref: 0040E3D0
DeleteObject.GDI32(?), ref: 0040E3D5

Part of subcall function 00415C13: EndPaint.USER32(?,?,0040E3E3,?), ref: 00415C1A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Object$ColorCreateDeleteLineMovePaintSelect$Begin
String ID:
API String ID: 2747204081-0
Opcode ID: 769fc2e1a8e532cafcab813daa9ed0db4e996e37d837c650897d718b940cc50d
Instruction ID: 1bda1526633ffd57c555558cd39f921402516851c9ca309d33523bf4e3c67b5d
Opcode Fuzzy Hash: 769fc2e1a8e532cafcab813daa9ed0db4e996e37d837c650897d718b940cc50d
Instruction Fuzzy Hash: A1312672D0021CABCF10AFE1CC85EDEBFB9EF44754F10402AE601AB2A0D6759D51DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0043AF10 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 403COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0043AFE0
__freea.LIBCMT ref: 0043B039
__isleadbyte_l.LIBCMT ref: 0043B0B0

Strings

a/p, xrefs: 0043B14A
am/pm, xrefs: 0043B134

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __freea__isleadbyte_l_malloc
String ID: a/p$am/pm
API String ID: 492057358-3206640213
Opcode ID: d076fde6d79bff5998b2b1e99bf42f05b8b3836e61084e1cce3c1ff4a737ef3b
Instruction ID: c06648ec2df87d3f9755f19862614db967e6e2924eaf2ba111375ef0bfa371d8
Opcode Fuzzy Hash: d076fde6d79bff5998b2b1e99bf42f05b8b3836e61084e1cce3c1ff4a737ef3b
Instruction Fuzzy Hash: B6D1C1345082059EDF298F14C8907BB7BB1EF1E344F28609BDAA18B351D7398D42DBDA

Uniqueness

Uniqueness Score: -1.00%

Function 00429455 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00429491

Part of subcall function 00437FAD: __FF_MSGBANNER.LIBCMT ref: 00437FD0
Part of subcall function 00437FAD: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00442DC2,?,00000001,?,0044340E,00000018,00469F50,0000000C,0044349D,?), ref: 00438025

_strlen.LIBCMT ref: 004294D6
_malloc.LIBCMT ref: 004294DD
_strcat.LIBCMT ref: 004294F1
_malloc.LIBCMT ref: 00429574
_malloc.LIBCMT ref: 004295B0
__fdopen.LIBCMT ref: 004295DC
_fprintf.LIBCMT ref: 0042960C

Strings

%c%c%c%c%c%c%c%c%c%c, xrefs: 00429606
1.0.4, xrefs: 00429556

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _malloc$AllocateHeap__fdopen_fprintf_strcat_strlen
String ID: %c%c%c%c%c%c%c%c%c%c$1.0.4
API String ID: 174800823-189505174
Opcode ID: bcb0521328be24d6e9f446f42fe0468d9aa99def583a3c18220fcef2694097a6
Instruction ID: 9d04da9b304321160a4d7647142ad34b8149eafb8638443fdb79ab1d6998144b
Opcode Fuzzy Hash: bcb0521328be24d6e9f446f42fe0468d9aa99def583a3c18220fcef2694097a6
Instruction Fuzzy Hash: 2F51D3B1F04764AFDB219FAAD88165AFBF4BF08314F90492FE08997641D7789C84CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00411143 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041114A
_strncmp.LIBCMT ref: 004111B2
_strlen.LIBCMT ref: 0041124C
_strlen.LIBCMT ref: 00411281
_strlen.LIBCMT ref: 0041129E
_strlen.LIBCMT ref: 004112D4

Strings

DGE, xrefs: 0041131A
%USERNAME%, xrefs: 00411168, 00411181, 004111E2
%USERHOME%, xrefs: 004111C8
FILENAME::ExpandShellString %s -> %s, xrefs: 0041130B

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strlen$H_prolog3_strncmp
String ID: %USERHOME%$%USERNAME%$DGE$FILENAME::ExpandShellString %s -> %s
API String ID: 1841588316-127495382
Opcode ID: 3e6e8c5f3b901f4d09b4140e4618f9ecf97f689ab1579352517491a9d1abca57
Instruction ID: 556a20ff7024b2b6cd7b5ad0acc6de5e5a6c7788052721ed7342607b56b61250
Opcode Fuzzy Hash: 3e6e8c5f3b901f4d09b4140e4618f9ecf97f689ab1579352517491a9d1abca57
Instruction Fuzzy Hash: 4C51D170600358BADB15B7A5CC46BEEB6A9AF58708F14003FF905B72D2DF7C0A49865E

Uniqueness

Uniqueness Score: -1.00%

Function 00430083 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 144COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 00430163
_fprintf.LIBCMT ref: 00430190
_fgets.LIBCMT ref: 004301B0
_fprintf.LIBCMT ref: 004301EB
_fprintf.LIBCMT ref: 0043022F

Strings

%s: stored in VMS format. Extract anyway? (y/n) , xrefs: 00430182
VMS, xrefs: 0043014A
skipping: %-22s encrypted (not supported), xrefs: 00430221
(&, xrefs: 004300E3
C:/Program Files (x86)/ZOC5/zocdll.dll, xrefs: 0043012C, 0043014F, 00430181, 004301DB, 00430220

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fprintf$_fgets
String ID: %s: stored in VMS format. Extract anyway? (y/n) $ skipping: %-22s encrypted (not supported)$(&$C:/Program Files (x86)/ZOC5/zocdll.dll$VMS
API String ID: 4006501350-2717224965
Opcode ID: 598af358ae02eab5cb7da3e37c21c9574b43255995b58bcbc25ce5f9ec899a3a
Instruction ID: da242376bab145d7c3bd0a626eef410ed50c736103f9d9687401d1bb4f3ecb44
Opcode Fuzzy Hash: 598af358ae02eab5cb7da3e37c21c9574b43255995b58bcbc25ce5f9ec899a3a
Instruction Fuzzy Hash: 7C41C271A412109EF718EB29EC5BF773760EB08304F00546FE5528A2A2E2ADD851876F

Uniqueness

Uniqueness Score: -1.00%

Function 00420A45 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00420A4C

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Strings

<unknown>, xrefs: 00420B29
CALLERID, xrefs: 00420B14
DEVICENAME, xrefs: 00420B3D
LASTERRORSTRING, xrefs: 00420AD4
LASTERROR, xrefs: 00420AA4
BASEIO, xrefs: 00420B52
OWNID, xrefs: 00420AF1
ONLINE, xrefs: 00420A8C
BASEIO::BAD-REQUEST, xrefs: 00420A73

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strlen
String ID: <unknown>$BASEIO$BASEIO::BAD-REQUEST$CALLERID$DEVICENAME$LASTERROR$LASTERRORSTRING$ONLINE$OWNID
API String ID: 3239654323-2358369944
Opcode ID: c40c9371524dd8232afdca3e74319779e81037b0da2b67b8b27be965057f2276
Instruction ID: 1a65b85c4663441170d6784e3db8de27ce0342eb686ef7d6ca12c2b288a1c963
Opcode Fuzzy Hash: c40c9371524dd8232afdca3e74319779e81037b0da2b67b8b27be965057f2276
Instruction Fuzzy Hash: F831AD31A00209BADF10AAA2DC42FEE7A74AF2435DF54003BFC05721A3E67D4E4DD659

Uniqueness

Uniqueness Score: -1.00%

Function 0041AFFC Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041B01E
CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0041B02E

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041B057
DeleteDC.GDI32(00000000), ref: 0041B061
MulDiv.KERNEL32(?,?,00000048), ref: 0041B06F
_strcat.LIBCMT ref: 0041B0BF
CreateFontIndirectA.GDI32(?), ref: 0041B0CB

Strings

hdc, xrefs: 0041B046
.\windraw_win32.cpp, xrefs: 0041B03F
DISPLAY, xrefs: 0041B029

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Create_memset$CapsDeleteDeviceErrorFontH_prolog3IndirectLast__snprintf_strcat
String ID: .\windraw_win32.cpp$DISPLAY$hdc
API String ID: 1084519280-2949516874
Opcode ID: 56b7d0ece9860fe47d8047d3085101eba143a1b4ac7e2b4abb393d78590d06b6
Instruction ID: a3765a3db79e5a8282e74dd4254c2ce8f835302a7dca666de221b3c0deda6830
Opcode Fuzzy Hash: 56b7d0ece9860fe47d8047d3085101eba143a1b4ac7e2b4abb393d78590d06b6
Instruction Fuzzy Hash: F021A372E4134CAFDB00DFB4DC829DE7BB8EB59746F14006AFA01A7242D6389954CB79

Uniqueness

Uniqueness Score: -1.00%

Function 00422258 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

APIs

shutdown.WS2_32(?,00000002), ref: 004222A8
closesocket.WS2_32(?), ref: 004222D1
_strcat.LIBCMT ref: 00422311

Strings

TCPIPIO::DropCall shutdown(%d) done, err= %d, xrefs: 004222B0
<unknown>, xrefs: 0042230B
TCPIPIO::DropCall socket= %d, xrefs: 00422263
TCPIPIO::DropCall before soclose(%d), xrefs: 004222C3
TCPIPIO::~DropCall, xrefs: 00422318
TCPIPIO::~TCPIPIO after FreeAcceptSocket(), xrefs: 00422288
TCPIPIO::DropCall soclose(%d) done, rc= %d, xrefs: 004222D9

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strcatclosesocketshutdown
String ID: <unknown>$TCPIPIO::DropCall before soclose(%d)$TCPIPIO::DropCall shutdown(%d) done, err= %d$TCPIPIO::DropCall socket= %d$TCPIPIO::DropCall soclose(%d) done, rc= %d$TCPIPIO::~DropCall$TCPIPIO::~TCPIPIO after FreeAcceptSocket()
API String ID: 4051905913-975053631
Opcode ID: 58fb3795322d03de0181d5c40aa51ec4aced0d66aeb35e865f902a01f98318f7
Instruction ID: ef4f04642ff086329ce46780216c2b13630e77d8746af5374dc71511fd71bfcc
Opcode Fuzzy Hash: 58fb3795322d03de0181d5c40aa51ec4aced0d66aeb35e865f902a01f98318f7
Instruction Fuzzy Hash: F611D531344300BFD620AB66AC46FAB73A8DF56729F60051FF91597182DBA8245487AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041A675 Relevance: 17.5, APIs: 6, Strings: 4, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00413B91: GetCurrentThreadId.KERNEL32 ref: 00413B9A

EndPagePrinter.WINSPOOL.DRV(?,000000FF), ref: 0041A6A0
EndDocPrinter.WINSPOOL.DRV(?,?,000000FF), ref: 0041A6A8
ClosePrinter.WINSPOOL.DRV(?,?,?,000000FF), ref: 0041A6B0
EndPage.GDI32(?), ref: 0041A6DF
EndDoc.GDI32(?), ref: 0041A6E8
DeleteDC.GDI32(?), ref: 0041A6F1

Strings

PRINTER::EndDoc done, xrefs: 0041A702
this->hDC, xrefs: 0041A6CC
PRINTER::EndDoc hdc= %08x, hdirect= %08x, xrefs: 0041A67F
.\printer_win32.cpp, xrefs: 0041A6C7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Printer.$Page$CloseCurrentDeleteThread
String ID: .\printer_win32.cpp$PRINTER::EndDoc done$PRINTER::EndDoc hdc= %08x, hdirect= %08x$this->hDC
API String ID: 3694048318-4266346644
Opcode ID: ae2d0abcdabf44a0e9956289a6e073695dcff82329e4ef5cb86c5d39b9be1b9d
Instruction ID: ea8f2cb6735c046bb2a91d672e3147787fb64bdd7c73785d5d9e560b15c90d5a
Opcode Fuzzy Hash: ae2d0abcdabf44a0e9956289a6e073695dcff82329e4ef5cb86c5d39b9be1b9d
Instruction Fuzzy Hash: 8A019631240700AFC7313F52ED47F5A77A1EF40B2AF104A1EF996544E3CB69A4589B5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB4E Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 146COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040DB5C

Part of subcall function 00415A9E: __EH_prolog3.LIBCMT ref: 00415AA5
Part of subcall function 00415A9E: GetWindowTextLengthA.USER32(?), ref: 00415AB7
Part of subcall function 00415A9E: GetWindowTextA.USER32(?,00000000,00000001), ref: 00415AEC

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

Part of subcall function 00411530: __EH_prolog3.LIBCMT ref: 00411537
Part of subcall function 00411530: _memset.LIBCMT ref: 00411552
Part of subcall function 00411530: _strlen.LIBCMT ref: 00411589

Part of subcall function 004116AF: __EH_prolog3.LIBCMT ref: 004116BA
Part of subcall function 004116AF: _memset.LIBCMT ref: 004116D5
Part of subcall function 004116AF: _strlen.LIBCMT ref: 004116EA
Part of subcall function 004116AF: _strlen.LIBCMT ref: 004116FF

Part of subcall function 00402F64: __EH_prolog3.LIBCMT ref: 00402F6B

Part of subcall function 00410E95: __EH_prolog3.LIBCMT ref: 00410E9C

Strings

standard.zoc, xrefs: 0040DC27
zoc.exe, xrefs: 0040DBB4
admin.ini, xrefs: 0040DBDE
phonebk, xrefs: 0040DBC7
standard.cfg, xrefs: 0040DBF2
admin.ini.bak, xrefs: 0040DC6C
standard.zfg, xrefs: 0040DC0F
options, xrefs: 0040DBF7, 0040DBFC, 0040DC14, 0040DC2C

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strlen$TextWindow_memset$Length
String ID: admin.ini$admin.ini.bak$options$phonebk$standard.cfg$standard.zfg$standard.zoc$zoc.exe
API String ID: 773487468-73120917
Opcode ID: e7b5d3b4dda13e03a5968835890ebe51c9afa41a662b4be1e395f7e3a175c351
Instruction ID: 20f30cc6d7fd27bbb89533f943aee0a7516e562c4144c5042a5ee53fe9f067c6
Opcode Fuzzy Hash: e7b5d3b4dda13e03a5968835890ebe51c9afa41a662b4be1e395f7e3a175c351
Instruction Fuzzy Hash: D1517130804299EADF15EBA5D945BDD7B74AF14308F1080AFE909722C2EB7C5B48DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004235A7 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 135networkCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004235AE

Part of subcall function 00422DF3: __EH_prolog3.LIBCMT ref: 00422DFD
Part of subcall function 00422DF3: select.WS2_32(?,?,?,?,?), ref: 00422EA0
Part of subcall function 00422DF3: __WSAFDIsSet.WS2_32(?,?), ref: 00422EC2
Part of subcall function 00422DF3: __WSAFDIsSet.WS2_32(?,?), ref: 00422F5E

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

WSAGetLastError.WS2_32 ref: 004236E9

Part of subcall function 00421E54: __EH_prolog3.LIBCMT ref: 00421E73
Part of subcall function 00421E54: WSAGetLastError.WS2_32(00000020), ref: 00421E94
Part of subcall function 00421E54: _memset.LIBCMT ref: 00421EB9
Part of subcall function 00421E54: _memset.LIBCMT ref: 00421EC9
Part of subcall function 00421E54: FormatMessageA.KERNEL32(00001000,00000000,?,00000000,00000000,00000100,00000000,?,?,?,?,?,00000020), ref: 00421EDF
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421EE9
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421EFB
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421F0B
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421F1B
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421F27

Part of subcall function 00422258: shutdown.WS2_32(?,00000002), ref: 004222A8
Part of subcall function 00422258: closesocket.WS2_32(?), ref: 004222D1
Part of subcall function 00422258: _strcat.LIBCMT ref: 00422311

Strings

TCPIPIO::DevRead %d, xrefs: 004235BD
TCPIPIO::DevRead done ok=%d rrc= %d, *plen=%d, xrefs: 0042375C
TCPIPIO::DevRead read error rc=%d, lasterror= %d, xrefs: 00423734
TCPIPIO::DevRead read disconnect rc=%d, lasterror= %d, xrefs: 004236C9
.\tcpio.cpp, xrefs: 0042361F
doread, xrefs: 00423624
TCPIPIO::DevRead done ok=%d *plen=%d, xrefs: 00423674

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strlen$H_prolog3$ErrorLast_memset$FormatMessage__snprintf_strcatclosesocketselectshutdown
String ID: .\tcpio.cpp$TCPIPIO::DevRead %d$TCPIPIO::DevRead done ok=%d *plen=%d$TCPIPIO::DevRead done ok=%d rrc= %d, *plen=%d$TCPIPIO::DevRead read disconnect rc=%d, lasterror= %d$TCPIPIO::DevRead read error rc=%d, lasterror= %d$doread
API String ID: 2072069893-2129108995
Opcode ID: 6a322f221a32ebd8919a4c7f39ed3630de4ff791a117ca2823b6d493d2942393
Instruction ID: e16d6f93271745ee3d6cd6963e445fc48a7ac062d45ff6983ebe2e7597fdf135
Opcode Fuzzy Hash: 6a322f221a32ebd8919a4c7f39ed3630de4ff791a117ca2823b6d493d2942393
Instruction Fuzzy Hash: 5341F7B0600309AFDB14EFA5DC82AEE77B4FF04318F50412FF85996292E7781A54CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00421B85 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00421BB1
_memset.LIBCMT ref: 00421BC0
_strlen.LIBCMT ref: 00421C70
_sprintf.LIBCMT ref: 00421C7B
_strlen.LIBCMT ref: 00421C9B
_sprintf.LIBCMT ref: 00421CA6

Strings

%s [%s], xrefs: 00421C19, 00421CC0
TCPIPIO::%s : , xrefs: 00421BCF
%02x , xrefs: 00421C6A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset_sprintf_strlen
String ID: %s [%s]$%02x $TCPIPIO::%s :
API String ID: 751656446-752829268
Opcode ID: 2da868f8938a46a3308d894ca186cb11c00404a1736e82e2e51635f63156394a
Instruction ID: f124084641171623be8d86c8d2460e68d63ea26aca29cc284387b4fa8c9a978b
Opcode Fuzzy Hash: 2da868f8938a46a3308d894ca186cb11c00404a1736e82e2e51635f63156394a
Instruction Fuzzy Hash: E941EF72A4020D6ACF10EF65EC82DDF77ACEF18358F60042BF914D3252D66CE5498799

Uniqueness

Uniqueness Score: -1.00%

Function 00420E29 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00420E48

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 00413098: WaitForSingleObject.KERNEL32(E5C332AE,?), ref: 004130B9
Part of subcall function 00413098: _sprintf.LIBCMT ref: 004130EB

Part of subcall function 00413C0D: GetCurrentThread.KERNEL32 ref: 00413C10
Part of subcall function 00413C0D: GetThreadPriority.KERNEL32(00000000), ref: 00413C20

_sprintf.LIBCMT ref: 00420EC5

Strings

BASEIO::Daemon (this= %08x), xrefs: 00420E92
BASEIO::Daemon about to Sleep(100), xrefs: 00420EF0
magic1= %08x, magic2= %08x, xrefs: 00420EBF
!this->IsDead, xrefs: 00420E6A
FALSE, xrefs: 00420ED5
BASEIO::~Daemon, xrefs: 00420F16
.\ios.cpp, xrefs: 00420E64, 00420E69, 00420ED4

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3Thread_sprintf$CurrentErrorLastObjectPrioritySingleWait__snprintf_memset
String ID: !this->IsDead$.\ios.cpp$BASEIO::Daemon (this= %08x)$BASEIO::Daemon about to Sleep(100)$BASEIO::~Daemon$FALSE$magic1= %08x, magic2= %08x
API String ID: 3292472660-2181216402
Opcode ID: 90180ef1b7079f3b7ed8c5c020d0729c4b47ea92dd34e71e3b6d623b2496287a
Instruction ID: 85f2dfe2ca25aa8783283625fba1264ab4347a2c71354f70704d5ea7e3f95f8c
Opcode Fuzzy Hash: 90180ef1b7079f3b7ed8c5c020d0729c4b47ea92dd34e71e3b6d623b2496287a
Instruction Fuzzy Hash: 4A21C831644308ABD724EB76DC43FEF7794EB08719F10062FF926961C2EB685A48865D

Uniqueness

Uniqueness Score: -1.00%

Function 004207A8 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004207AF

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Strings

%s, xrefs: 00420866
%02x, xrefs: 0042084F
BASEIO::~Feed ok %d, xrefs: 004208AF
BASEIO::Feed len %d, xrefs: 004207E5
, xrefs: 0042080F, 00420814, 0042083B
!this->IsDead, xrefs: 004207D0
.\ios.cpp, xrefs: 004207CB
BASEIO::Feed data=, xrefs: 004207F4

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$ErrorLast__snprintf_memset_strlen
String ID: $ %02x$!this->IsDead$%s$.\ios.cpp$BASEIO::Feed data=$BASEIO::Feed len %d$BASEIO::~Feed ok %d
API String ID: 2512185904-4265594780
Opcode ID: 7d566d1170c025a29f31be4e725f69dbf0ca0561f08cf181b3c1b745a3b02fdd
Instruction ID: 551d1bb755b84123e0e954fa6ab98520cf87f68eadcad301d3d09bc6cde5a9af
Opcode Fuzzy Hash: 7d566d1170c025a29f31be4e725f69dbf0ca0561f08cf181b3c1b745a3b02fdd
Instruction Fuzzy Hash: 6B21E831640218BBDB14AFB2CC82ADE7760AB04724F54413BF965A51C3D6BCD654C69D

Uniqueness

Uniqueness Score: -1.00%

Function 0043F947 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 49libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,00469E28,0000000C,0043FA58,00000000,00000000,?,00000000,004380B0,00439D1B,00000001,0043F765,?,00000000), ref: 0043F958
GetProcAddress.KERNEL32(?,EncodePointer), ref: 0043F98C
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0043F99C
InterlockedIncrement.KERNEL32(0046E8A0), ref: 0043F9BE
__lock.LIBCMT ref: 0043F9C6
___addlocaleref.LIBCMT ref: 0043F9E5

Strings

DecodePointer, xrefs: 0043F994
EncodePointer, xrefs: 0043F97E
KERNEL32.DLL, xrefs: 0043F953

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1036688887-2843748187
Opcode ID: ce8f174fc9a4322f6a7232fbe284a4214e82b5540bace2b922ce6c4fb0c55d5d
Instruction ID: 33096796ed65fa54f6b934e2a121b5f7861bbe927cc51505edfdec1f91a84da7
Opcode Fuzzy Hash: ce8f174fc9a4322f6a7232fbe284a4214e82b5540bace2b922ce6c4fb0c55d5d
Instruction Fuzzy Hash: 8F1142B1900701AFE7209F7AD805B5ABBE0AF44318F20452FE49597291DBB8D944CF1E

Uniqueness

Uniqueness Score: -1.00%

Function 00415964 Relevance: 15.0, APIs: 10, Instructions: 46threadCOMMON

Download Yara Rule

APIs

SetForegroundWindow.USER32(00000001), ref: 0041596D
GetCurrentThreadId.KERNEL32 ref: 00415989
GetForegroundWindow.USER32(00000000,00000000,?,?,00000000,?,?,0041600E,00000000,00000001,?,0000002C,00417178,?), ref: 00415994
GetWindowThreadProcessId.USER32(00000000), ref: 0041599D
AttachThreadInput.USER32(00000000,?,?,00000000,?,?,0041600E,00000000,00000001,?,0000002C,00417178,?), ref: 004159A6
SetForegroundWindow.USER32(00000001), ref: 004159AF
GetCurrentThreadId.KERNEL32 ref: 004159BB
GetForegroundWindow.USER32(00000000,00000000,?,?,00000000,?,?,0041600E,00000000,00000001,?,0000002C,00417178,?), ref: 004159C0
GetWindowThreadProcessId.USER32(00000000), ref: 004159C3
AttachThreadInput.USER32(00000000,?,?,00000000,?,?,0041600E,00000000,00000001,?,0000002C,00417178,?), ref: 004159C6

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCurrentInputProcess
String ID:
API String ID: 1971790674-0
Opcode ID: 62356c74175886d4f04bc80cab1443880e56142eddc45ca1e8b2bb302ed8aae3
Instruction ID: 1172986a0c92354f0a0383d5c0c09ac73fa91b6c9556e687dc9a40ca9781f067
Opcode Fuzzy Hash: 62356c74175886d4f04bc80cab1443880e56142eddc45ca1e8b2bb302ed8aae3
Instruction Fuzzy Hash: 720136B2605304AFD700AFA5EC49F5BBBECEBC4716F11442AF64487161CA75DC408B75

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5F3 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 372COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040C60F

Part of subcall function 00413D44: __EH_prolog3.LIBCMT ref: 00413D4B

RemoveDirectoryA.KERNEL32(80000002,00000000), ref: 0040C9D6

Strings

ZOC4, xrefs: 0040C654, 0040C935
UninstallStartmenu, xrefs: 0040C77F, 0040C784, 0040C7B3, 0040C7F0, 0040C858, 0040C8E2
ZOC, xrefs: 0040C639, 0040C911
ZOC5, xrefs: 0040C66D, 0040C957
ZOC6, xrefs: 0040C689
UninstallPath, xrefs: 0040C74D, 0040C7C1, 0040C826

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$DirectoryRemove
String ID: UninstallPath$UninstallStartmenu$ZOC$ZOC4$ZOC5$ZOC6
API String ID: 2811140049-2283524626
Opcode ID: f6ce44ba933d90936cf064a007bed44aebeb1d3171b6d857f1350a827835f39c
Instruction ID: 4863c0861e3aef4ff3be06286b39e8ef0fae45a4ecf9ddfadc2506b962a8dfff
Opcode Fuzzy Hash: f6ce44ba933d90936cf064a007bed44aebeb1d3171b6d857f1350a827835f39c
Instruction Fuzzy Hash: 73E16132500149DADB14EFA5DD82BDE77A8AF15305F10416BF805B3182EB789B88CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406F77 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 291COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00406F99

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 00415A9E: __EH_prolog3.LIBCMT ref: 00415AA5
Part of subcall function 00415A9E: GetWindowTextLengthA.USER32(?), ref: 00415AB7
Part of subcall function 00415A9E: GetWindowTextA.USER32(?,00000000,00000001), ref: 00415AEC

Part of subcall function 00413D81: __EH_prolog3.LIBCMT ref: 00413D88

Strings

uninstall, xrefs: 00407211
UninstallEmail, xrefs: 004070C8
0.00, xrefs: 00407098
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00407048
anonymous@, xrefs: 004071C2
Version, xrefs: 00407062
uninstall@emtec.com;orders.emtec.com, xrefs: 004070F7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$TextWindow$Length_strlen
String ID: uninstall$0.00$Software\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallEmail$Version$anonymous@$uninstall@emtec.com;orders.emtec.com
API String ID: 1630847524-670958330
Opcode ID: 19fd6bc7c3a8bfa85375112d28bc1f4c75d3a407ae6492a41c5d8d6eecfd3e80
Instruction ID: 0a9f061b3b7801285e14011e8789780a35f272f20b4b8f625014a4804ef4ee14
Opcode Fuzzy Hash: 19fd6bc7c3a8bfa85375112d28bc1f4c75d3a407ae6492a41c5d8d6eecfd3e80
Instruction Fuzzy Hash: 23C1533180018DEEDB15EBA5CD55BDDBBB8AF14308F1040AAE509B31C2EB785B88DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00421454 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 217COMMON

Download Yara Rule

Strings

tcp, xrefs: 004215A0
udp, xrefs: 0042157C

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: e42ce25fe41dedb1ef83b0384d12aa6c1f801a3c5e7adf4f8a28f92981129ea9
Instruction ID: 076fe7531d302dc757b6ca6d0f4ddc34560ebd5d284594a609661b48880c7880
Opcode Fuzzy Hash: e42ce25fe41dedb1ef83b0384d12aa6c1f801a3c5e7adf4f8a28f92981129ea9
Instruction Fuzzy Hash: 79817071E00229EBCF21DF95D8406AEBBB5EF64340F6441ABE455E7270D3788E80DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040F5EB Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F666
_memset.LIBCMT ref: 0040F782
_memset.LIBCMT ref: 0040F7A2

Strings

this->BufLen>=(l+extra), xrefs: 0040F76E
STRING::Make STRINGFLAG_DYNABLOCK new blocksize %d, xrefs: 0040F6E5
buffer, xrefs: 0040F654
.\strings.cpp, xrefs: 0040F64F, 0040F769
STRING::Make Upgrade String to STRINGFLAG_DYNABLOCK, xrefs: 0040F706

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset
String ID: .\strings.cpp$STRING::Make STRINGFLAG_DYNABLOCK new blocksize %d$STRING::Make Upgrade String to STRINGFLAG_DYNABLOCK$buffer$this->BufLen>=(l+extra)
API String ID: 2102423945-1773549806
Opcode ID: b35d98c22497a3c18bfdf6dbf81edbe61c7cd9457114518d95d700c722140612
Instruction ID: 929abcded76d76040ceff49755cd942fa70b0bf47cb8d45abb9ac302d0e777f4
Opcode Fuzzy Hash: b35d98c22497a3c18bfdf6dbf81edbe61c7cd9457114518d95d700c722140612
Instruction Fuzzy Hash: 0B51C2716047019BD7349A26C881F27B3D5EB84719F10883FF49AE7AD1D7BCE8498B4A

Uniqueness

Uniqueness Score: -1.00%

Function 0041A51B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 109COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041A522

Part of subcall function 00413B91: GetCurrentThreadId.KERNEL32 ref: 00413B9A

StartDocPrinterA.WINSPOOL.DRV(?,00000001,?), ref: 0041A572
StartDocA.GDI32(000000FF,00000014), ref: 0041A650

Strings

PRINTER::StartDoc %s hdc= %08x, hdirect= %08x, xrefs: 0041A533
PRINTER::StartDoc raw, StartDocPrinter returned %d, xrefs: 0041A57A
this->hDC, xrefs: 0041A59C
PRINTER::StartDoc done, xrefs: 0041A660
.\printer_win32.cpp, xrefs: 0041A597

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Start$CurrentH_prolog3PrinterThread
String ID: .\printer_win32.cpp$PRINTER::StartDoc %s hdc= %08x, hdirect= %08x$PRINTER::StartDoc done$PRINTER::StartDoc raw, StartDocPrinter returned %d$this->hDC
API String ID: 2667174340-3282340599
Opcode ID: 91dc11db86ff40feb7c921ee950b3d3284e410f19103914b62523dcf15913b80
Instruction ID: 32f8bf562a9c4475e1763614a84d376440e3152d4b9c7856f9be2439491d5ac6
Opcode Fuzzy Hash: 91dc11db86ff40feb7c921ee950b3d3284e410f19103914b62523dcf15913b80
Instruction Fuzzy Hash: 48419271800608EFCB14EFD5C8469DEBBB4EF44724F10452FF556A61D2EB385A88CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004189C1 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004189C8

Part of subcall function 00415EEF: GetWindowRect.USER32(?,?), ref: 00415F12
Part of subcall function 00415EEF: GetWindow.USER32(?,00000004), ref: 00415F34
Part of subcall function 00415EEF: ScreenToClient.USER32(?,?), ref: 00415F4A
Part of subcall function 00415EEF: ScreenToClient.USER32(?,?), ref: 00415F51

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00418A4E

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 004159D4: SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,0000001B), ref: 00415A22

Part of subcall function 00415812: KiUserCallbackDispatcher.NTDLL(?,?,00415D56,?,?,?,?,?,0040E288,?), ref: 0041F1C3

Part of subcall function 00418658: GetDlgItem.USER32(?,?), ref: 00418670

Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5CA
Part of subcall function 0041B3FE: _sprintf.LIBCMT ref: 0041B5F1
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B646
Part of subcall function 0041B3FE: _fprintf.LIBCMT ref: 0041B66F

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00418AE8
SendMessageA.USER32(00000001,00000030,00000000,00000000), ref: 00418AF7

Strings

.\wincontrols_win32.cpp, xrefs: 00418A5D, 00418A62, 00418AAA
CONTROL::CONTROL %08x, %d, %s, %s, %x, %x, xrefs: 004189F5
this->hWnd, xrefs: 00418A63
CONTROL(hwndparent, id).Hwnd()==this->hWnd, xrefs: 00418AAB

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Window$H_prolog3$ClientMessageScreenSend_fprintf_sprintf$CallbackCreateDispatcherErrorItemLastRectUser__snprintf_memset
String ID: .\wincontrols_win32.cpp$CONTROL(hwndparent, id).Hwnd()==this->hWnd$CONTROL::CONTROL %08x, %d, %s, %s, %x, %x$this->hWnd
API String ID: 173105395-186428202
Opcode ID: ee9e364f9341b7cd29f64c0492e8f84529f13d9bfbb0312bf19226ceea8fb501
Instruction ID: 094167d3c78b62b1ce06d6326ad267db43d52c574eba6f1ad3ce88181bfd5a30
Opcode Fuzzy Hash: ee9e364f9341b7cd29f64c0492e8f84529f13d9bfbb0312bf19226ceea8fb501
Instruction Fuzzy Hash: 57414971900209FFDF11EF90CC42FDE7B75EF18704F14800AFA146A292C7799A549B58

Uniqueness

Uniqueness Score: -1.00%

Function 004220F9 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 99networkCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00422100

Part of subcall function 00420FBF: __EH_prolog3.LIBCMT ref: 00420FC6

Part of subcall function 00412ECD: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00412EE0

Part of subcall function 00413129: CreateMutexA.KERNEL32(00000000,00000000,?,?,0041B1B5,00000000,00000000,E5C332AE,?,000001FF,00000000), ref: 00413140

gethostname.WS2_32(?,00000100), ref: 00422212
_strcat.LIBCMT ref: 00422224

Part of subcall function 004107B9: __EH_prolog3.LIBCMT ref: 004107C0
Part of subcall function 004107B9: _strpbrk.LIBCMT ref: 00410829
Part of subcall function 004107B9: _strlen.LIBCMT ref: 00410835

Part of subcall function 004107B9: _strpbrk.LIBCMT ref: 00410809

Part of subcall function 00410409: __vsnprintf.LIBCMT ref: 00410452

Strings

<unknown>, xrefs: 0042221E
TCPIPIO::TCPIPIO this= %08x, this->OurId= %s, xrefs: 004221EA
DKE, xrefs: 00422169
%s[%s], xrefs: 004221C0
TCPIPIO::TCPIPIO done, xrefs: 00422242

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$Create_strpbrk$EventMutex__vsnprintf_strcat_strlengethostname
String ID: %s[%s]$<unknown>$DKE$TCPIPIO::TCPIPIO done$TCPIPIO::TCPIPIO this= %08x, this->OurId= %s
API String ID: 1136008407-361888069
Opcode ID: 8d86aad5a97714fc72610bc1698dfb88f6efa62be5773afb921cba41e25623c9
Instruction ID: 519a777b719541d0a4a49327ef70de0bf5cd6a4ba9a459c4272e1d6f0faaaf6d
Opcode Fuzzy Hash: 8d86aad5a97714fc72610bc1698dfb88f6efa62be5773afb921cba41e25623c9
Instruction Fuzzy Hash: 4931AE70400704EEDB21EF66C941BDEBBF8AF55708F50041FF59A92182DBB86648CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0042A7AD Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042A7B4

Part of subcall function 00413B91: GetCurrentThreadId.KERNEL32 ref: 00413B9A

Strings

main.cpp, xrefs: 0042A7F2
RINGBUFFER::Write Buffer full -- waiting ..., xrefs: 0042A7E1
Ringbuffer Write waits more than 2 Sec, xrefs: 0042A805
RINGBUFFER::~Write %d (%d, %d), xrefs: 0042A8C2
RINGBUFFER::Write %d, xrefs: 0042A7BF
!FILENAME("main.cpp").Exists(), xrefs: 0042A814
.\ringbuffers.cpp, xrefs: 0042A80F

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CurrentH_prolog3Thread
String ID: !FILENAME("main.cpp").Exists()$.\ringbuffers.cpp$RINGBUFFER::Write %d$RINGBUFFER::Write Buffer full -- waiting ...$RINGBUFFER::~Write %d (%d, %d)$Ringbuffer Write waits more than 2 Sec$main.cpp
API String ID: 2223909941-3633728353
Opcode ID: cbd3437a72ac400b3621c994c2260a7018c650683a2b46ccdfc071104b4eb576
Instruction ID: 4e2f32306867b750c1189e1ec0e41423a7b7d0009d22e4cd73e10d37439764a8
Opcode Fuzzy Hash: cbd3437a72ac400b3621c994c2260a7018c650683a2b46ccdfc071104b4eb576
Instruction Fuzzy Hash: E13124306407049FCB24AF65DC42A6E7370EF10718F200A1FF992561C3DB78A955C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE4A Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 83comCOMMON

Download Yara Rule

APIs

Part of subcall function 0041292F: _memset.LIBCMT ref: 0041294F
Part of subcall function 0041292F: GetVersionExA.KERNEL32(?), ref: 00412962

CoInitialize.OLE32(00000000), ref: 0041BE85
CoCreateInstance.OLE32(0045C830,00000000,00000001,0045C840,?), ref: 0041BE9C

Strings

FIREWALL::Constructor() WinOS < WinXP detected, constructor aborted, xrefs: 0041BE78
FIREWALL::Constructor() get_LocalPolicy failed: 0x%08lx, xrefs: 0041BEC0
FIREWALL::Constructor() CoCreateInstance failed: 0x%08lx, xrefs: 0041BEA7
FIREWALL::~Constructor(), xrefs: 0041BF04
FIREWALL::Constructor() get_CurrentProfile failed: 0x%08lx, xrefs: 0041BED6
FIREWALL::Constructor(), xrefs: 0041BE59

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CreateInitializeInstanceVersion_memset
String ID: FIREWALL::Constructor()$FIREWALL::Constructor() CoCreateInstance failed: 0x%08lx$FIREWALL::Constructor() WinOS < WinXP detected, constructor aborted$FIREWALL::Constructor() get_CurrentProfile failed: 0x%08lx$FIREWALL::Constructor() get_LocalPolicy failed: 0x%08lx$FIREWALL::~Constructor()
API String ID: 3383046407-3241608711
Opcode ID: e523b7d3c871f38c281b9073dcd9fd0054e2c5984c3b4fd78ea936865489f135
Instruction ID: 47e316b6b6b42297f19a697f542a9cefe1305b5889f8809344da5b33385c60d9
Opcode Fuzzy Hash: e523b7d3c871f38c281b9073dcd9fd0054e2c5984c3b4fd78ea936865489f135
Instruction Fuzzy Hash: BE214C71640308AF9B009B96CCC5EFE77ADEB85719B30044BF901DB142D7B999C2CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A432 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00413B91: GetCurrentThreadId.KERNEL32 ref: 00413B9A

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

GetDeviceCaps.GDI32(?,00000058), ref: 0041A493
GetDeviceCaps.GDI32(?,0000005A), ref: 0041A49D
GetDeviceCaps.GDI32(?,00000008), ref: 0041A4CE
GetDeviceCaps.GDI32(?,0000000A), ref: 0041A4E9

Strings

PRINTER::SetMargins done, xrefs: 0041A50B
this->hDC, xrefs: 0041A478
PRINTER::SetMargins hdc= %08x, hdirect= %08x, xrefs: 0041A441
.\printer_win32.cpp, xrefs: 0041A473

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CapsDevice$CurrentErrorH_prolog3LastThread__snprintf_memset
String ID: .\printer_win32.cpp$PRINTER::SetMargins done$PRINTER::SetMargins hdc= %08x, hdirect= %08x$this->hDC
API String ID: 2060520178-1212465177
Opcode ID: 685b0a3494027d1c87a8b2ef84604e74bf3110dd91a024cddbd8ecd8b07b4d04
Instruction ID: 9e70e2f091503b3af5d7220d5a2e4d31455ff875f505ac3bf0db5694c7ec7e52
Opcode Fuzzy Hash: 685b0a3494027d1c87a8b2ef84604e74bf3110dd91a024cddbd8ecd8b07b4d04
Instruction Fuzzy Hash: 7921F871700708AFCB24EF69DE82F4ABBF5EBA4701F10452EF501EA1D1D674EA148B55

Uniqueness

Uniqueness Score: -1.00%

Function 00421AB4 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00413B91: GetCurrentThreadId.KERNEL32 ref: 00413B9A

shutdown.WS2_32(00000000,00000002), ref: 00421B2A
closesocket.WS2_32(00000000), ref: 00421B44

Strings

TCPIPIO::FreeAcceptSocket will close skt=%d (i= %d) now, xrefs: 00421B18
TCPIPIO::FreeAcceptSocket skt=%d, i= %d, InUse= %d now, xrefs: 00421AF1
TCPIPIO::FreeAcceptSocket soclose(%d), err= %d, xrefs: 00421B4E
TCPIPIO::FreeAcceptSocket done, xrefs: 00421B73
TCPIPIO::FreeAcceptSocket shutdown(%d), err= %d, xrefs: 00421B34
TCPIPIO::FreeAcceptSocket skt= %d, hard= %d, this= %08x, xrefs: 00421AC1

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CurrentThreadclosesocketshutdown
String ID: TCPIPIO::FreeAcceptSocket done$TCPIPIO::FreeAcceptSocket shutdown(%d), err= %d$TCPIPIO::FreeAcceptSocket skt= %d, hard= %d, this= %08x$TCPIPIO::FreeAcceptSocket skt=%d, i= %d, InUse= %d now$TCPIPIO::FreeAcceptSocket soclose(%d), err= %d$TCPIPIO::FreeAcceptSocket will close skt=%d (i= %d) now
API String ID: 94276566-4120259822
Opcode ID: 363bfa947b9a8afb9a544a88664f8ce5dbae5725e0c896289f616977c2cc95cc
Instruction ID: 9ffc481203dd4e59d8c341d7e1e4a74bc2bee9cd4f6e184a9c67668ae9ca171b
Opcode Fuzzy Hash: 363bfa947b9a8afb9a544a88664f8ce5dbae5725e0c896289f616977c2cc95cc
Instruction Fuzzy Hash: 1F116572600704FBDB202F46DC06F9B3B65EB51736F10852FFC69411A2E7396894CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00423115 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 67networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042311C
WSACleanup.WS2_32 ref: 004231CB

Part of subcall function 00422258: shutdown.WS2_32(?,00000002), ref: 004222A8
Part of subcall function 00422258: closesocket.WS2_32(?), ref: 004222D1
Part of subcall function 00422258: _strcat.LIBCMT ref: 00422311

Strings

TCPIPIO::~TCPIPIO after semAcceptDone.Wait(), xrefs: 004231C0
!this->DevIsConnected(), xrefs: 0042318E
TCPIPIO::~TCPIPIO this= %08x, xrefs: 0042312D
.\tcpio.cpp, xrefs: 00423189
TCPIPIO::~TCPIPIO after FreeAcceptSocket(), xrefs: 00423175
TCPIPIO::~TCPIPIO after DropCall(), xrefs: 00423150

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CleanupH_prolog3_strcatclosesocketshutdown
String ID: !this->DevIsConnected()$.\tcpio.cpp$TCPIPIO::~TCPIPIO after DropCall()$TCPIPIO::~TCPIPIO after FreeAcceptSocket()$TCPIPIO::~TCPIPIO after semAcceptDone.Wait()$TCPIPIO::~TCPIPIO this= %08x
API String ID: 3400137420-3359572512
Opcode ID: 5cf28e2f1cb8e39be454ba2cf6b0a1b969ed48bb0737199a58412385a3978022
Instruction ID: 2bf020f5649d9aa7167d65e463d9016f1a960db907fd53f50a2b16f195cb1cff
Opcode Fuzzy Hash: 5cf28e2f1cb8e39be454ba2cf6b0a1b969ed48bb0737199a58412385a3978022
Instruction Fuzzy Hash: BA110A30380714A6D714BB7658037AD66554F50729FA0024FFC25661D3DFAC175E465E

Uniqueness

Uniqueness Score: -1.00%

Function 00443E79 Relevance: 13.7, APIs: 9, Instructions: 186COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00443E8E
__calloc_crt.LIBCMT ref: 00443EA1

Part of subcall function 00442DF5: __calloc_impl.LIBCMT ref: 00442E03
Part of subcall function 00442DF5: Sleep.KERNEL32(00000000), ref: 00442E1A

__calloc_crt.LIBCMT ref: 00443F24
GetFileType.KERNEL32(00000038), ref: 00443FA4
___crtInitCritSecAndSpinCount.LIBCMT ref: 00443FD8
GetStdHandle.KERNEL32(-000000F6), ref: 0044402E
GetFileType.KERNEL32(00000000), ref: 00444040
___crtInitCritSecAndSpinCount.LIBCMT ref: 0044406E
SetHandleCount.KERNEL32 ref: 00444098

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Count$CritFileHandleInitSpinType___crt__calloc_crt$InfoSleepStartup__calloc_impl
String ID:
API String ID: 1318386821-0
Opcode ID: 63f6e8e06acdf0055f429840710d37bb9433b0ad5aa91382c0a4b4afc305cbb2
Instruction ID: 6999f6a16b54679f314561d9007aab3dec184515632c0e187c42b9555fe63f8e
Opcode Fuzzy Hash: 63f6e8e06acdf0055f429840710d37bb9433b0ad5aa91382c0a4b4afc305cbb2
Instruction Fuzzy Hash: F56167318047418FEB24CF28D944716BBF0AF52735F29436BE5629B2E1C778D80ACB19

Uniqueness

Uniqueness Score: -1.00%

Function 004172B5 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 342COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004172BF

Part of subcall function 00415BEA: IsWindow.USER32(?), ref: 00415BF2

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Strings

ListBox, xrefs: 00417360
cdepend.IsValid(), xrefs: 004172EB
.\datadialogs.cpp, xrefs: 004172E6, 0041746C, 00417626, 004176B3
Edit, xrefs: 0041739B
Button, xrefs: 0041732A, 00417345
FALSE, xrefs: 00417471, 0041762B, 004176B8

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$ErrorLastWindow__snprintf_memset
String ID: .\datadialogs.cpp$Button$Edit$FALSE$ListBox$cdepend.IsValid()
API String ID: 726385935-1427461352
Opcode ID: 7015655d2cad5781f80c21fec7e0aa119446ec5ab9bae5a0b636e9bca7fe2ca1
Instruction ID: e503535e2e617347480a61af1fa58a1fe9d08d6da5bc1ca6d0bf11b7668df4e3
Opcode Fuzzy Hash: 7015655d2cad5781f80c21fec7e0aa119446ec5ab9bae5a0b636e9bca7fe2ca1
Instruction Fuzzy Hash: 39C1E831A48218EBCB14DBA9CC42BEE77B4AF14314F24026FE515B61D2EB7C5EC4C699

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2DC Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 189COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040A2EA

Part of subcall function 00413D44: __EH_prolog3.LIBCMT ref: 00413D4B

Part of subcall function 00411500: __EH_prolog3.LIBCMT ref: 00411507

Part of subcall function 00410A1E: _strerror.LIBCMT ref: 00410A39

Part of subcall function 00410ED1: __EH_prolog3.LIBCMT ref: 00410ED8

Strings

$DIR, xrefs: 0040A49B
%ZOCFILES%, xrefs: 0040A35E, 0040A363, 0040A374
Software\EmTec, xrefs: 0040A309
$PROGRAM, xrefs: 0040A484
ZOC, xrefs: 0040A3D2, 0040A3ED, 0040A483
ZOC5, xrefs: 0040A303, 0040A308, 0040A31C

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strerror
String ID: $DIR$$PROGRAM$%ZOCFILES%$Software\EmTec$ZOC$ZOC5
API String ID: 3094183856-1215133591
Opcode ID: 6342ea278712bd1621e844bb2ac57a199d22d5092e42c1ffd3618b15dd1a3553
Instruction ID: 31f00c463a37ddbbfba70e7a30d23953268d8750e48afef9c5f6c967342a5b54
Opcode Fuzzy Hash: 6342ea278712bd1621e844bb2ac57a199d22d5092e42c1ffd3618b15dd1a3553
Instruction Fuzzy Hash: C4717271800288EADB11EF65CC45BDD7BB4AF15318F1441AEF849A31D2EB785B48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAB5 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 189COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040CAC3

Part of subcall function 00413D44: __EH_prolog3.LIBCMT ref: 00413D4B

Part of subcall function 00411500: __EH_prolog3.LIBCMT ref: 00411507

Part of subcall function 00410A1E: _strerror.LIBCMT ref: 00410A39

Part of subcall function 00410ED1: __EH_prolog3.LIBCMT ref: 00410ED8

Strings

$DIR, xrefs: 0040CC74
%ZOCFILES%, xrefs: 0040CB37, 0040CB3C, 0040CB4D
Software\EmTec, xrefs: 0040CAE2
$PROGRAM, xrefs: 0040CC5D
ZOC, xrefs: 0040CBAB, 0040CBC6, 0040CC5C
ZOC6, xrefs: 0040CADC, 0040CAE1, 0040CAF5

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strerror
String ID: $DIR$$PROGRAM$%ZOCFILES%$Software\EmTec$ZOC$ZOC6
API String ID: 3094183856-3513001517
Opcode ID: ac3596d289cef1e51580c47283807979b4401bae332f44f2a8c71b20e8231fc3
Instruction ID: c509b77a52403199abc11a3b21c738b7fd7a645ecde9d56d0c20be4b738aaf22
Opcode Fuzzy Hash: ac3596d289cef1e51580c47283807979b4401bae332f44f2a8c71b20e8231fc3
Instruction Fuzzy Hash: 2F718371800288EADB11EF65CC85BDD7BB4AF15318F1441AEF849B31D2EB785B48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040FEAC Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040FECB

Strings

<NULL>, xrefs: 0040FF71, 0040FF77
isxdigit(xdigit[1]), xrefs: 00410003
isxdigit(xdigit[0]), xrefs: 0040FFD6
.\strings.cpp, xrefs: 0040FF7D, 0040FFCD, 0040FFD2, 0040FFFF
FALSE, xrefs: 0040FF82

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3
String ID: .\strings.cpp$<NULL>$FALSE$isxdigit(xdigit[0])$isxdigit(xdigit[1])
API String ID: 431132790-2099139090
Opcode ID: 9e9ff284e5610fe18e7b66ed8c83e1aa913da33d467b81d511564582ed4a67b3
Instruction ID: 56b7c19bb3c4fd6f3bcb3852a22283f7fbb2ad5c2bc44a8fd832f72b91477286
Opcode Fuzzy Hash: 9e9ff284e5610fe18e7b66ed8c83e1aa913da33d467b81d511564582ed4a67b3
Instruction Fuzzy Hash: 8551F830D042889FDB21DFA89441BFEBFB8AB59305F14806FD44577283C7BC5A88876A

Uniqueness

Uniqueness Score: -1.00%

Function 0041502D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 163COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041503B

Part of subcall function 0041036C: __EH_prolog3.LIBCMT ref: 00410373
Part of subcall function 0041036C: _strlen.LIBCMT ref: 004103B5
Part of subcall function 0041036C: _strlen.LIBCMT ref: 004103E2

Part of subcall function 00411500: __EH_prolog3.LIBCMT ref: 00411507

Part of subcall function 00410A1E: _strerror.LIBCMT ref: 00410A39

Part of subcall function 00401A26: __EH_prolog3.LIBCMT ref: 00401A2D

Strings

\..\approot.cpp, xrefs: 0041507B
\Debug2, xrefs: 00415119
\Debug, xrefs: 004150D6
\Release, xrefs: 00415159
\Release2, xrefs: 00415199
\..\main.cpp, xrefs: 00415044

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strlen$_strerror
String ID: \..\approot.cpp$\..\main.cpp$\Debug$\Debug2$\Release$\Release2
API String ID: 2497294980-1857618801
Opcode ID: cb20fe3143dc46bc3821143fc4100c22fc0077c98868a2e38462abe5d865526f
Instruction ID: 5afbb1781faf8a5292670a928b98c71d69ce5cb78a951168abcb29959865bc49
Opcode Fuzzy Hash: cb20fe3143dc46bc3821143fc4100c22fc0077c98868a2e38462abe5d865526f
Instruction Fuzzy Hash: 42515132914288EACB11EFA4C846BDD77A4AF14358F14416AFC15A32C2EB7C9A8C8795

Uniqueness

Uniqueness Score: -1.00%

Function 0041C46D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 131COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041C474

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 00419A87: _strncpy.LIBCMT ref: 00419AA6

Part of subcall function 00418F66: _memset.LIBCMT ref: 00418FAD
Part of subcall function 00418F66: _sprintf.LIBCMT ref: 00418FCA

Strings

EMAIL::Receiver %s, xrefs: 0041C574
.com, xrefs: 0041C5ED
EMAIL::Subject %s, xrefs: 0041C581
EMAIL::Sender %s, xrefs: 0041C55D
anonymous@, xrefs: 0041C5E2
EMAIL::SmtpHost %s, xrefs: 0041C58D

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_memset_sprintf_strlen_strncpy
String ID: .com$EMAIL::Receiver %s$EMAIL::Sender %s$EMAIL::SmtpHost %s$EMAIL::Subject %s$anonymous@
API String ID: 165982434-1665083234
Opcode ID: 8af7be721da2cc9c296706e07c1b9310c9574688be6eac2ff942fb813ad83f8c
Instruction ID: 69d2969e739ce943c7cbb8132b45b483c0e57ceb9c9670e5cc93f1bad8b9dca9
Opcode Fuzzy Hash: 8af7be721da2cc9c296706e07c1b9310c9574688be6eac2ff942fb813ad83f8c
Instruction Fuzzy Hash: EA51C230500389EEDB11EBB6C846BDE7BA5AF54308F14446EF849631C2DB7C6B48D76A

Uniqueness

Uniqueness Score: -1.00%

Function 0041E139 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 105COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041E173
_memset.LIBCMT ref: 0041E182
_memset.LIBCMT ref: 0041E20C

Strings

UNICODE::UNICODE init tables, xrefs: 0041E187
UNICODE::UNICODE done, xrefs: 0041E266
UNICODE::UNICODE, xrefs: 0041E144
UNICODE::UNICODE init done, xrefs: 0041E1C7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset
String ID: UNICODE::UNICODE$UNICODE::UNICODE done$UNICODE::UNICODE init done$UNICODE::UNICODE init tables
API String ID: 2102423945-1718955495
Opcode ID: 80b53a0a5b67439f8051c3c0c700a054a5c61f43f6f332825775ae98fdaa2567
Instruction ID: 28e0c7ad7e069d4f1db24a7f3f3baafc716b824d464fc0dbe919e2535a258d5e
Opcode Fuzzy Hash: 80b53a0a5b67439f8051c3c0c700a054a5c61f43f6f332825775ae98fdaa2567
Instruction Fuzzy Hash: 6B3126712007049BD7299F2AC852ABAB2ADEF41748F50046FE95ACF241EB78BD81C758

Uniqueness

Uniqueness Score: -1.00%

Function 0042300D Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00423014

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 0040F93F: _strlen.LIBCMT ref: 0040F95F

Strings

TCP::WriteCmd %s, xrefs: 004230B2
PASS , xrefs: 00423058
TCP::WriteCmd returned %s, xrefs: 004230EA
LOGIN, xrefs: 00423081
******, xrefs: 004230A2
IMAP, xrefs: 0042306B

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3_strlen
String ID: ******$IMAP$LOGIN$PASS $TCP::WriteCmd %s$TCP::WriteCmd returned %s
API String ID: 782648989-1627918896
Opcode ID: 1702b3819fee0a067c95d98b212d351507563709cff1767492ca9baddf3db522
Instruction ID: 3f335f3d6886c161aae273e551e3119ec035c3b465d8d9693783b5ec972d7650
Opcode Fuzzy Hash: 1702b3819fee0a067c95d98b212d351507563709cff1767492ca9baddf3db522
Instruction Fuzzy Hash: 9B314172900259BBCF15EF91CC429EE7B78EF18358F94003BF80572192DB385A59CA69

Uniqueness

Uniqueness Score: -1.00%

Function 004116AF Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004116BA
_memset.LIBCMT ref: 004116D5
_strlen.LIBCMT ref: 004116EA
_strlen.LIBCMT ref: 004116FF

Strings

DGE, xrefs: 0041173A
\.\, xrefs: 00411740
FILENAME::FILENAME returns %s, xrefs: 00411758

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strlen$H_prolog3_memset
String ID: DGE$FILENAME::FILENAME returns %s$\.\
API String ID: 1544512054-2511429333
Opcode ID: 92d73c30fa42c47c7d13a9f96a1b96025e8fe64660b94f3bf67e95454d8925d7
Instruction ID: 54661771440509633bf18104852cf503b3abf31adc7d9e390e8fac20b7d34041
Opcode Fuzzy Hash: 92d73c30fa42c47c7d13a9f96a1b96025e8fe64660b94f3bf67e95454d8925d7
Instruction Fuzzy Hash: F3210631600288ABCB15EF958846BDE77B4DF95708F10402FFD0597382EBBD5A4C9759

Uniqueness

Uniqueness Score: -1.00%

Function 00415898 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 70windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

PeekMessageA.USER32(00000001,00000000,00000000,00000000,00000001), ref: 004158C9
TranslateMessage.USER32(?), ref: 004158E6
DispatchMessageA.USER32(?), ref: 004158F0
MsgWaitForMultipleObjects.USER32(00000001,000001FF,00000000,?,000000FF), ref: 00415906

Strings

WINDOWS::WinWaitForSingleObject dispatch msg= %04x, xrefs: 004158D6
WINDOWS::WinWaitForSingleObject finished, xrefs: 0041590F
.\windows_win32.cpp, xrefs: 00415932

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Message$DispatchMultipleObjectsPeekTranslateWait
String ID: .\windows_win32.cpp$WINDOWS::WinWaitForSingleObject dispatch msg= %04x$WINDOWS::WinWaitForSingleObject finished
API String ID: 2231909638-791906260
Opcode ID: f1833bad4ce4b670fbf2eef20d80b446d15b7c4106f0c2f5ec303141c9f92142
Instruction ID: b0e3dc20ce9c05df7aa32daaff5ee327c47403bced5f2ea3d0d0dc2180bf99cc
Opcode Fuzzy Hash: f1833bad4ce4b670fbf2eef20d80b446d15b7c4106f0c2f5ec303141c9f92142
Instruction Fuzzy Hash: 2D11987264030DFEEB105BD58C8AFDF376CEB44715F10402BFD0166091D6B8D98486A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F877 Relevance: 12.1, APIs: 8, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041F896
CoInitialize.OLE32(00000000), ref: 0041F8D2
_memset.LIBCMT ref: 0041F8E5

Part of subcall function 004157DA: __EH_prolog3.LIBCMT ref: 004157E1

Part of subcall function 0041EFC4: __EH_prolog3.LIBCMT ref: 0041EFCB

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

SHBrowseForFolderA.SHELL32(?,?), ref: 0041F92E
SHGetPathFromIDListA.SHELL32(00000000,00000000), ref: 0041F93F
SHGetMalloc.SHELL32(?), ref: 0041F949
_strlen.LIBCMT ref: 0041F961
_strlen.LIBCMT ref: 0041F971

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strlen$BrowseFolderFromInitializeListMallocPath_memset
String ID:
API String ID: 3582332183-0
Opcode ID: 556a8f202b3d51e1948a0f6de1742f1189e9fe77361264dabb6abaf46adcf4ac
Instruction ID: 901c0e7140ad745ee44d131ca0ca1699b1811a331fe78104dff1d50718531f15
Opcode Fuzzy Hash: 556a8f202b3d51e1948a0f6de1742f1189e9fe77361264dabb6abaf46adcf4ac
Instruction Fuzzy Hash: BD4151B5D0024DEFCB10EFA5D845AEEB7B4FF48308F00442AF915AB291D7789645CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00407562 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 243COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00407570

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 00413D81: __EH_prolog3.LIBCMT ref: 00413D88

Part of subcall function 004114D2: __EH_prolog3.LIBCMT ref: 004114D9

Part of subcall function 00411793: __EH_prolog3.LIBCMT ref: 0041179A

_strlen.LIBCMT ref: 0040763C

Strings

$DIR, xrefs: 00407803
CEAppMgr.exe, xrefs: 004075B2
$PROGRAM, xrefs: 004077EE
Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 004075AD

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strlen
String ID: $DIR$$PROGRAM$CEAppMgr.exe$Software\Microsoft\Windows\CurrentVersion\App Paths\
API String ID: 3239654323-2088391398
Opcode ID: 0c953ea9c3368ddde8cd06a6f3ba37432a80e3e118f51092911e09648d62274f
Instruction ID: 0fefd57b033297214be7ae376459f3a28dabd28274a92ff8aafe567996a6cf8a
Opcode Fuzzy Hash: 0c953ea9c3368ddde8cd06a6f3ba37432a80e3e118f51092911e09648d62274f
Instruction Fuzzy Hash: 6191E970904248FEDB14EFA5CC46BDD7BA49F14318F10416EF905A72C2E7789B88C799

Uniqueness

Uniqueness Score: -1.00%

Function 004402BC Relevance: 10.7, APIs: 7, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

APIs

getSystemCP.LIBCMT ref: 004402D5

Part of subcall function 00440242: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0044024F
Part of subcall function 00440242: GetOEMCP.KERNEL32(00000000), ref: 00440269

setSBCS.LIBCMT ref: 004402E7

Part of subcall function 0043FFBF: _memset.LIBCMT ref: 0043FFD2

IsValidCodePage.KERNEL32(-00000030), ref: 0044032D
GetCPInfo.KERNEL32(00000000,?), ref: 00440340
_memset.LIBCMT ref: 00440358
setSBUpLow.LIBCMT ref: 0044042B

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
String ID:
API String ID: 2658552758-0
Opcode ID: 03b476c277a962630d0066a87d17d6987b9a127d535cf155bebddf148b768a7a
Instruction ID: 2b5736ddb7c6a9cd153bfb9935971c8d1e10e9e0193cf67bd285b0e14bd8f473
Opcode Fuzzy Hash: 03b476c277a962630d0066a87d17d6987b9a127d535cf155bebddf148b768a7a
Instruction Fuzzy Hash: DB5113319042158BEB21DF65C8842BEBBE4EF05305F1484ABEA859F242D67CC952CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 00409353 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409375

Part of subcall function 00415A9E: __EH_prolog3.LIBCMT ref: 00415AA5
Part of subcall function 00415A9E: GetWindowTextLengthA.USER32(?), ref: 00415AB7
Part of subcall function 00415A9E: GetWindowTextA.USER32(?,00000000,00000001), ref: 00415AEC

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

Part of subcall function 00411530: __EH_prolog3.LIBCMT ref: 00411537
Part of subcall function 00411530: _memset.LIBCMT ref: 00411552
Part of subcall function 00411530: _strlen.LIBCMT ref: 00411589

Part of subcall function 00402F64: __EH_prolog3.LIBCMT ref: 00402F6B

_strlen.LIBCMT ref: 0040942A
_sprintf.LIBCMT ref: 004094BA
GetParent.USER32 ref: 004094F0

Part of subcall function 00411500: __EH_prolog3.LIBCMT ref: 00411507

Strings

zoc.exe, xrefs: 004093CE
phonebk, xrefs: 004093E1

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$TextWindow_strlen$LengthParent_memset_sprintf
String ID: phonebk$zoc.exe
API String ID: 325083663-1788341587
Opcode ID: 9319a5fd62f1c7dd8ad9d2158fccda98ff41b736834064bc91b1e6fbb7f70222
Instruction ID: f2270802b09cf7d0114e5a39e79aecb6f3167cccece6095d76e5b2e4842081db
Opcode Fuzzy Hash: 9319a5fd62f1c7dd8ad9d2158fccda98ff41b736834064bc91b1e6fbb7f70222
Instruction Fuzzy Hash: 0551B371904248AEDB15EBA5DD06BDDB7B4AF14318F10807EE509B22D2EB785B48CB19

Uniqueness

Uniqueness Score: -1.00%

Function 004462EC Relevance: 10.6, APIs: 7, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00446303

Part of subcall function 004433C1: __FF_MSGBANNER.LIBCMT ref: 004433DD

__lock.LIBCMT ref: 00446317
__lock.LIBCMT ref: 00446360
___crtInitCritSecAndSpinCount.LIBCMT ref: 0044637B
EnterCriticalSection.KERNEL32(00000115,00469FD0,00000018,0043DADD,00000109,00000000,00000000), ref: 004463A1
LeaveCriticalSection.KERNEL32(00000115), ref: 004463AE

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CriticalSection__lock$CountCritEnterInitLeaveSpin___crt__mtinitlocknum
String ID:
API String ID: 2236623020-0
Opcode ID: 5eeb4f1003d0238ea5a3daf38dd849c340203a7cd40c80704053902742844812
Instruction ID: 196cd0b24b68a955476ac231691ea59e614d387b85dafb4239c54dd630f69f12
Opcode Fuzzy Hash: 5eeb4f1003d0238ea5a3daf38dd849c340203a7cd40c80704053902742844812
Instruction Fuzzy Hash: B5415D319007418BFB249F68D90536E7BF0AF12325F26821FE4669A2D1CBBC8941CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 00420FBF Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00420FC6

Part of subcall function 0042A56C: __EH_prolog3.LIBCMT ref: 0042A573
Part of subcall function 0042A56C: _malloc.LIBCMT ref: 0042A5AE

Part of subcall function 00412ECD: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00412EE0

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 00419BAA: __EH_prolog3.LIBCMT ref: 00419BB1
Part of subcall function 00419BAA: _strncpy.LIBCMT ref: 00419BFF
Part of subcall function 00419BAA: _strncpy.LIBCMT ref: 00419C0F

Strings

<unknown>, xrefs: 0042107A
BASEIO::BASEIO ConstructorDoneHandle= %08x, xrefs: 004210F0
BASEIO::BASEIO done, xrefs: 0042110A
BASEIO::BASEIO semKillThreadHandle= %08x, xrefs: 004210E4
BASEIO::BASEIO this= %08x, ourid= %s, calltype= %s, parm= %s, xrefs: 004210BF

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strncpy$CreateEvent_malloc_strlen
String ID: <unknown>$BASEIO::BASEIO ConstructorDoneHandle= %08x$BASEIO::BASEIO done$BASEIO::BASEIO semKillThreadHandle= %08x$BASEIO::BASEIO this= %08x, ourid= %s, calltype= %s, parm= %s
API String ID: 2317793957-2465247092
Opcode ID: 6ec3266579b3c3cf94ce5f22f1ee2b90e796090d389d262421c158e1aca4b9e4
Instruction ID: 3bcd102ed439458aa2328305b4ce3425ab384b8966ca00be2a54539d322ca78c
Opcode Fuzzy Hash: 6ec3266579b3c3cf94ce5f22f1ee2b90e796090d389d262421c158e1aca4b9e4
Instruction Fuzzy Hash: 4F419134504784EECB21DF76C941BDBBBE0AF59708F10490EF89A23292DBB96254CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00414879 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 0041489A
_strlen.LIBCMT ref: 004148B6
_strlen.LIBCMT ref: 00414915

Part of subcall function 004114D2: __EH_prolog3.LIBCMT ref: 004114D9

_strlen.LIBCMT ref: 004148BE
_strlen.LIBCMT ref: 004148C9

Strings

<self>, xrefs: 00414887

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strlen$H_prolog3_strcat
String ID: <self>
API String ID: 1214488146-3288012949
Opcode ID: 4bf1c7a333f22114bef45732c39cd10e6bf7f4994ca7dd478a71559da8702369
Instruction ID: 90a018e4806f5f9647f84efa4d98bd17fbc1052c98603d666a48d31e6f50e3a3
Opcode Fuzzy Hash: 4bf1c7a333f22114bef45732c39cd10e6bf7f4994ca7dd478a71559da8702369
Instruction Fuzzy Hash: 81213A711083916EEB15AF2ACC01BDE3B94AF86324F14106FF881972D2DB7C9C82875D

Uniqueness

Uniqueness Score: -1.00%

Function 0041376D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 54synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00413774
WaitForSingleObject.KERNEL32(?,?), ref: 004137BA

Part of subcall function 00412A8A: __EH_prolog3.LIBCMT ref: 00412AA9
Part of subcall function 00412A8A: GetLastError.KERNEL32(00000008), ref: 00412ACB
Part of subcall function 00412A8A: _memset.LIBCMT ref: 00412AED
Part of subcall function 00412A8A: FormatMessageA.KERNEL32(00001000,00000000,FFFFED99,00000000,00000000,00000100,00000000,?,?,00000008), ref: 00412B0C

Strings

OSYS::WaitThread hthread=%08x timeout= %d failed %s, xrefs: 004137EE
.\osys_win32.cpp, xrefs: 004137A5
OSYS::WaitThread hthread=%08x, timeout= %d, xrefs: 00413785
hthread!=NULL, xrefs: 004137AA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$ErrorFormatLastMessageObjectSingleWait_memset
String ID: .\osys_win32.cpp$OSYS::WaitThread hthread=%08x timeout= %d failed %s$OSYS::WaitThread hthread=%08x, timeout= %d$hthread!=NULL
API String ID: 142547358-3696753234
Opcode ID: cd288f7f9e4150dc3f66f2f54bdb41815c415a6411b398f237795d0551f6d9a4
Instruction ID: f619b219c6c6daaa42870c36af6675fa2eb567c62fd4f625241cd1b0a8813aa5
Opcode Fuzzy Hash: cd288f7f9e4150dc3f66f2f54bdb41815c415a6411b398f237795d0551f6d9a4
Instruction Fuzzy Hash: FA014971541314B7C7107B624C4BFDF2A249F41B1AF54411FBC047B1C3DB6C9A6882E9

Uniqueness

Uniqueness Score: -1.00%

Function 00413098 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(E5C332AE,?), ref: 004130B9
_sprintf.LIBCMT ref: 004130EB

Strings

rc!=WAIT_FAILED, xrefs: 00413103
.\osys_win32.cpp, xrefs: 004130FE
handle= %08x, xrefs: 004130E5
EVENTSEM::Wait %08x rc=%d, xrefs: 004130C9

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ObjectSingleWait_sprintf
String ID: .\osys_win32.cpp$EVENTSEM::Wait %08x rc=%d$handle= %08x$rc!=WAIT_FAILED
API String ID: 3570847061-2891030087
Opcode ID: 1be6c3aa699451e8eba74bf40ce803ead6a38d97a7d9f04f9f2eb04ebcd968e5
Instruction ID: 0f27f2789e1d13210565270c1e4ed5318751c44e56aff20ad8054a18177050e3
Opcode Fuzzy Hash: 1be6c3aa699451e8eba74bf40ce803ead6a38d97a7d9f04f9f2eb04ebcd968e5
Instruction Fuzzy Hash: 71014C316002087ADB109F79DC03F9A77E8AF48B29F10076BFE55D31C2EA788A50875A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F07D Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_getenv.LIBCMT ref: 0040F08B

Strings

<NULL>, xrefs: 0040F0B1
p!=NULL, xrefs: 0040F0DE
EMTECFAILONNULL, xrefs: 0040F086
.\strings.cpp, xrefs: 0040F0D9
<none>, xrefs: 0040F0C5, 0040F0CC

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _getenv
String ID: .\strings.cpp$<NULL>$<none>$EMTECFAILONNULL$p!=NULL
API String ID: 3834326495-3058051619
Opcode ID: 0b71fc663b2add86da0fcc721852ee57e987063ebc593aaeb22fdfe86fac87de
Instruction ID: 40fd6c6ddc18c04048565f2e429f2af0f0bf4d1033f0e546ecdc9007074cc206
Opcode Fuzzy Hash: 0b71fc663b2add86da0fcc721852ee57e987063ebc593aaeb22fdfe86fac87de
Instruction Fuzzy Hash: CBF0F035B0021057EB209675AC23B5723888B00B55F05A43FFC44FB2C3D76CDC48429C

Uniqueness

Uniqueness Score: -1.00%

Function 0041A710 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

DeleteObject.GDI32(?), ref: 0041A746
CreateFontIndirectA.GDI32(?), ref: 0041A754
SelectObject.GDI32(?,?), ref: 0041A77A

Strings

this->hDC, xrefs: 0041A72E
this->hFont, xrefs: 0041A763
.\printer_win32.cpp, xrefs: 0041A728, 0041A72D, 0041A762

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Object$CreateDeleteErrorFontH_prolog3IndirectLastSelect__snprintf_memset
String ID: .\printer_win32.cpp$this->hDC$this->hFont
API String ID: 4085316585-2624105127
Opcode ID: b2e4c608f40e23ea4f4fce3a8e13abefeb364bf7baeb0169104fe828d29003f1
Instruction ID: 6ab158ebc43fe64ff5be0a275118b8951eb661639f0bdfc588b036db918ba3a1
Opcode Fuzzy Hash: b2e4c608f40e23ea4f4fce3a8e13abefeb364bf7baeb0169104fe828d29003f1
Instruction Fuzzy Hash: AEF0A471540700AFD7305B56DC4AF4777B8EB84B2AF10052EF615951E2C379E8948BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00414B50 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32), ref: 00414B5D
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00414B70
GetProcessHeap.KERNEL32(00000000,?,00000004), ref: 00414B8A
FreeLibrary.KERNEL32(00000000), ref: 00414B96

Strings

HeapSetInformation, xrefs: 00414B6A
kernel32, xrefs: 00414B56

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Library$AddressFreeHeapLoadProcProcess
String ID: HeapSetInformation$kernel32
API String ID: 2919563809-1954744524
Opcode ID: 691bfc8bd2fcaedfd429b81094c924810f278b05e5e70aaeb058ed37c7ff659a
Instruction ID: eb774b62ccc9eacdfc18479868cb3dafbb33bc97a8c786af79a915ba7d3c58cb
Opcode Fuzzy Hash: 691bfc8bd2fcaedfd429b81094c924810f278b05e5e70aaeb058ed37c7ff659a
Instruction Fuzzy Hash: 11F0BB716443146FD3122BE59C8DF6F7ABCDBC4756B10013AB905D6242DAA4DC444569

Uniqueness

Uniqueness Score: -1.00%

Function 0042A56C Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042A573

Part of subcall function 00413129: CreateMutexA.KERNEL32(00000000,00000000,?,?,0041B1B5,00000000,00000000,E5C332AE,?,000001FF,00000000), ref: 00413140

Part of subcall function 00412ECD: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00412EE0

_malloc.LIBCMT ref: 0042A5AE

Part of subcall function 00437FAD: __FF_MSGBANNER.LIBCMT ref: 00437FD0
Part of subcall function 00437FAD: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00442DC2,?,00000001,?,0044340E,00000018,00469F50,0000000C,0044349D,?), ref: 00438025

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Strings

RINGBUFFER::RINGBUFFER this= %08x, xrefs: 0042A596
this->Data, xrefs: 0042A5C0
RINGBUFFER::RINGBUFFER done initsize=%d, xrefs: 0042A5CF
.\ringbuffers.cpp, xrefs: 0042A5BB

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CreateH_prolog3$AllocateErrorEventHeapLastMutex__snprintf_malloc_memset
String ID: .\ringbuffers.cpp$RINGBUFFER::RINGBUFFER done initsize=%d$RINGBUFFER::RINGBUFFER this= %08x$this->Data
API String ID: 3026233294-3410817464
Opcode ID: c16edfb47097b05c98aabe926c50eea792c003f11eb37df6f5e45664c7124d13
Instruction ID: 60276deae85f3eb243633ae50512ce527d7a1670b1042fdef742f0d234af60ce
Opcode Fuzzy Hash: c16edfb47097b05c98aabe926c50eea792c003f11eb37df6f5e45664c7124d13
Instruction Fuzzy Hash: 3BF081B4940744A6C230AF678C42E9B7AA89F99B04F10480FB95567243C7BC555487AD

Uniqueness

Uniqueness Score: -1.00%

Function 0043F7B6 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,0043F82B,00000000,0044B360,00000000,00000000,00000314,?,?,?,00489AB8,004437E6,00489AB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0043F7C3
TlsGetValue.KERNEL32(00000005,?,?,?,00489AB8,004437E6,00489AB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0043F7DA
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00489AB8,004437E6,00489AB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0043F7EF
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0043F80A

Strings

EncodePointer, xrefs: 0043F804
KERNEL32.DLL, xrefs: 0043F7EA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: EncodePointer$KERNEL32.DLL
API String ID: 1929421221-3682587211
Opcode ID: 78f8f6979186b759a6defa01c0b65d6cbf8acc87b97e787e0ef15f2f13502b66
Instruction ID: ba63afe6550cb095e9f57bfb73578da6876e209a6e1e7319751d66ba78354eba
Opcode Fuzzy Hash: 78f8f6979186b759a6defa01c0b65d6cbf8acc87b97e787e0ef15f2f13502b66
Instruction Fuzzy Hash: D3F0F634D00613AB96156B39EC1092B7BD59F48750F045233F828D3270DB28DC86C65E

Uniqueness

Uniqueness Score: -1.00%

Function 0043F82D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,0043F8DD,?,00438E66), ref: 0043F83A
TlsGetValue.KERNEL32(00000005,?,00438E66), ref: 0043F851
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00438E66), ref: 0043F866
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0043F881

Strings

DecodePointer, xrefs: 0043F87B
KERNEL32.DLL, xrefs: 0043F861

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: DecodePointer$KERNEL32.DLL
API String ID: 1929421221-629428536
Opcode ID: 7553fde912f5b0379eddec5e5413ebeacde4f7170e61886b0f52dd37bb8aaa5d
Instruction ID: c27569a25ca594739c79439225c609bfb4d0e5bd39ee184547f580c6e6036bf2
Opcode Fuzzy Hash: 7553fde912f5b0379eddec5e5413ebeacde4f7170e61886b0f52dd37bb8aaa5d
Instruction Fuzzy Hash: ABF09634D01713AB962D7B3ADC0496F3AE5AF48754F141172F918DB271EB24CC45865E

Uniqueness

Uniqueness Score: -1.00%

Function 0041D9B9 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 338COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041D9DB

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

_memset.LIBCMT ref: 0041DB8F

Part of subcall function 00415B53: KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00415B5A

Part of subcall function 004107B9: __EH_prolog3.LIBCMT ref: 004107C0
Part of subcall function 004107B9: _strpbrk.LIBCMT ref: 00410829
Part of subcall function 004107B9: _strlen.LIBCMT ref: 00410835

Part of subcall function 0040F9F8: _strlen.LIBCMT ref: 0040FA08
Part of subcall function 0040F9F8: _strlen.LIBCMT ref: 0040FA13
Part of subcall function 0040F9F8: _strncpy.LIBCMT ref: 0040FAA9

Part of subcall function 004107B9: _strpbrk.LIBCMT ref: 00410809

Part of subcall function 0041036C: __EH_prolog3.LIBCMT ref: 00410373
Part of subcall function 0041036C: _strlen.LIBCMT ref: 004103B5
Part of subcall function 0041036C: _strlen.LIBCMT ref: 004103E2

Part of subcall function 00415A8E: SetWindowTextA.USER32(?,00000000), ref: 00415A95

Part of subcall function 004157DA: __EH_prolog3.LIBCMT ref: 004157E1

Part of subcall function 00415A9E: __EH_prolog3.LIBCMT ref: 00415AA5
Part of subcall function 00415A9E: GetWindowTextLengthA.USER32(?), ref: 00415AB7
Part of subcall function 00415A9E: GetWindowTextA.USER32(?,00000000,00000001), ref: 00415AEC

Part of subcall function 00413EF6: __EH_prolog3.LIBCMT ref: 00413EFD
Part of subcall function 00413EF6: MessageBoxA.USER32(?,?,?,00010010), ref: 00413F9E

Strings

Internet Connection|Please press OK when an Internet connection is available|Sending mail ...|Your mail has been sent. Thank you!|Error: |An error occurred ($error)!Please try the send button again or use fax/mail or your own email program to send the text.|, xrefs: 0041DA00
Internet Verbindung|Bitte klicken Sie auf OK, wenn Sie eine Internetverbindung hergestellt haben.|Sende eMail ...|Die eMail wurde verschickt. Vielen Dank!|Fehler: |Es ist ein Fehler aufgetreten ($error).Bitte versuchen Sie es noch einmal oder schicken Sie de, xrefs: 0041D9F9, 0041DA0A
$error, xrefs: 0041DCE4

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strlen$TextWindow$_strpbrk$CallbackDispatcherLengthMessageUser_memset_strncpy
String ID: $error$Internet Connection|Please press OK when an Internet connection is available|Sending mail ...|Your mail has been sent. Thank you!|Error: |An error occurred ($error)!Please try the send button again or use fax/mail or your own email program to send the text.|$Internet Verbindung|Bitte klicken Sie auf OK, wenn Sie eine Internetverbindung hergestellt haben.|Sende eMail ...|Die eMail wurde verschickt. Vielen Dank!|Fehler: |Es ist ein Fehler aufgetreten ($error).Bitte versuchen Sie es noch einmal oder schicken Sie de
API String ID: 1921037477-3312823702
Opcode ID: 201e55647b85cbe85f011bd561868eb8c9cd43ba809ca8e9309975d83fd8c0ed
Instruction ID: 9c34e24e1fafd2b7af548349b6014d16ffe58b465e0a3a1266d0b7652947e573
Opcode Fuzzy Hash: 201e55647b85cbe85f011bd561868eb8c9cd43ba809ca8e9309975d83fd8c0ed
Instruction Fuzzy Hash: D3E18270C0428CEEDB15EBA5D855BDDBBB4AF24308F14409EE505B32C2EB781B88DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040B683 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 313COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B69F

Part of subcall function 00411530: __EH_prolog3.LIBCMT ref: 00411537
Part of subcall function 00411530: _memset.LIBCMT ref: 00411552
Part of subcall function 00411530: _strlen.LIBCMT ref: 00411589

Part of subcall function 00410A1E: _strerror.LIBCMT ref: 00410A39

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 004136A5: __EH_prolog3_GS.LIBCMT ref: 004136AF
Part of subcall function 004136A5: LoadStringA.USER32(?,?,?,00000100), ref: 00413706

Part of subcall function 00419AB4: __EH_prolog3.LIBCMT ref: 00419ABB
Part of subcall function 00419AB4: _strncpy.LIBCMT ref: 00419AF9

Part of subcall function 00435AB2: _malloc.LIBCMT ref: 00435ACA

Strings

12#, xrefs: 0040B926, 0040B97A
11#, xrefs: 0040B8F5, 0040B952, 0040B9AF, 0040B9DD, 0040B9E2, 0040BA0A
21#, xrefs: 0040B8C0
admin.ini, xrefs: 0040B6A7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strlen$H_prolog3_LoadString_malloc_memset_strerror_strncpy
String ID: 11#$12#$21#$admin.ini
API String ID: 3746180839-1320473499
Opcode ID: 3bf0b471778d8687ad661272e2520b19e3744863ce132c1550439dda0792a882
Instruction ID: afe8ec872672cff4f518f5bafc6e6aba2a9f1333596383b5dc3460346b58a39e
Opcode Fuzzy Hash: 3bf0b471778d8687ad661272e2520b19e3744863ce132c1550439dda0792a882
Instruction Fuzzy Hash: 42C18470604288EEDB14EBA5C855BEE77A49F15308F1040BFF549A72C2EB7C9A48CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0042E0B8 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 289COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 0042E44A
_fprintf.LIBCMT ref: 0042E483

Part of subcall function 0042DE0E: _fprintf.LIBCMT ref: 0042DE40
Part of subcall function 0042DE0E: _fprintf.LIBCMT ref: 0042DE4B

Strings

error: -fn or any combination of -c, -l, -p, -t, -u and -v options invalid, xrefs: 0042E43C
caution: both -n and -o specified; ignoring -o, xrefs: 0042E475
WB, xrefs: 0042E0B9, 0042E0C0

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fprintf
String ID: WB$caution: both -n and -o specified; ignoring -o$error: -fn or any combination of -c, -l, -p, -t, -u and -v options invalid
API String ID: 1654120334-1152980988
Opcode ID: a61096ebf6b061a8d51918fe0e82c37f1b67eea1da549e3ddd192fc206473ec9
Instruction ID: 096d3f3f7106010d2c9ebe244c24dfb0a2d57159b6a5b43e4e1092aab57de0bb
Opcode Fuzzy Hash: a61096ebf6b061a8d51918fe0e82c37f1b67eea1da549e3ddd192fc206473ec9
Instruction Fuzzy Hash: 95A1297070D230CB8725DF26BDA413D7A62B644B197B84C7FE81286361D278E991CF9E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E9D0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 235COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041E9EC

Part of subcall function 0041E587: GetKeyState.USER32(00000010), ref: 0041E5F9

_fprintf.LIBCMT ref: 0041EA6A

Strings

FIXME: %s, xrefs: 0041EA4F, 0041EA54, 0041EA60
handle WM_UNICHAR under Windows, xrefs: 0041EA47, 0041EA4E, 0041EA5F
WM_KEY msg= %04x, mp1= %08x, mp2= %08x, scan= %02x, ext= %d, xrefs: 0041EA8E

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: State_fprintf_memset
String ID: FIXME: %s$WM_KEY msg= %04x, mp1= %08x, mp2= %08x, scan= %02x, ext= %d$handle WM_UNICHAR under Windows
API String ID: 3675406223-1317379654
Opcode ID: d74aadd1e4d733080e14daebd2956328a1731977608f07d8d27f6a322403b6e4
Instruction ID: e768970d106e4c91be72cf9dbf2adc9a8afe70aa6acd721e4b63331690f8f0b1
Opcode Fuzzy Hash: d74aadd1e4d733080e14daebd2956328a1731977608f07d8d27f6a322403b6e4
Instruction Fuzzy Hash: 2D81E675A047059BDB248FAAC8856EBB7E1EF44314F08492FEDA2C7341D778E980C758

Uniqueness

Uniqueness Score: -1.00%

Function 004177C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 173COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004177CC
GetWindowLongA.USER32(?,000000EC), ref: 0041795A

Strings

0, xrefs: 00417922
Button, xrefs: 004178AC, 004178B1, 004178C8
0, xrefs: 004179BC

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3LongWindow
String ID: 0$0$Button
API String ID: 92005281-1714651067
Opcode ID: 30daf967e5d3ec3f327cc8d3b2a585c5c54cf4bdd992573385112d33685956c8
Instruction ID: f9eef8677aa6aa962eaef2c3239c1eb1329c90a0634d631a65af765570889981
Opcode Fuzzy Hash: 30daf967e5d3ec3f327cc8d3b2a585c5c54cf4bdd992573385112d33685956c8
Instruction Fuzzy Hash: 1C61A070904209DFDF14DFA9C984AEEB7B1FF08314F14852EE815AB281DB38A984CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00416B4E Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00416B55

Part of subcall function 004157DA: __EH_prolog3.LIBCMT ref: 004157E1

Part of subcall function 00415EEF: GetWindowRect.USER32(?,?), ref: 00415F12
Part of subcall function 00415EEF: GetWindow.USER32(?,00000004), ref: 00415F34
Part of subcall function 00415EEF: ScreenToClient.USER32(?,?), ref: 00415F4A
Part of subcall function 00415EEF: ScreenToClient.USER32(?,?), ref: 00415F51

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

IsWindowVisible.USER32(?), ref: 00416B96
IsChild.USER32(?,?), ref: 00416BC3

Strings

!is_child, xrefs: 00416BE2
.\windows_win32.cpp, xrefs: 00416BDD

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3Window$ClientScreen$ChildRectVisible
String ID: !is_child$.\windows_win32.cpp
API String ID: 2713898942-2306415184
Opcode ID: ec3dcbdab865bd89314bd79e2644ad3db03272f4c4a0ffe8748b2caef552ab92
Instruction ID: dc47cee0c42234229bcebdcca75c876e037ab9719c15de2778af4e1199d92ca4
Opcode Fuzzy Hash: ec3dcbdab865bd89314bd79e2644ad3db03272f4c4a0ffe8748b2caef552ab92
Instruction Fuzzy Hash: 59515B72D0060ADFCF04DFE9C9859EEBBB5EF94304F14412AE415B7250EB789A45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00411530 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00411537
_memset.LIBCMT ref: 00411552

Part of subcall function 004114D2: __EH_prolog3.LIBCMT ref: 004114D9

_strlen.LIBCMT ref: 00411589

Strings

DGE, xrefs: 00411628
FILENAME::FILENAME returns %s, xrefs: 0041167E

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_memset_strlen
String ID: DGE$FILENAME::FILENAME returns %s
API String ID: 345007730-4005537505
Opcode ID: 917cf2e3414a9278fa0a61da6fa83426ae03fb43cd2244fe44389f72d7384a27
Instruction ID: 8a1c50ba78706162bb1faec0069ee038fe14a2aceba1f2b9f5775c9c42657627
Opcode Fuzzy Hash: 917cf2e3414a9278fa0a61da6fa83426ae03fb43cd2244fe44389f72d7384a27
Instruction Fuzzy Hash: FD418E71800148EACF15EBA1C846ADDBB74AF14318F54406FF549B3192EF785BC9CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041F202 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041F221

Part of subcall function 00415786: __EH_prolog3_GS.LIBCMT ref: 0041578D
Part of subcall function 00415786: _sprintf.LIBCMT ref: 004157B5
Part of subcall function 00415786: _strlen.LIBCMT ref: 004157C2

_memset.LIBCMT ref: 0041F2D4
_sprintf.LIBCMT ref: 0041F2E9
WinHelpA.USER32(?,?,00000001,00000000), ref: 0041F316

Strings

%s::html/topic-%s.html, xrefs: 0041F2E3

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _sprintf$H_prolog3H_prolog3_Help_memset_strlen
String ID: %s::html/topic-%s.html
API String ID: 678899315-893373604
Opcode ID: 6076742ef0bce9f93ff25775f843d21866f177776743bbd7d3c63eab635160ec
Instruction ID: 13c53edef6d89de701011545681f6c86154e37ded6a0936ee3eaa759288994f8
Opcode Fuzzy Hash: 6076742ef0bce9f93ff25775f843d21866f177776743bbd7d3c63eab635160ec
Instruction Fuzzy Hash: 9B41D476900209AFDB10DFA5DC419EEB7B5FF48304F10453FE855A2291EB78AA498B28

Uniqueness

Uniqueness Score: -1.00%

Function 00414225 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041422C

Part of subcall function 00418F66: _memset.LIBCMT ref: 00418FAD
Part of subcall function 00418F66: _sprintf.LIBCMT ref: 00418FCA

_strlen.LIBCMT ref: 00414279
_strlen.LIBCMT ref: 004142B3

Strings

<NULL>, xrefs: 0041430D, 00414312
GetArgValue("%s", %d) returned %s, xrefs: 00414319

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strlen$H_prolog3_memset_sprintf
String ID: <NULL>$GetArgValue("%s", %d) returned %s
API String ID: 72350670-3048475594
Opcode ID: db69bd9e8413aac07baaf68d363d272f648e7f104341835dbe2dd64d189e1c36
Instruction ID: 12fdf931854cdf2e9cce4993750bc04e3f1011e5d6afc1ed80f165252957f54a
Opcode Fuzzy Hash: db69bd9e8413aac07baaf68d363d272f648e7f104341835dbe2dd64d189e1c36
Instruction Fuzzy Hash: FD31D570900209AFDF04EF95C841AEE7765AF48348F50816BFC55AB242DB3C9EC19759

Uniqueness

Uniqueness Score: -1.00%

Function 00418E3F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00418E46
_memset.LIBCMT ref: 00418E77

Strings

this->ppItems, xrefs: 00418EE8
pLock, xrefs: 00418EB0
w:\zaphod\dynarray.cpp, xrefs: 00418EAA, 00418EAF, 00418EE7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3_memset
String ID: pLock$this->ppItems$w:\zaphod\dynarray.cpp
API String ID: 2828583354-3357673720
Opcode ID: 874585fc2eeb194273d5a969465b740e2ffdf8a2a84b04535de2d7f5012e0887
Instruction ID: e45ba8112b30d06d6859e6e2839f0ba14e51f78c3b463013e6655bd95b9ecfd8
Opcode Fuzzy Hash: 874585fc2eeb194273d5a969465b740e2ffdf8a2a84b04535de2d7f5012e0887
Instruction Fuzzy Hash: B6219570600704ABC720EF3A8C46A5BB7F4EF88714F105A1FB996CB6D2DB78A5408B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040956F Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409576

Part of subcall function 004091AF: __EH_prolog3.LIBCMT ref: 004091BD
Part of subcall function 004091AF: CopyFileA.KERNEL32(?,?,00000000), ref: 004092E6
Part of subcall function 004091AF: RegCreateKeyA.ADVAPI32(80000001,Software\Enterprise Alternatives\REXX\ExecOptions,?), ref: 0040931A

Strings

ZOC4, xrefs: 004095CB
SETUP::NewSetupHookZOC %d %d %08x, xrefs: 00409586
Software\EmTec, xrefs: 004095D0
HomePath, xrefs: 00409608

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$CopyCreateFile
String ID: HomePath$SETUP::NewSetupHookZOC %d %d %08x$Software\EmTec$ZOC4
API String ID: 622284977-544688503
Opcode ID: ae13c6f652ef42a490c4ed59e44451ede347059b3135657b1d8e280f5ccf8e67
Instruction ID: f9f5c1ad60773d94c24eaa760446d61a0429618ae0601ae725dc4a31e7a649eb
Opcode Fuzzy Hash: ae13c6f652ef42a490c4ed59e44451ede347059b3135657b1d8e280f5ccf8e67
Instruction Fuzzy Hash: B9219371901148EADB10EBA5C846BDEB7A4AF15309F10803BE855B72D3DB7D4E48CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040B307 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040B376
_memset.LIBCMT ref: 0040B3A7

Strings

steps[idadv].idstep==STEPADV, xrefs: 0040B3E7
.\zocsetuphook5.cpp, xrefs: 0040B35F, 0040B3E2
steps[idend+1].idstep==STEPFINISH, xrefs: 0040B364

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset
String ID: .\zocsetuphook5.cpp$steps[idadv].idstep==STEPADV$steps[idend+1].idstep==STEPFINISH
API String ID: 2102423945-464871554
Opcode ID: dbcc74edadbb90bcfeb9bed0d2a11cbc74ed60c68fb40292e4cbd60504a41472
Instruction ID: 2fff76e6eb05731a4d913eeede60c4a985dcf8d79a56dd537ca24bd789a56fe2
Opcode Fuzzy Hash: dbcc74edadbb90bcfeb9bed0d2a11cbc74ed60c68fb40292e4cbd60504a41472
Instruction Fuzzy Hash: 3221F571600718ABD3305E65CC46F177AE8EB41B48F11852EE495AF1C2E7BCF5098AAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD5D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040DDCC
_memset.LIBCMT ref: 0040DDFD

Strings

steps[idadv].idstep==STEPADV, xrefs: 0040DE3D
.\zocsetuphook6.cpp, xrefs: 0040DDB5, 0040DE38
steps[idend+1].idstep==STEPFINISH, xrefs: 0040DDBA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset
String ID: .\zocsetuphook6.cpp$steps[idadv].idstep==STEPADV$steps[idend+1].idstep==STEPFINISH
API String ID: 2102423945-3035875556
Opcode ID: ceb3b327a207077c8f717154f6d33d783095b824123a93caad11fd906f66a196
Instruction ID: 596ec1e4c295d165a17bd61f421f2f054214d22db711b1db528d0d2b92fabb35
Opcode Fuzzy Hash: ceb3b327a207077c8f717154f6d33d783095b824123a93caad11fd906f66a196
Instruction Fuzzy Hash: 3B212575600B19ABD3305F66CD46F13BAE8EB41B48F01452EF1859F1D2EBBCF5098A98

Uniqueness

Uniqueness Score: -1.00%

Function 0041E378 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041E37F

Strings

idx!=-1, xrefs: 0041E42D
codepage :, xrefs: 0041E400
@, xrefs: 0041E391
.\unicode.cpp, xrefs: 0041E428

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3
String ID: .\unicode.cpp$@$codepage :$idx!=-1
API String ID: 431132790-1150001723
Opcode ID: 56bdca53509f6e34d620b277ddba94b591fb3deccf621d714dca7b8e49d317e5
Instruction ID: 8cec4bd3716cc5d9eb3ca108cecf5f9cfcb4a181d9e27e57d8822f5923dd7029
Opcode Fuzzy Hash: 56bdca53509f6e34d620b277ddba94b591fb3deccf621d714dca7b8e49d317e5
Instruction Fuzzy Hash: 1C214C75C04248EADB14DB66CC41AEEBA74AF15310F14412FFC2AA72C2D77C4A85C76D

Uniqueness

Uniqueness Score: -1.00%

Function 00417AFB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00417B02

Part of subcall function 00435AB2: _malloc.LIBCMT ref: 00435ACA

GetWindowLongA.USER32(000000FF,000000F0), ref: 00417B7C
SendMessageA.USER32(?,00000111,000000FF,000000FF), ref: 00417BD0

Strings

this->pEntry->IsValid(), xrefs: 00417B4E
.\datadialogitems.cpp, xrefs: 00417B49

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3LongMessageSendWindow_malloc
String ID: .\datadialogitems.cpp$this->pEntry->IsValid()
API String ID: 3467418004-2355480350
Opcode ID: f9e2483cd78ed716e27f7cfbb380491c142fd5672d1f132d75a3353a0d0584de
Instruction ID: 6f574082869952781a5ebb455b2776b6e9d8d2c047dbf4dc4cb87feecc712ef9
Opcode Fuzzy Hash: f9e2483cd78ed716e27f7cfbb380491c142fd5672d1f132d75a3353a0d0584de
Instruction Fuzzy Hash: E721A030600604EFDB14EB60CE52FAAB7B0FF08714F10451EF5925A5E1DB74B940CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0043B67D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0043B69F
__calloc_crt.LIBCMT ref: 0043B6B8

Strings

pF, xrefs: 0043B6E4
`F, xrefs: 0043B721
`+I, xrefs: 0043B6CF

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __calloc_crt
String ID: `+I$`F$pF
API String ID: 3494438863-3061008820
Opcode ID: da54c212f999bbabac67be0ea5351d6c4e463e170d3d41e0d366f442cd082f33
Instruction ID: 0c4de7b76ce9f95e08e11255aaa9d935cf6f43754d59ace7ea60784fce0d15fc
Opcode Fuzzy Hash: da54c212f999bbabac67be0ea5351d6c4e463e170d3d41e0d366f442cd082f33
Instruction Fuzzy Hash: 2D11E7317041105BE7248E1EAC9176623C1EB9D338F24153BE711CB3E6F778984146CE

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F300
__snprintf.LIBCMT ref: 0040F31F

Strings

i= %d, len= %d, buf= %s, xrefs: 0040F318
i>=0 && i<=this->StrLen, xrefs: 0040F34B
.\strings.cpp, xrefs: 0040F346

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __snprintf_memset
String ID: .\strings.cpp$i= %d, len= %d, buf= %s$i>=0 && i<=this->StrLen
API String ID: 2657849664-1422967550
Opcode ID: 8995b4493cbd3003b91dd34e560aabe20de90ec6b5e57a1ce0a540261ff56208
Instruction ID: 512fea7eed35b026762aeb55c2721cb033d8d4dd096ce83e814955ebc844d963
Opcode Fuzzy Hash: 8995b4493cbd3003b91dd34e560aabe20de90ec6b5e57a1ce0a540261ff56208
Instruction Fuzzy Hash: 6C110A72600204ABC730DB59CC83F9BB3A9DB94705F1004BFEA85A31C1E6B8BA48875D

Uniqueness

Uniqueness Score: -1.00%

Function 0040EEBD Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040EEFD
__snprintf.LIBCMT ref: 0040EF1C

Strings

i= %d, len= %d, buf= %s, xrefs: 0040EF15
.\strings.cpp, xrefs: 0040EF40
i>=0 && i<this->StrLen, xrefs: 0040EF45

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __snprintf_memset
String ID: .\strings.cpp$i= %d, len= %d, buf= %s$i>=0 && i<this->StrLen
API String ID: 2657849664-3622733328
Opcode ID: 4164cf76af41d6e61835b7333bf3cad46faa4ae67cd5518c8cb18aa7027611e3
Instruction ID: c1c4717ba1deb29c4ccdcd318fe5fa69b1e8226971ef9499636f007e14e3c859
Opcode Fuzzy Hash: 4164cf76af41d6e61835b7333bf3cad46faa4ae67cd5518c8cb18aa7027611e3
Instruction Fuzzy Hash: 69110D72600245BBC720DB56CC46F9B77E9DBA4704F10047FF645A31C1E6B8B954875D

Uniqueness

Uniqueness Score: -1.00%

Function 004206C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004206C7

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 00412F1B: CloseHandle.KERNEL32 ref: 00412F39
Part of subcall function 00412F1B: _sprintf.LIBCMT ref: 00412F64

Part of subcall function 00419FDE: __EH_prolog3.LIBCMT ref: 00419FE5

Part of subcall function 0042A5E6: __EH_prolog3.LIBCMT ref: 0042A5ED

Strings

BASEIO::~BASEIO done, xrefs: 0042070A
!this->hThread, xrefs: 004206FF
BASEIO::~BASEIO this= %08x, xrefs: 004206D8
.\ios.cpp, xrefs: 004206FA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$CloseErrorHandleLast__snprintf_memset_sprintf
String ID: !this->hThread$.\ios.cpp$BASEIO::~BASEIO done$BASEIO::~BASEIO this= %08x
API String ID: 3159177082-818480339
Opcode ID: b2d58e171299f4ba82b23e623e3030569a0da8622aa21eb34cf327dfcbfc110d
Instruction ID: 6340c3160d59d35780094ffaf8aba297117d6b39cd3fe46aeaec5f60510ce277
Opcode Fuzzy Hash: b2d58e171299f4ba82b23e623e3030569a0da8622aa21eb34cf327dfcbfc110d
Instruction Fuzzy Hash: 7F215634405784EED714EBB2C6067DDBBE05F15308F50445FA89A636C3EBBC6708CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 00418F66 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00413B91: GetCurrentThreadId.KERNEL32 ref: 00413B9A

_memset.LIBCMT ref: 00418FAD
_sprintf.LIBCMT ref: 00418FCA

Strings

i= %d, max= %d, count= %d, type= %s, this= %08x, xrefs: 00418FC4
w:\zaphod\dynarray.cpp, xrefs: 00418FDD
FALSE, xrefs: 00418FE2

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CurrentThread_memset_sprintf
String ID: FALSE$i= %d, max= %d, count= %d, type= %s, this= %08x$w:\zaphod\dynarray.cpp
API String ID: 2028706086-1356527501
Opcode ID: 4db7cc12cfe11d69bf3cf7f8c89acb9cbc980ed4722278d66bcd8959bfa80975
Instruction ID: f20ba1270379a6e6c0a5119e00d6c0cb058937d857dc91138b6bffa832d9d98a
Opcode Fuzzy Hash: 4db7cc12cfe11d69bf3cf7f8c89acb9cbc980ed4722278d66bcd8959bfa80975
Instruction Fuzzy Hash: 58110A71600704AFCB20DB56CC42FEAB3F9EF48704F00055EFA4AA31C1DAB4BA858B59

Uniqueness

Uniqueness Score: -1.00%

Function 0041036C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00410373

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 0040F07D: _getenv.LIBCMT ref: 0040F08B

_strlen.LIBCMT ref: 004103B5

Part of subcall function 0040F5EB: _memset.LIBCMT ref: 0040F666

_strlen.LIBCMT ref: 004103E2

Strings

STR::op2||, xrefs: 00410394
STR::op1||, xrefs: 004103C9

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strlen$H_prolog3$_getenv_memset
String ID: STR::op1||$STR::op2||
API String ID: 1485478962-2685297015
Opcode ID: ef72367aec2ff0931805c4fe9819b16540aee9fcba578dfe8262c56365018785
Instruction ID: 60dabbe90debc945d5002b5635343102b0137e0b0f789cc8c210a9595fb263d8
Opcode Fuzzy Hash: ef72367aec2ff0931805c4fe9819b16540aee9fcba578dfe8262c56365018785
Instruction Fuzzy Hash: 4411C4B5500645EFDB14EF65CC42E9DB7A4FF08304F10442EF954A7292CBB9A920CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00413018 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(E5C332AE), ref: 00413036
_sprintf.LIBCMT ref: 00413065

Strings

.\osys_win32.cpp, xrefs: 00413077
handle= %08x, xrefs: 0041305F
EVENTSEM::Reset %08x, xrefs: 00413044

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: EventReset_sprintf
String ID: .\osys_win32.cpp$EVENTSEM::Reset %08x$handle= %08x
API String ID: 4082095451-2018138586
Opcode ID: 76ef0f45cb23bcddd2f1792fed8b0a90b259dbf5bad63ba02035bb6336ffc56c
Instruction ID: d94c7ed7f6fdf0f5d96fd897d5af5ce770cd9b9c87e73ddb0f3d6059af4f65f0
Opcode Fuzzy Hash: 76ef0f45cb23bcddd2f1792fed8b0a90b259dbf5bad63ba02035bb6336ffc56c
Instruction Fuzzy Hash: 5CF0AE71600208B7DB209F659C42F9777F8EB4CB09F20056FFD45D2142EA7D9B948659

Uniqueness

Uniqueness Score: -1.00%

Function 00412F1B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00412F39
_sprintf.LIBCMT ref: 00412F64

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Strings

EVENTSEM::~EVENTSEM deleted %08x, ok= %d, xrefs: 00412F44
.\osys_win32.cpp, xrefs: 00412F76
handle= %08x, xrefs: 00412F5E

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CloseErrorH_prolog3HandleLast__snprintf_memset_sprintf
String ID: .\osys_win32.cpp$EVENTSEM::~EVENTSEM deleted %08x, ok= %d$handle= %08x
API String ID: 1014848641-3216442996
Opcode ID: 70edb8e33dd6908fa364538e4e2620180a931327247fdfe45b5c17bd1d6fd15a
Instruction ID: c2d99f177c426646260f820fd7e19b2ab95558c2383cbdb9ef046ea5d3bd55af
Opcode Fuzzy Hash: 70edb8e33dd6908fa364538e4e2620180a931327247fdfe45b5c17bd1d6fd15a
Instruction Fuzzy Hash: B4F0A971600209BBD710AB659D83FA6B3ECEB48709F10056FFE45A2143FAB89E544B59

Uniqueness

Uniqueness Score: -1.00%

Function 00412F98 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

SetEvent.KERNEL32(E5C332AE), ref: 00412FB6
_sprintf.LIBCMT ref: 00412FE5

Strings

EVENTSEM::Set %08x, xrefs: 00412FC4
.\osys_win32.cpp, xrefs: 00412FF7
handle= %08x, xrefs: 00412FDF

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Event_sprintf
String ID: .\osys_win32.cpp$EVENTSEM::Set %08x$handle= %08x
API String ID: 353398720-69362834
Opcode ID: 32c500ccc66fdc2c287ac44424d8c74011421b9fc8b017024c568fb597c5c4a2
Instruction ID: 3b2b1698dbbb60b6f3c7793db131bfab74fc0f16789d933d2feed75ab0e2c44e
Opcode Fuzzy Hash: 32c500ccc66fdc2c287ac44424d8c74011421b9fc8b017024c568fb597c5c4a2
Instruction Fuzzy Hash: FBF0FE31600208B7DB109F259D03E9677F8EB48709F20056FFD45D3141EA789A55865A

Uniqueness

Uniqueness Score: -1.00%

Function 0042054C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

_strlen.LIBCMT ref: 00420596

Strings

BASEIO::~Write ok %d, xrefs: 004205AB
!this->IsDead, xrefs: 0042057F
BASEIO::Write len %d, xrefs: 00420554
.\ios.cpp, xrefs: 0042057A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ErrorH_prolog3Last__snprintf_memset_strlen
String ID: !this->IsDead$.\ios.cpp$BASEIO::Write len %d$BASEIO::~Write ok %d
API String ID: 675196462-3145454701
Opcode ID: 192d3d0272a63c8116819c15512a63b16ced424929c6cf483f2043762602a862
Instruction ID: 8137e6a62985864a26a4c95a0edfc0201d3bcdc743f6102979146f9cd836a11b
Opcode Fuzzy Hash: 192d3d0272a63c8116819c15512a63b16ced424929c6cf483f2043762602a862
Instruction Fuzzy Hash: 4AF0FC72B003143BD21496769C86F4BE6DCEB88B65F20451BF958D31D2C6AC8D944669

Uniqueness

Uniqueness Score: -1.00%

Function 00413B91 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00413B9A
WaitForSingleObject.KERNEL32(80000000,?,?,?,0041B208,000000FF,E5C332AE,?,000001FF,00000000), ref: 00413BBD

Strings

rc!=WAIT_FAILED, xrefs: 00413BE0
.\osys_win32.cpp, xrefs: 00413BDB
MUTEXSEM::Obtain %08x rc= %d, xrefs: 00413BF2

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CurrentObjectSingleThreadWait
String ID: .\osys_win32.cpp$MUTEXSEM::Obtain %08x rc= %d$rc!=WAIT_FAILED
API String ID: 1728940165-2940198759
Opcode ID: f04b02d4c04b9a46c8138a4f4e63251a19cbb49995f4667f0e053d7091ea9efa
Instruction ID: 7ac1601291d1e4ea4763dc4eaad7b8eb027d721fc41f4ef636dffd389fdaf4bc
Opcode Fuzzy Hash: f04b02d4c04b9a46c8138a4f4e63251a19cbb49995f4667f0e053d7091ea9efa
Instruction Fuzzy Hash: 45F0F4326443006AD6302A298C03F9732508B80F2BF24471BFD65521C3EABD95D4819E

Uniqueness

Uniqueness Score: -1.00%

Function 00415836 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00415853
TranslateMessage.USER32(?), ref: 00415870
DispatchMessageA.USER32(?), ref: 0041587A

Strings

WINDOWS::WinProcessMessages dispatch msg= %04x, xrefs: 00415860
WINDOWS::WinProcessMessages done after n=%d messages, xrefs: 00415886

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID: WINDOWS::WinProcessMessages dispatch msg= %04x$WINDOWS::WinProcessMessages done after n=%d messages
API String ID: 4217535847-3848425184
Opcode ID: 75b936ab9cbf9d5dbbf55122d6970ff454331e3a75ada69a46ba9dd1428f51bc
Instruction ID: db428cbbdce8c7a0b98c2122dd6aa2bb695b4eddca7431ea60fdd30af90fbf80
Opcode Fuzzy Hash: 75b936ab9cbf9d5dbbf55122d6970ff454331e3a75ada69a46ba9dd1428f51bc
Instruction Fuzzy Hash: D9F068327403086BCA1476D6AC0AFDB7B6CDBC0755F100127B914E61A1DA64D58586A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041322E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 41synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,00000000,00001FE0), ref: 00413247
_sprintf.LIBCMT ref: 00413273

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Strings

.\osys_win32.cpp, xrefs: 00413285
handle= %08x, xrefs: 0041326D
MUTEXSEM::Release %08x rc= %d, xrefs: 00413252

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ErrorH_prolog3LastMutexRelease__snprintf_memset_sprintf
String ID: .\osys_win32.cpp$MUTEXSEM::Release %08x rc= %d$handle= %08x
API String ID: 121452875-1120723028
Opcode ID: 86bc1b1238403b08553dc040db612b85cb2d97c30f2673519885556a0f36e85a
Instruction ID: dcf0f8e720bd79b986d49e3e671890e01b75ad3c3035fe7ecbbb76d7c3fb7d18
Opcode Fuzzy Hash: 86bc1b1238403b08553dc040db612b85cb2d97c30f2673519885556a0f36e85a
Instruction Fuzzy Hash: 7DF04231500208BBDB10AF51DC03E6BB7B8FF44709F10056FFE4592142FEB85A548B55

Uniqueness

Uniqueness Score: -1.00%

Function 0043E1CA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000003,C:/Program Files (x86)/ZOC5/zocdll.dll,0042F26C,C:/Program Files (x86)/ZOC5/zocdll.dll,00000180,00454616,004303E5,0048A840,00000000,?,-001FD774,00000003,00430F6C,0028A470,0048A840,00000000), ref: 0043E1FB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0042EA9E), ref: 0043E206
__dosmaperr.LIBCMT ref: 0043E20D
SetFileAttributesA.KERNEL32(00000080,00000000), ref: 0043E229

Strings

C:/Program Files (x86)/ZOC5/zocdll.dll, xrefs: 0043E1CA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: AttributesFile$ErrorLast__dosmaperr
String ID: C:/Program Files (x86)/ZOC5/zocdll.dll
API String ID: 2189404394-1882927899
Opcode ID: 17bae2e7bd6b3667ced451c9fe3d9d534616a6418ca68a633bd979166d18d44c
Instruction ID: 173b44f6716a8a2978bcdeb479b11bc5747f3e7daf29264a7a62d54c1b5c922a
Opcode Fuzzy Hash: 17bae2e7bd6b3667ced451c9fe3d9d534616a6418ca68a633bd979166d18d44c
Instruction Fuzzy Hash: 27F0BB314157105ECB212776FC0815F7AA8AF49335F11579FF435841E1CB38C8C296AE

Uniqueness

Uniqueness Score: -1.00%

Function 00419BAA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00419BB1

Part of subcall function 00419A87: _strncpy.LIBCMT ref: 00419AA6

_strncpy.LIBCMT ref: 00419BFF
_strncpy.LIBCMT ref: 00419C0F

Strings

HASH-VALUES, xrefs: 00419C09
HASH-KEYS, xrefs: 00419BF9

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strncpy$H_prolog3
String ID: HASH-KEYS$HASH-VALUES
API String ID: 2076106944-2114310471
Opcode ID: 9c149313f87c8ba310c89138958283295bede09598bab8939ddd6361fc600b67
Instruction ID: 1e3c385917c56e74a531bfb229d19b29238aff9c444daa2f81cb25a009ebf6d1
Opcode Fuzzy Hash: 9c149313f87c8ba310c89138958283295bede09598bab8939ddd6361fc600b67
Instruction Fuzzy Hash: EDF0F4715407449BD720FB61C802BAAB3A0AF0470AF50880EE686660C3D7BCA108CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004202B5 Relevance: 7.7, APIs: 5, Instructions: 156COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004202D4
_memset.LIBCMT ref: 00420309
_memset.LIBCMT ref: 00420318
_strlen.LIBCMT ref: 00420343
_strlen.LIBCMT ref: 0042035A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset_strlen$H_prolog3
String ID:
API String ID: 3537525069-0
Opcode ID: 9707db327c407fd8aff655006c3a27eb1da4d3f1c48d96ab2dff22b2726f873f
Instruction ID: db9023b8bfcef898495b4e3cf7bb46ad9aafd18f9c9a7240826ecdb89e0d5caf
Opcode Fuzzy Hash: 9707db327c407fd8aff655006c3a27eb1da4d3f1c48d96ab2dff22b2726f873f
Instruction Fuzzy Hash: 6B51317190029DAADB20EFA5DC45FEE77B8AF08304F50442AF909AB182D7789748CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00445E35 Relevance: 7.6, APIs: 5, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00445E4A

Part of subcall function 00443484: __mtinitlocknum.LIBCMT ref: 00443498
Part of subcall function 00443484: __amsg_exit.LIBCMT ref: 004434A4
Part of subcall function 00443484: EnterCriticalSection.KERNEL32(?,?,?,004388FB,00000004,004699E0,0000000C,00442E08,?,?,00000000,00000000,00000000,0043FA2F,00000001,00000214), ref: 004434AC

__mtinitlocknum.LIBCMT ref: 00445E8A
__malloc_crt.LIBCMT ref: 00445ECB
___crtInitCritSecAndSpinCount.LIBCMT ref: 00445EF0
EnterCriticalSection.KERNEL32(01FB2108,00469F90,00000010,00437E52,00469960,0000000C,00437ECC,?,?,00000040,0041B616,assert.log,0045C394,*** ASSERTION FAILED: %s,?,Unexpected condition encountered!Please contact us via our web site and provide the following information (logged in assert.log file in the program's installation folder):%sDo you want to try to continue with the program?), ref: 00445F1A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CriticalEnterSection__mtinitlocknum$CountCritInitSpin___crt__amsg_exit__lock__malloc_crt
String ID:
API String ID: 1486408876-0
Opcode ID: bc8077ca95eaaa6f2c25051dcd9f2ea0f087460fda62efb6ac1d49e15f4b54c3
Instruction ID: 9c732738d116a989652b71597d48b03d2f16e568c0a6f9448c0ef6d3a46295b0
Opcode Fuzzy Hash: bc8077ca95eaaa6f2c25051dcd9f2ea0f087460fda62efb6ac1d49e15f4b54c3
Instruction Fuzzy Hash: 7531A171504B019FEB21DF69E881A1AF3E4BF09324750452FF955872A2CB78A9428B4D

Uniqueness

Uniqueness Score: -1.00%

Function 00415EEF Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00415F12

Part of subcall function 00415E95: GetParent.USER32(?), ref: 00415EA0

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

GetWindow.USER32(?,00000004), ref: 00415F34
ScreenToClient.USER32(?,?), ref: 00415F4A
ScreenToClient.USER32(?,?), ref: 00415F51
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00415F5A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ClientScreenWindow$H_prolog3InfoParametersParentRectSystem
String ID:
API String ID: 1335048515-0
Opcode ID: f4e0342161b60231acd6b83092e2c4be86f57d33f61e5678952547996925d7eb
Instruction ID: 5455eaf42f18e1f9b49a892e85e58348147bfc2376e2858456f2031899c03375
Opcode Fuzzy Hash: f4e0342161b60231acd6b83092e2c4be86f57d33f61e5678952547996925d7eb
Instruction Fuzzy Hash: F101F572200608AFD7159B68DC85DEFB7BCDBC8708705402AF605EB211D624ED4587B9

Uniqueness

Uniqueness Score: -1.00%

Function 00419015 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041901C

Part of subcall function 00413B91: GetCurrentThreadId.KERNEL32 ref: 00413B9A

Strings

this->ItemCount<this->MaxItems, xrefs: 004190FD, 0041917B
pos>=0 && pos<=this->ItemCount, xrefs: 0041908E
w:\zaphod\dynarray.cpp, xrefs: 00419034, 0041908D, 004190FC, 0041917A

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CurrentH_prolog3Thread
String ID: pos>=0 && pos<=this->ItemCount$this->ItemCount<this->MaxItems$w:\zaphod\dynarray.cpp
API String ID: 2223909941-4203086300
Opcode ID: d0aada92f25d1444811cfb56568ca1ed085c66a3f8101c3109fcfc46cb2a557d
Instruction ID: 1cb47968d92c78fe2e31f2b3a52565716a9d1a003986b1c1890f9c4a4c8226e1
Opcode Fuzzy Hash: d0aada92f25d1444811cfb56568ca1ed085c66a3f8101c3109fcfc46cb2a557d
Instruction Fuzzy Hash: D751E730500205AFD714EF65C886AAEB7F0FF08304F20452FE456E7692DB78AE85CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00416909 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00416A02
GetDlgItem.USER32(?,00000320), ref: 00416A13
GetWindowTextA.USER32(00000000,?,0000007F), ref: 00416A2B

Strings

WM_INITDIALOG:RC=0, xrefs: 00416A37

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ItemTextWindow_memset
String ID: WM_INITDIALOG:RC=0
API String ID: 1363805667-2401051034
Opcode ID: 2b785b797a8f37fa97065fcc1de2d3d0c8b3fec044c29b22c57c681ec9b29369
Instruction ID: c8b58b8b5102f19a692cd0a486ce20b0e4178b46591b197dab5dac179df2cd82
Opcode Fuzzy Hash: 2b785b797a8f37fa97065fcc1de2d3d0c8b3fec044c29b22c57c681ec9b29369
Instruction Fuzzy Hash: 564122B36202095BDF389E588C89BFF7696EB45B00F26442BE221D6291D53CCDC9CA0D

Uniqueness

Uniqueness Score: -1.00%

Function 00411EE7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 131COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00411EF5
_strlen.LIBCMT ref: 00411F04

Part of subcall function 00418F66: _memset.LIBCMT ref: 00418FAD
Part of subcall function 00418F66: _sprintf.LIBCMT ref: 00418FCA

Part of subcall function 00411500: __EH_prolog3.LIBCMT ref: 00411507

Part of subcall function 00410E95: __EH_prolog3.LIBCMT ref: 00410E9C

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 0041036C: __EH_prolog3.LIBCMT ref: 00410373
Part of subcall function 0041036C: _strlen.LIBCMT ref: 004103B5
Part of subcall function 0041036C: _strlen.LIBCMT ref: 004103E2

Part of subcall function 004019E1: __EH_prolog3.LIBCMT ref: 004019E8

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Part of subcall function 0040F975: _strlen.LIBCMT ref: 0040F9B5
Part of subcall function 0040F975: _strncpy.LIBCMT ref: 0040F9D2

Part of subcall function 00411ADC: __EH_prolog3.LIBCMT ref: 00411AEA

Strings

source.Left(fromlen)==from, xrefs: 00411FB2
.\osysfile.cpp, xrefs: 00411FAD

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strlen$_memset$ErrorLast__snprintf_sprintf_strncpy
String ID: .\osysfile.cpp$source.Left(fromlen)==from
API String ID: 3319712024-763396992
Opcode ID: 975b5b7f618a4d456863e3ca30a9e8fe2a1f437e46541f599718c75d07f70dea
Instruction ID: 1e792a1f96d9ab4f687e47c8366de282afc3d2aa82305f71b1ce3f4b34665ec3
Opcode Fuzzy Hash: 975b5b7f618a4d456863e3ca30a9e8fe2a1f437e46541f599718c75d07f70dea
Instruction Fuzzy Hash: 3A418431800249EEDF15EFA1C946BDE7BA5AF14348F10416FF90563193EB785B48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410CF9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00410D00

Part of subcall function 00410F78: __EH_prolog3.LIBCMT ref: 00410F7F

Strings

FILENAME::ShellStringSet %s %s, xrefs: 00410D0C
.\osysfile.cpp, xrefs: 00410E78
didit, xrefs: 00410E7D

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3
String ID: .\osysfile.cpp$FILENAME::ShellStringSet %s %s$didit
API String ID: 431132790-2648371487
Opcode ID: 8bc42fe564b22c69223e1d338c17d1f9c8a543a87803c586f7ff65a632d636b3
Instruction ID: ba5503cb38dfe5d2f6f0bededccc95f52136ba64af3c53dbee7a9e2fd101c2a5
Opcode Fuzzy Hash: 8bc42fe564b22c69223e1d338c17d1f9c8a543a87803c586f7ff65a632d636b3
Instruction Fuzzy Hash: FA419771600208ABDB14EBA6CC42ADEB6B5AF44314F20053FF456B31D2DBBC5AC9C759

Uniqueness

Uniqueness Score: -1.00%

Function 00417E3D Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00417E44

Part of subcall function 00417A18: GetWindowLongA.USER32(?,000000F0), ref: 00417A3B
Part of subcall function 00417A18: GetWindowLongA.USER32(?,000000F0), ref: 00417A48

Part of subcall function 00435AB2: _malloc.LIBCMT ref: 00435ACA

Strings

this->pList->IsValid(), xrefs: 00417F48
ListBox, xrefs: 00417E9B
.\datadialogitems.cpp, xrefs: 00417F43

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: LongWindow$H_prolog3_malloc
String ID: .\datadialogitems.cpp$ListBox$this->pList->IsValid()
API String ID: 221057671-1743863370
Opcode ID: 2a5e1e03d2ef0f66874af27a0a66c7633635564500062f813ebc17176bf81cb5
Instruction ID: d7895bcde7722e29f28ffb1b1c5dd2d1bd61eaebb61629c3795b0e663168bae7
Opcode Fuzzy Hash: 2a5e1e03d2ef0f66874af27a0a66c7633635564500062f813ebc17176bf81cb5
Instruction Fuzzy Hash: B541E330608204AECB14EBB9CC41AEE77B0AF18314F20416FF516A76D2DB3C9A85D769

Uniqueness

Uniqueness Score: -1.00%

Function 0040F3EE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040F07D: _getenv.LIBCMT ref: 0040F08B

_strlen.LIBCMT ref: 0040F425

Part of subcall function 004369E5: __toupper_l.LIBCMT ref: 00436A04

Strings

iPos Buffer, xrefs: 0040F408
%USERNAME%, xrefs: 0040F407
iPos str, xrefs: 0040F414

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __toupper_l_getenv_strlen
String ID: %USERNAME%$iPos Buffer$iPos str
API String ID: 2032322048-3991586315
Opcode ID: 4bf9638bbbbe553eb3a1b8a53cb95518eab31f556f84655ac918c438c413b15f
Instruction ID: 27283b48981efd32da4e3b289e51195b2f486fdd3a1dcee4b84c718cac17d9d2
Opcode Fuzzy Hash: 4bf9638bbbbe553eb3a1b8a53cb95518eab31f556f84655ac918c438c413b15f
Instruction Fuzzy Hash: 92218171A00109AFCF20DF68C58199EBBB1FF54324F20857BE855F7682D738AA44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041D331 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041D338

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 00418F66: _memset.LIBCMT ref: 00418FAD
Part of subcall function 00418F66: _sprintf.LIBCMT ref: 00418FCA

Strings

boundary.Length()<64, xrefs: 0041D3DF
----=_EmTec_Mime_Part_08154711, xrefs: 0041D34C
.\email.cpp, xrefs: 0041D3DA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_memset_sprintf_strlen
String ID: ----=_EmTec_Mime_Part_08154711$.\email.cpp$boundary.Length()<64
API String ID: 3947979386-3782865599
Opcode ID: 216c7ae42998637fe8d90ea5a664fae2314f6f41a3996f6987fe43d959325b73
Instruction ID: faa6354a6514748a2dc19b1108b49036890b4fdf2f50bd8ef1c9de574b2836ec
Opcode Fuzzy Hash: 216c7ae42998637fe8d90ea5a664fae2314f6f41a3996f6987fe43d959325b73
Instruction Fuzzy Hash: 641196B1E002059BDB24EF658C82ABEB671BF44708F20052FE961A73C2DB7C5D81875E

Uniqueness

Uniqueness Score: -1.00%

Function 00429044 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,0000000E), ref: 004290BF

Part of subcall function 00428FE5: RegOpenKeyExA.ADVAPI32(80000000,CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32,00000000,00020019,00000000,?,?,?,?,0042907E,?,01FB17F8,?,00000000), ref: 00429003
Part of subcall function 00428FE5: RegQueryValueExA.ADVAPI32(00000000,00454616,00000000,00000000,?,?,?,?,?,?,0042907E,?,01FB17F8), ref: 00429025
Part of subcall function 00428FE5: RegCloseKey.ADVAPI32(00000000,?,?,?,?,0042907E,?,01FB17F8), ref: 00429033

LoadLibraryA.KERNEL32(?,?,01FB17F8,?,00000000), ref: 0042908F
LoadLibraryA.KERNEL32(hhctrl.ocx,?,01FB17F8,?,00000000), ref: 004290A5

Strings

hhctrl.ocx, xrefs: 004290A0

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: LibraryLoad$AddressCloseOpenProcQueryValue
String ID: hhctrl.ocx
API String ID: 2110907290-2298675154
Opcode ID: a351756529105b623ff328528e45442de7c0c2cddde672f4765a57b5e024f3f3
Instruction ID: 319ce1da8821ab995ddbd19d358a6f5d6e5ed4cab0e942da13d22db831bd0afe
Opcode Fuzzy Hash: a351756529105b623ff328528e45442de7c0c2cddde672f4765a57b5e024f3f3
Instruction Fuzzy Hash: 22118F31701629EBDB24DFA6FD40BAA37A9AB48348F41043EF509D3250D774DD848B1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F975 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

_strlen.LIBCMT ref: 0040F9B5
_strncpy.LIBCMT ref: 0040F9D2

Strings

text!=this->Buffer, xrefs: 0040F998
.\strings.cpp, xrefs: 0040F993

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ErrorH_prolog3Last__snprintf_memset_strlen_strncpy
String ID: .\strings.cpp$text!=this->Buffer
API String ID: 2216859557-2403493425
Opcode ID: 0eac6bb082760f5d75d4be2b300fff33711d02aab9600bd6b9ffd71bd6826dee
Instruction ID: 12cfd48f513139f35c5ab6c5cf0cc6d9e5957849fec24ccd0294442a626d2b11
Opcode Fuzzy Hash: 0eac6bb082760f5d75d4be2b300fff33711d02aab9600bd6b9ffd71bd6826dee
Instruction Fuzzy Hash: D401D8717002047BCA30AA1DCC83F6F779DDB54B68B21403BF844A76C1D979AC5841AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF68 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040EF6F

Part of subcall function 00435AB2: _malloc.LIBCMT ref: 00435ACA

Part of subcall function 004132A6: InitializeCriticalSection.KERNEL32(00000000), ref: 004132D6

Strings

`, xrefs: 0040EFB6
ptr, xrefs: 0040EFDE
.\strings.cpp, xrefs: 0040EFD9

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CriticalH_prolog3InitializeSection_malloc
String ID: .\strings.cpp$`$ptr
API String ID: 2485071247-1621485878
Opcode ID: b17eb2f8e68a3daa4dca1ef5ba68091ee4a806a02c1ee5935cf98e5827c96907
Instruction ID: 3efbe52c56baf48c142b39493c266c7f3d585c3c446189c2a14d801f480e847e
Opcode Fuzzy Hash: b17eb2f8e68a3daa4dca1ef5ba68091ee4a806a02c1ee5935cf98e5827c96907
Instruction Fuzzy Hash: 6B11C630A05205EBDB24EF6AEC0375936606F04715F10413FF949E66D2E7BC5D94968E

Uniqueness

Uniqueness Score: -1.00%

Function 004136A5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004136AF

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

LoadStringA.USER32(?,?,?,00000100), ref: 00413706

Strings

<STR-ERR>, xrefs: 004136CB
OSYS::GetStringFromResource %d returns %s, xrefs: 00413754

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3H_prolog3_LoadString_strlen
String ID: <STR-ERR>$OSYS::GetStringFromResource %d returns %s
API String ID: 2876014114-1297072308
Opcode ID: baa0a4025dc2a5afa5cebf218e8bad1baf91d111ab54926854e6141722792f96
Instruction ID: 59c0b00241dd6836bcb8c111c6265f8c4a65d36418bfc3aa835c453a7897d52f
Opcode Fuzzy Hash: baa0a4025dc2a5afa5cebf218e8bad1baf91d111ab54926854e6141722792f96
Instruction Fuzzy Hash: 6811907190025CABDB21EF55CC42BDD77B4AB08715F1040AAE918AB2C2C7785BD4CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004198D3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004198DA
_memset.LIBCMT ref: 004198FF

Part of subcall function 00435AB2: _malloc.LIBCMT ref: 00435ACA

Part of subcall function 00413129: CreateMutexA.KERNEL32(00000000,00000000,?,?,0041B1B5,00000000,00000000,E5C332AE,?,000001FF,00000000), ref: 00413140

Strings

pLock, xrefs: 00419936
w:\zaphod\dynarray.cpp, xrefs: 00419931

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CreateH_prolog3Mutex_malloc_memset
String ID: pLock$w:\zaphod\dynarray.cpp
API String ID: 751747294-842621046
Opcode ID: 96a6325d884e84ccb3851b4f365a11d4018b44ba5269601b0d12f23f86539830
Instruction ID: 30bfbe26023880e224e8a183f2d4ab454c56c5aaa16f3ac83a28bff0a0c4cb51
Opcode Fuzzy Hash: 96a6325d884e84ccb3851b4f365a11d4018b44ba5269601b0d12f23f86539830
Instruction Fuzzy Hash: 2D0175B0A41700ABC724AF268C02A5FFAF4EF94B00F10550FE88596692D7B85545CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 004128A2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004128D6
GetComputerNameA.KERNEL32(?,?), ref: 004128ED
_strcat.LIBCMT ref: 00412900

Strings

<N/A>, xrefs: 004128FA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ComputerName_memset_strcat
String ID: <N/A>
API String ID: 3562001399-3257593766
Opcode ID: c316880304473c87ac16a7df409c61df735c9dbf13321bf1887a3273db3810d5
Instruction ID: 8d13de928fd386db7ab2cb5f95b6420dbe7c188502a6b01c17b29f028a82ca50
Opcode Fuzzy Hash: c316880304473c87ac16a7df409c61df735c9dbf13321bf1887a3273db3810d5
Instruction Fuzzy Hash: F9011E71A0020C9EDB30DFA9DC46BEE77F8BB08708F50442EE554E7182EF7896488B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3F9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040E400

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

DeleteObject.GDI32(?), ref: 0040E450

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

Part of subcall function 004170C9: __EH_prolog3.LIBCMT ref: 004170D0

Strings

!this->pSubDlg, xrefs: 0040E433
.\setupdialog.cpp, xrefs: 0040E42E

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$DeleteErrorLastObject__snprintf_memset
String ID: !this->pSubDlg$.\setupdialog.cpp
API String ID: 2131507689-3910525131
Opcode ID: b754f7b1afe4d5fff652c02f5d4ad9fcb14f0cc6b29cdadf510e888e469aaef3
Instruction ID: 58a74604958a419a2c73ea9266e721eaff005e9548d3ee7229a2fb2fdbfc2532
Opcode Fuzzy Hash: b754f7b1afe4d5fff652c02f5d4ad9fcb14f0cc6b29cdadf510e888e469aaef3
Instruction Fuzzy Hash: 0A01AD30500740DAE715EF74C406BDD7BA0AB44309F20499EE8A96B2C2CBBC2A48DB49

Uniqueness

Uniqueness Score: -1.00%

Function 00428FE5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000000,CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32,00000000,00020019,00000000,?,?,?,?,0042907E,?,01FB17F8,?,00000000), ref: 00429003
RegQueryValueExA.ADVAPI32(00000000,00454616,00000000,00000000,?,?,?,?,?,?,0042907E,?,01FB17F8), ref: 00429025
RegCloseKey.ADVAPI32(00000000,?,?,?,?,0042907E,?,01FB17F8), ref: 00429033

Strings

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32, xrefs: 00428FF9

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
API String ID: 3677997916-4062393554
Opcode ID: 4d1e4b6f62673b9e6d8a3050924ba574841f9122015293f43233fdc879bc60ce
Instruction ID: a106159c587ecfc7f5480a0ea6aed982b5135283b9fbc9d36b812563cf9cebfb
Opcode Fuzzy Hash: 4d1e4b6f62673b9e6d8a3050924ba574841f9122015293f43233fdc879bc60ce
Instruction Fuzzy Hash: CFF05471604228BBDB109B91EC09F9FBF6CEB45799F600021BA05D1151D6748E50D6A8

Uniqueness

Uniqueness Score: -1.00%

Function 00413C0D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00413C10
GetThreadPriority.KERNEL32(00000000), ref: 00413C20

Strings

RAISETHREADPRIORITY::RAISETHREADPRIORITY done, ok= %d, origclass= %d, xrefs: 00413C58
RAISETHREADPRIORITY::RAISETHREADPRIORITY prio= %d, xrefs: 00413C34

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Thread$CurrentPriority
String ID: RAISETHREADPRIORITY::RAISETHREADPRIORITY done, ok= %d, origclass= %d$RAISETHREADPRIORITY::RAISETHREADPRIORITY prio= %d
API String ID: 1343868529-137569971
Opcode ID: 20a841e96d38022cfe151c757030e8cc82663a0af5f5bbe56962cb0588a43f77
Instruction ID: efb3014f95e50cd89260efb16189b2541cff87b73894c1be405937946bf9c54e
Opcode Fuzzy Hash: 20a841e96d38022cfe151c757030e8cc82663a0af5f5bbe56962cb0588a43f77
Instruction Fuzzy Hash: 24F0E971500701ABC7106F60DC05656BBE0EB50726F10C91EF8A596292E779D8D0CB8D

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7EF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041F7F6
_sprintf.LIBCMT ref: 0041F821
_strlen.LIBCMT ref: 0041F82E

Part of subcall function 0040F5EB: _memset.LIBCMT ref: 0040F666

Strings

%I64u, xrefs: 0041F814

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3__memset_sprintf_strlen
String ID: %I64u
API String ID: 2605747077-2461839288
Opcode ID: 32743642ae132433f4c7839e7f7f9e7d43d646708b26635aa066f554936bfcb6
Instruction ID: be72286bfe77f5254359bdfd51ca533117808e62584b2cb4902966541b8496ec
Opcode Fuzzy Hash: 32743642ae132433f4c7839e7f7f9e7d43d646708b26635aa066f554936bfcb6
Instruction Fuzzy Hash: 64F0A0B0500618AADB15FBA5CC06B9D3368AB04708F50501FF800AA182DBBC5A18875D

Uniqueness

Uniqueness Score: -1.00%

Function 00415786 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041578D
_sprintf.LIBCMT ref: 004157B5
_strlen.LIBCMT ref: 004157C2

Part of subcall function 0040F5EB: _memset.LIBCMT ref: 0040F666

Strings

%lu, xrefs: 004157A8

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3__memset_sprintf_strlen
String ID: %lu
API String ID: 2605747077-685833217
Opcode ID: c39049e5983a3c68bd6278fe70eb77c3bb90c23ad180e116ea01f0ce21073f1c
Instruction ID: 261013310a142e66cc3d71d418a317e64c593f69e2ba9f409e76454bd6e431be
Opcode Fuzzy Hash: c39049e5983a3c68bd6278fe70eb77c3bb90c23ad180e116ea01f0ce21073f1c
Instruction Fuzzy Hash: 35E092B1500A187FEB15FB55DC07F9D7268AF04B09F10502FF840AA182DBBC5A1987AD

Uniqueness

Uniqueness Score: -1.00%

Function 00412ECD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00412EE0

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Strings

EVENTSEM::EVENTSEM created %08x, xrefs: 00412EE7
.\osys_win32.cpp, xrefs: 00412F01
this->hev, xrefs: 00412F06

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CreateErrorEventH_prolog3Last__snprintf_memset
String ID: .\osys_win32.cpp$EVENTSEM::EVENTSEM created %08x$this->hev
API String ID: 2778411974-720648830
Opcode ID: 4df4b6bff3fb457099eee1737879bde713be250c51afd066d9a225ffd31e5c53
Instruction ID: 66219d1b3602a9562bbd33bcf4f925a34529c58183ce84193b48f5dbbb9ce0c4
Opcode Fuzzy Hash: 4df4b6bff3fb457099eee1737879bde713be250c51afd066d9a225ffd31e5c53
Instruction Fuzzy Hash: 54E04F71B84314BAE6102A20AC07F666584DB54F0BF20482BBF44AE0C2E5E95EA0A79D

Uniqueness

Uniqueness Score: -1.00%

Function 0042F38C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 0042F39F

Part of subcall function 0043BD9D: _flsall.LIBCMT ref: 0043BDB1

_fgets.LIBCMT ref: 0042F3BF

Strings

%s: write error (disk full?). Continue? (y/n/^C) , xrefs: 0042F391
C:/Program Files (x86)/ZOC5/zocdll.dll, xrefs: 0042F38C

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _fgets_flsall_fprintf
String ID: %s: write error (disk full?). Continue? (y/n/^C) $C:/Program Files (x86)/ZOC5/zocdll.dll
API String ID: 1414668839-2313624047
Opcode ID: e6be8e14398e156eaae43d346b84985728f1922432e30c8a7255303f33080600
Instruction ID: 23e610ca35e3185e9d9e84695188762529d3f83bddfbcf28fa5770756a6bd726
Opcode Fuzzy Hash: e6be8e14398e156eaae43d346b84985728f1922432e30c8a7255303f33080600
Instruction Fuzzy Hash: 37E0ECE6E84240BDF71073B25C0BB1D21589F19748F19186FB941E51C3EBEE952146BF

Uniqueness

Uniqueness Score: -1.00%

Function 0043B74E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0043B76F

Part of subcall function 00443484: __mtinitlocknum.LIBCMT ref: 00443498
Part of subcall function 00443484: __amsg_exit.LIBCMT ref: 004434A4
Part of subcall function 00443484: EnterCriticalSection.KERNEL32(?,?,?,004388FB,00000004,004699E0,0000000C,00442E08,?,?,00000000,00000000,00000000,0043FA2F,00000001,00000214), ref: 004434AC

EnterCriticalSection.KERNEL32(?,00000000,0043A970,00000000,00469AE0,0000000C,0041B64B,00000000,--- %s --- %s %s ---,?,?,?,?,?), ref: 0043B782

Strings

PF, xrefs: 0043B75C
`+I, xrefs: 0043B753

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CriticalEnterSection$__amsg_exit__lock__mtinitlocknum
String ID: PF$`+I
API String ID: 3996875869-2005272330
Opcode ID: 4e729ae5cc253d2cdb8db0ebaa818d907a1b2b1031fda9b7e22b913c60933bbd
Instruction ID: 64bef7e4c0735b079b50d6d082ba14e83359f1743853db2e9c01e43c7744a6bc
Opcode Fuzzy Hash: 4e729ae5cc253d2cdb8db0ebaa818d907a1b2b1031fda9b7e22b913c60933bbd
Instruction Fuzzy Hash: 33D0CD36504630479B38257974462DD66C4D784365707851FEC8656295EB1C6CC146DD

Uniqueness

Uniqueness Score: -1.00%

Function 00441DCA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,004359F6), ref: 00441DCF
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00441DDF

Strings

IsProcessorFeaturePresent, xrefs: 00441DD9
KERNEL32, xrefs: 00441DCA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 4125ec5f0a93d337c35e85b09e9356fa572a5dc7b3432d7806293d7c917db351
Instruction ID: 521b3db9ba47a0542f254904a132ba421714c44e83b3f974d4de633d5f5cc0ce
Opcode Fuzzy Hash: 4125ec5f0a93d337c35e85b09e9356fa572a5dc7b3432d7806293d7c917db351
Instruction Fuzzy Hash: 9BC080F0B41B0173FA501BF14D49B1A21555B40F43F140412B009D41F0DE9CD0C0553F

Uniqueness

Uniqueness Score: -1.00%

Function 0044871E Relevance: 6.1, APIs: 4, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0044874E
__isleadbyte_l.LIBCMT ref: 00448782
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,0043E3F8,?,?,00000002), ref: 004487B3
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,0043E3F8,?,?,00000002), ref: 00448821

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 574be55ea80289ad97a648f34956f09942adb5887e5252e8ff0f1c56923b7230
Instruction ID: 6891d52d590f7db683be07597c962f2d2a7b44dcfd5f9c75feed70fffc638e14
Opcode Fuzzy Hash: 574be55ea80289ad97a648f34956f09942adb5887e5252e8ff0f1c56923b7230
Instruction Fuzzy Hash: 5831CE31A00245EFEB21DFA4CCA1AAE7BB5FF01311F2585AEE4609B291DB34D940DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00418BE5 Relevance: 6.1, APIs: 4, Instructions: 81windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00418BEC

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

SendMessageA.USER32(00000000,-00000148,000000FF,00000000), ref: 00418C4E
_memset.LIBCMT ref: 00418C70
SendMessageA.USER32(00000000,-00000147,000000FF,?), ref: 00418C91

Part of subcall function 00418882: GetWindowLongA.USER32(?,000000F0), ref: 0041889F
Part of subcall function 00418882: _memset.LIBCMT ref: 004188BE
Part of subcall function 00418882: SendMessageA.USER32(?,00000191,00000100,?), ref: 004188DA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: MessageSend$H_prolog3_memset$LongWindow_strlen
String ID:
API String ID: 3756785551-0
Opcode ID: 6cb10f6f2420b98aaa8f00fe1c32737d96ef3c9ab20b135bb251574bda0e68fc
Instruction ID: 33e6a19bbdbe917c115e46ec5f273e58ffe3f3ea38b717740bd4dfd809022b5c
Opcode Fuzzy Hash: 6cb10f6f2420b98aaa8f00fe1c32737d96ef3c9ab20b135bb251574bda0e68fc
Instruction Fuzzy Hash: 51318D71900249AFCF10EFA5CC42BEEBBB5BF54314F10412AF415AB2E2DB789A44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004107B9 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004107C0

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

_strpbrk.LIBCMT ref: 00410809
_strpbrk.LIBCMT ref: 00410829
_strlen.LIBCMT ref: 00410835

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3_strlen_strpbrk
String ID:
API String ID: 3807024718-0
Opcode ID: 25131238df51efb2c353e089bca8e8ea39752e08eece798bfed96eff12751f84
Instruction ID: d78d265c9941551010bf5e6648e046f795813b74b9424fd2c5b5fc7d73f2b581
Opcode Fuzzy Hash: 25131238df51efb2c353e089bca8e8ea39752e08eece798bfed96eff12751f84
Instruction Fuzzy Hash: 54217F32905629ABDB14EF65C8017DE37A4AF08714F15502FF945AB281CBBC9E80CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 00415C3A Relevance: 6.1, APIs: 4, Instructions: 64windowkeyboardCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00415C4E
GetKeyState.USER32(00000011), ref: 00415C74
TranslateMessage.USER32(?), ref: 00415CB2
DispatchMessageA.USER32(?), ref: 00415CBC

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Message$DispatchStateTranslate
String ID:
API String ID: 2198823524-0
Opcode ID: d50473020ee42d4d7b451db6bb5962838227d26b601a3ae5fb9b9495a5bf61a9
Instruction ID: ce34a5c6026321f4203271987b39ae88fcdae02846de6c42b688981c74fe0349
Opcode Fuzzy Hash: d50473020ee42d4d7b451db6bb5962838227d26b601a3ae5fb9b9495a5bf61a9
Instruction Fuzzy Hash: 64112E71A0060ADFDF149FA4D888AEF77B8EB94305F004026E911EA255E778D985CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00418882 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0041889F
_memset.LIBCMT ref: 004188BE
SendMessageA.USER32(?,00000191,00000100,?), ref: 004188DA
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00418919

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: bf97cfc051919841f1061f0dd219d41ceea721925394ce2a27f571cfb9dc9800
Instruction ID: 81c85e024134700c97ee0cc63b86fa45db0137c238c0dd98694b539819ac007a
Opcode Fuzzy Hash: bf97cfc051919841f1061f0dd219d41ceea721925394ce2a27f571cfb9dc9800
Instruction Fuzzy Hash: 9D1136B0604604ABCB218E54DC84EBB7BF8EB80715F10423FF655601E0DB746981CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 00415D77 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00415C03: BeginPaint.USER32(?,?,0040E335,?), ref: 00415C0A

GetSysColor.USER32(00000010), ref: 00415D9D
CreateSolidBrush.GDI32(00000000), ref: 00415DA4

Part of subcall function 00415B81: GetClientRect.USER32(?,?), ref: 00415BC0

FillRect.USER32(?,?,00000000), ref: 00415DCF
DeleteObject.GDI32(00000000), ref: 00415DD6

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Rect$BeginBrushClientColorCreateDeleteFillObjectPaintSolid
String ID:
API String ID: 4133987377-0
Opcode ID: 22beec4c2f33b3f93eccbbacaa606663ae5a78f13cf6626cf12345a93ca82663
Instruction ID: a8506f1da99d225723d50154c66f6feb7465443551bdbd4c4298ce8e3c0456d4
Opcode Fuzzy Hash: 22beec4c2f33b3f93eccbbacaa606663ae5a78f13cf6626cf12345a93ca82663
Instruction Fuzzy Hash: C2010471E00708DBCB10EFE5D9859DFB7BDEF48705B104426E901DB151EA74D5458B54

Uniqueness

Uniqueness Score: -1.00%

Function 00441C9F Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00441CC3

Part of subcall function 00441AEE: __fltout2.LIBCMT ref: 00441B18

__cftog_l.LIBCMT ref: 00441CE9
__cftoe_l.LIBCMT ref: 00441D1B

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 4da3a88d60d05af007c7c615a80076e6816e294a9d2e6ff66e9dc03216251c59
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: DA018CB244014EBBEF125E84CC41CEE3F26BB08384B08841AFE1958130D33AD9B1AB89

Uniqueness

Uniqueness Score: -1.00%

Function 0044019E Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043FA7D: __amsg_exit.LIBCMT ref: 0043FA8B

__amsg_exit.LIBCMT ref: 004401CA
__lock.LIBCMT ref: 004401DA
InterlockedDecrement.KERNEL32(?), ref: 004401F7
InterlockedIncrement.KERNEL32(01FB15B0), ref: 00440222

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__lock
String ID:
API String ID: 4129207761-0
Opcode ID: fb60f4c20ff68262a23f112b42508f3e16c7015c66805dd5013c99d3f7732d5b
Instruction ID: 4c7e3a61f7c93872aa5d7e12a6fe737d0e4376926029d51477b1ff318733d866
Opcode Fuzzy Hash: fb60f4c20ff68262a23f112b42508f3e16c7015c66805dd5013c99d3f7732d5b
Instruction Fuzzy Hash: 1201E1329017259BE720AB66940974A77A0BF04B15F00005BE900673C1DBBCACA1DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA7F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041AA86

Part of subcall function 00413129: CreateMutexA.KERNEL32(00000000,00000000,?,?,0041B1B5,00000000,00000000,E5C332AE,?,000001FF,00000000), ref: 00413140

_memset.LIBCMT ref: 0041AAE2
_memset.LIBCMT ref: 0041AAEE
_memset.LIBCMT ref: 0041AAFA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset$CreateH_prolog3Mutex
String ID:
API String ID: 4052416266-0
Opcode ID: d113514f1a947cef13f150bc19935a3c6a81df50b002d8cde661d5cb03f29fc9
Instruction ID: 76e824976e4cae1b974cf41b17cf410e77d47f4b830d9d53d031e2059ac20752
Opcode Fuzzy Hash: d113514f1a947cef13f150bc19935a3c6a81df50b002d8cde661d5cb03f29fc9
Instruction Fuzzy Hash: 2B115EB4800B449AC730EF67C545A5BFBF8BF94704F40895FA58693691DBB8F208CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0043FA06 Relevance: 6.0, APIs: 4, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,004380B0,00439D1B,00000001,0043F765,?,00000000,?,?,?,?,0043F877,?,00438E66), ref: 0043FA08

Part of subcall function 0043F8BF: TlsGetValue.KERNEL32(?,00438E66), ref: 0043F8C6
Part of subcall function 0043F8BF: TlsSetValue.KERNEL32(00000000,00438E66), ref: 0043F8E7

__calloc_crt.LIBCMT ref: 0043FA2A

Part of subcall function 00442DF5: __calloc_impl.LIBCMT ref: 00442E03
Part of subcall function 00442DF5: Sleep.KERNEL32(00000000), ref: 00442E1A

Part of subcall function 0043F82D: TlsGetValue.KERNEL32(00000000,0043F8DD,?,00438E66), ref: 0043F83A
Part of subcall function 0043F82D: TlsGetValue.KERNEL32(00000005,?,00438E66), ref: 0043F851

Part of subcall function 0043F947: GetModuleHandleA.KERNEL32(KERNEL32.DLL,00469E28,0000000C,0043FA58,00000000,00000000,?,00000000,004380B0,00439D1B,00000001,0043F765,?,00000000), ref: 0043F958
Part of subcall function 0043F947: GetProcAddress.KERNEL32(?,EncodePointer), ref: 0043F98C
Part of subcall function 0043F947: GetProcAddress.KERNEL32(?,DecodePointer), ref: 0043F99C
Part of subcall function 0043F947: InterlockedIncrement.KERNEL32(0046E8A0), ref: 0043F9BE
Part of subcall function 0043F947: __lock.LIBCMT ref: 0043F9C6
Part of subcall function 0043F947: ___addlocaleref.LIBCMT ref: 0043F9E5

GetCurrentThreadId.KERNEL32 ref: 0043FA5A
SetLastError.KERNEL32(00000000,?,00000000,004380B0,00439D1B,00000001,0043F765,?,00000000,?,?,?,?,0043F877,?,00438E66), ref: 0043FA72

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
String ID:
API String ID: 1081334783-0
Opcode ID: 665cdc278f2ca1f571ac1dd62def958e1c17f441b7b913911f199f87106772f0
Instruction ID: 9c716f8cbfd9dd3cb594fade53f0237feb3ef9b52a7276cb9f65ab3f9c19f359
Opcode Fuzzy Hash: 665cdc278f2ca1f571ac1dd62def958e1c17f441b7b913911f199f87106772f0
Instruction Fuzzy Hash: 23F02837C00B216BD6363BB57C0AA6A3AD09F48775F14113FF118961D1DF28C845979E

Uniqueness

Uniqueness Score: -1.00%

Function 00419640 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00419647

Strings

.\stringarray.cpp, xrefs: 004196C1
!this->LockTable, xrefs: 004196C6

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3
String ID: !this->LockTable$.\stringarray.cpp
API String ID: 431132790-1223753495
Opcode ID: ad893b43b0f032e529bd8dfcbcde562f7bb13d2a2dee1b2130629311042bf5ce
Instruction ID: 03c9696987a61be85b28c6dc939ea0eb467565b1c8e446fadb9d71edddbe9c44
Opcode Fuzzy Hash: ad893b43b0f032e529bd8dfcbcde562f7bb13d2a2dee1b2130629311042bf5ce
Instruction Fuzzy Hash: 05313C3090020AAFCF14EFA1C892CEEBB71FF14328F10452FE525661D2DB395A85DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041A162 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041A181

Part of subcall function 0040FD54: __fread_nolock.LIBCMT ref: 0040FE13

Part of subcall function 00419C1F: __EH_prolog3.LIBCMT ref: 00419C38
Part of subcall function 00419C1F: _strncpy.LIBCMT ref: 00419C91
Part of subcall function 00419C1F: _strncpy.LIBCMT ref: 00419CA1
Part of subcall function 00419C1F: _strncmp.LIBCMT ref: 00419D40
Part of subcall function 00419C1F: _strncmp.LIBCMT ref: 00419D5A

Part of subcall function 004192B9: __EH_prolog3.LIBCMT ref: 004192C0

Strings

HASH::Load %s, xrefs: 0041A1A4
HASH::Load returns %d, %s, xrefs: 0041A21D

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$_strncmp_strncpy$__fread_nolock
String ID: HASH::Load %s$HASH::Load returns %d, %s
API String ID: 696004964-3413410379
Opcode ID: af69396a7f28fb629e8e82052852c02c14364484a6cd251a8543d8b22e6f783e
Instruction ID: 1f270ec2d327e18d400dfaccdf762e0be3196fbbbe648a01c9d3d5192157ce9d
Opcode Fuzzy Hash: af69396a7f28fb629e8e82052852c02c14364484a6cd251a8543d8b22e6f783e
Instruction Fuzzy Hash: 8421B671900248EFCB14EFA6CC52ADDB7B4FF14314F10406FE805A7292EB785A49CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00410409 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

__vsnprintf.LIBCMT ref: 00410452

Part of subcall function 004374EC: __vsnprintf_l.LIBCMT ref: 004374FE

Strings

rc>=0 && rc<sizeof(buf)-1, xrefs: 0041047C
.\strings.cpp, xrefs: 00410477

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __vsnprintf__vsnprintf_l
String ID: .\strings.cpp$rc>=0 && rc<sizeof(buf)-1
API String ID: 551395303-4078348570
Opcode ID: 8d05d94f4fe82000e837aa5717c2c4756f6e07583376fdc0330b6388e5fb9533
Instruction ID: a54efeb6777b40a5a881d7d65751aea843e8aff3436298cc8f91758ba07a7326
Opcode Fuzzy Hash: 8d05d94f4fe82000e837aa5717c2c4756f6e07583376fdc0330b6388e5fb9533
Instruction Fuzzy Hash: 4C21D731A00308ABDB10DB95CC46FEE77A8EB08724F00057BE919D21C2E7789A88CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00413FD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00413FD7

Part of subcall function 004157DA: __EH_prolog3.LIBCMT ref: 004157E1

Part of subcall function 0041EFC4: __EH_prolog3.LIBCMT ref: 0041EFCB

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 0041EC86: __EH_prolog3.LIBCMT ref: 0041EC8D

MessageBoxA.USER32(00000001,?,?,00010024), ref: 00414077

Strings

WINEMTEC::YesNoMsgBox title=%s text=%s, xrefs: 00413FE7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$Message_strlen
String ID: WINEMTEC::YesNoMsgBox title=%s text=%s
API String ID: 1800839913-3931902097
Opcode ID: 348eb571901f588d9def187d89df814ff02673dec700d929449333a9be4778c1
Instruction ID: 25353f285da8633147f83ef20acb78569ee83de1482532523c4ec33e5bcb14f4
Opcode Fuzzy Hash: 348eb571901f588d9def187d89df814ff02673dec700d929449333a9be4778c1
Instruction Fuzzy Hash: 45219F31D00248EBCF15EBA6CC06ADD7BB0AF04318F10811AF8157B2D2DB795B58CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00439DD9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00439DE7

Part of subcall function 00443484: __mtinitlocknum.LIBCMT ref: 00443498
Part of subcall function 00443484: __amsg_exit.LIBCMT ref: 004434A4
Part of subcall function 00443484: EnterCriticalSection.KERNEL32(?,?,?,004388FB,00000004,004699E0,0000000C,00442E08,?,?,00000000,00000000,00000000,0043FA2F,00000001,00000214), ref: 004434AC

Part of subcall function 0043F82D: TlsGetValue.KERNEL32(00000000,0043F8DD,?,00438E66), ref: 0043F83A
Part of subcall function 0043F82D: TlsGetValue.KERNEL32(00000005,?,00438E66), ref: 0043F851

Part of subcall function 0043F82D: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00438E66), ref: 0043F866
Part of subcall function 0043F82D: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0043F881

Strings

dEE, xrefs: 00439E70
PEE, xrefs: 00439E60

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Value$AddressCriticalEnterHandleModuleProcSection__amsg_exit__lock__mtinitlocknum
String ID: PEE$dEE
API String ID: 669183598-2584293349
Opcode ID: 0daeae4d4c9bce63dca62b2266ef1b3f1340e8f8d6bfe49240f3ab37208e4b9b
Instruction ID: 0a30179a0872946eb7ed52370392db1e19f21f242f3eb06a512034ef37093f5a
Opcode Fuzzy Hash: 0daeae4d4c9bce63dca62b2266ef1b3f1340e8f8d6bfe49240f3ab37208e4b9b
Instruction Fuzzy Hash: 5C110232800205AEDF15BFA6D84226E77B0AB88719F24603FF528162D2DBBC4C85CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 00413E1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00413E23

Part of subcall function 004157DA: __EH_prolog3.LIBCMT ref: 004157E1

Part of subcall function 0041EFC4: __EH_prolog3.LIBCMT ref: 0041EFCB

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 0041EC86: __EH_prolog3.LIBCMT ref: 0041EC8D

MessageBoxA.USER32(?,?,?,00010040), ref: 00413EC4

Strings

WINEMTEC::InfoMsgBox title=%s text=%s, xrefs: 00413E32

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$Message_strlen
String ID: WINEMTEC::InfoMsgBox title=%s text=%s
API String ID: 1800839913-4169888135
Opcode ID: e891ab521b35136c01f33f39011e38b1eae0763d05bcd308752dce9b2636d4cc
Instruction ID: b4315d52063f6a56511490986b07f04759e0c5b3bf20f3f68e5e15060cc25508
Opcode Fuzzy Hash: e891ab521b35136c01f33f39011e38b1eae0763d05bcd308752dce9b2636d4cc
Instruction Fuzzy Hash: 46216D31900248EBDF05EFA2CC4ABDD7B74AF00318F10811AF8156A1E2DB795B98CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00413EF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00413EFD

Part of subcall function 004157DA: __EH_prolog3.LIBCMT ref: 004157E1

Part of subcall function 0041EFC4: __EH_prolog3.LIBCMT ref: 0041EFCB

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Part of subcall function 0041EC86: __EH_prolog3.LIBCMT ref: 0041EC8D

MessageBoxA.USER32(?,?,?,00010010), ref: 00413F9E

Strings

WINEMTEC::ErrorMsgBox title=%s text=%s, xrefs: 00413F0C

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$Message_strlen
String ID: WINEMTEC::ErrorMsgBox title=%s text=%s
API String ID: 1800839913-2787015471
Opcode ID: 4d1a455e6010c8c2ae397faed0235bce5f0789ae83254442533ffcfc0ac7b289
Instruction ID: 0118156ae2dd9b2bca935c45d9f451068516aaa0ca8d7629a3792e205e206227
Opcode Fuzzy Hash: 4d1a455e6010c8c2ae397faed0235bce5f0789ae83254442533ffcfc0ac7b289
Instruction Fuzzy Hash: 4B217A31800248EBDF05EBE1CC0ABDDBB70AF00318F10811AF8152A1E2DBB95B98CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040245A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00402464

Part of subcall function 0041AA7F: __EH_prolog3.LIBCMT ref: 0041AA86
Part of subcall function 0041AA7F: _memset.LIBCMT ref: 0041AAE2
Part of subcall function 0041AA7F: _memset.LIBCMT ref: 0041AAEE
Part of subcall function 0041AA7F: _memset.LIBCMT ref: 0041AAFA

Part of subcall function 004157DA: __EH_prolog3.LIBCMT ref: 004157E1

Part of subcall function 0041A268: _memset.LIBCMT ref: 0041A2CB
Part of subcall function 0041A268: _memset.LIBCMT ref: 0041A2DB
Part of subcall function 0041A268: PrintDlgA.COMDLG32(00000042), ref: 0041A36F
Part of subcall function 0041A268: GlobalFree.KERNEL32(00000000), ref: 0041A388

Part of subcall function 00415D0E: __EH_prolog3.LIBCMT ref: 00415D15

Part of subcall function 0041AEDD: _memset.LIBCMT ref: 0041AF01
Part of subcall function 0041AEDD: GetDeviceCaps.GDI32(?,0000005A), ref: 0041AF0E
Part of subcall function 0041AEDD: _strcat.LIBCMT ref: 0041AF63

Part of subcall function 0041A432: GetDeviceCaps.GDI32(?,00000058), ref: 0041A493
Part of subcall function 0041A432: GetDeviceCaps.GDI32(?,0000005A), ref: 0041A49D
Part of subcall function 0041A432: GetDeviceCaps.GDI32(?,00000008), ref: 0041A4CE
Part of subcall function 0041A432: GetDeviceCaps.GDI32(?,0000000A), ref: 0041A4E9

Part of subcall function 0041A51B: __EH_prolog3.LIBCMT ref: 0041A522
Part of subcall function 0041A51B: StartDocPrinterA.WINSPOOL.DRV(?,00000001,?), ref: 0041A572

Part of subcall function 0041AB78: StartPagePrinter.WINSPOOL.DRV(?,?,?,?,?,?,000000FF), ref: 0041ABCB

Part of subcall function 0041ACB7: _strlen.LIBCMT ref: 0041ACEC
Part of subcall function 0041ACB7: WritePrinter.WINSPOOL.DRV(000000FF,?,000000FF,?,000000FF), ref: 0041AD07

Part of subcall function 0041A675: EndPagePrinter.WINSPOOL.DRV(?,000000FF), ref: 0041A6A0
Part of subcall function 0041A675: EndDocPrinter.WINSPOOL.DRV(?,?,000000FF), ref: 0041A6A8
Part of subcall function 0041A675: ClosePrinter.WINSPOOL.DRV(?,?,?,000000FF), ref: 0041A6B0

Strings

ORDER, xrefs: 004024DE
Courier New, xrefs: 004024BA

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _memset$CapsDeviceH_prolog3Printer.$PageStart$CloseFreeGlobalPrintPrinterWrite_strcat_strlen
String ID: Courier New$ORDER
API String ID: 96007522-1630563337
Opcode ID: 0975b2180fa661f8f38b32f166078d3c77377ffb58770cebc575f6da87250f94
Instruction ID: 944bc64b594721010ff1418a7dd7c26029c26104eb1219e0cea4be5427035578
Opcode Fuzzy Hash: 0975b2180fa661f8f38b32f166078d3c77377ffb58770cebc575f6da87250f94
Instruction Fuzzy Hash: 1F117F7050121CAEDB14EBA4CD92FEE7379AF14358F50029EB215361D3DB781F98CA2A

Uniqueness

Uniqueness Score: -1.00%

Function 0041E587 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 0041E5F9

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Strings

.\winkeys.cpp, xrefs: 0041E5B7
FALSE, xrefs: 0041E5BC

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ErrorH_prolog3LastState__snprintf_memset
String ID: .\winkeys.cpp$FALSE
API String ID: 3460975504-329848690
Opcode ID: a6ce9f611d231a984cbd61556a0dc96780ec360481755dbc48b2f8227b98113a
Instruction ID: b35a87f53374bb8c5dcdb4049c4cd2210721251e1d4f99a7d6d5c649dffdfe32
Opcode Fuzzy Hash: a6ce9f611d231a984cbd61556a0dc96780ec360481755dbc48b2f8227b98113a
Instruction Fuzzy Hash: AC01D63E68857671E22005EB9C06FF74502A381B9CF684123BD56D61C1FC9CCDC3A1AE

Uniqueness

Uniqueness Score: -1.00%

Function 00416F4E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00416F55

Strings

.\datadialogs.cpp, xrefs: 00416F87
this->DisableItemCount<ARRAYMAX(this->DisableItems), xrefs: 00416F90

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3
String ID: .\datadialogs.cpp$this->DisableItemCount<ARRAYMAX(this->DisableItems)
API String ID: 431132790-590486021
Opcode ID: 4b79528aafbce34ed52cb160d41a555108b55515cbba03c423b925bc935fe722
Instruction ID: b301b8399b890252a267bdeeb18e47c557b63cdf6c6e39a997b4c627ad7e23d7
Opcode Fuzzy Hash: 4b79528aafbce34ed52cb160d41a555108b55515cbba03c423b925bc935fe722
Instruction Fuzzy Hash: 69216D75A00209EFDB10DF29C441B89B7B0FF08314F10812AF859AB292DB74AE94CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040FADA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

__vsnprintf.LIBCMT ref: 0040FB0B

Part of subcall function 004374EC: __vsnprintf_l.LIBCMT ref: 004374FE

Strings

rc>=0 && rc<sizeof(buf)-1, xrefs: 0040FB35
.\strings.cpp, xrefs: 0040FB30

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: __vsnprintf__vsnprintf_l
String ID: .\strings.cpp$rc>=0 && rc<sizeof(buf)-1
API String ID: 551395303-4078348570
Opcode ID: 130fd3d088f4873e84b13ad1d8e3015ad5344508f1238de9537a70c92bf65406
Instruction ID: 7b71038c2549d294c201dd0ad9457d8ded2a99d7b20620f0ab6bdf4a693e843c
Opcode Fuzzy Hash: 130fd3d088f4873e84b13ad1d8e3015ad5344508f1238de9537a70c92bf65406
Instruction Fuzzy Hash: AA017931704208A7DB10DEA5CC46FAA77DDDB54759F10047BBA05E21C2D5B8A905865D

Uniqueness

Uniqueness Score: -1.00%

Function 0041292F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041294F
GetVersionExA.KERNEL32(?), ref: 00412962

Strings

OSYS::GetOSType %d.%d, xrefs: 0041296E

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Version_memset
String ID: OSYS::GetOSType %d.%d
API String ID: 963298953-2180102822
Opcode ID: ee398940897960e78bb74f2ed8ab896f065eece9b0319d788404d1efd1e63b7b
Instruction ID: 2fd79b6358225d5d6a32298053784ba123d12d3b3bc4595bf4e02ba4785e938f
Opcode Fuzzy Hash: ee398940897960e78bb74f2ed8ab896f065eece9b0319d788404d1efd1e63b7b
Instruction Fuzzy Hash: E901C4B1E6020D9FDF10DFB8DD06FEEB3B1AB08304F50041AE615E5181E3AC91958B4E

Uniqueness

Uniqueness Score: -1.00%

Function 00417CBE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00417CC5

Part of subcall function 00435AB2: _malloc.LIBCMT ref: 00435ACA

Strings

.\datadialogitems.cpp, xrefs: 00417D0F
this->pRadio->IsValid(), xrefs: 00417D14

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3_malloc
String ID: .\datadialogitems.cpp$this->pRadio->IsValid()
API String ID: 2346879263-359313249
Opcode ID: 1f7bd67a7d39c8e27a9bf6dc71ba1d2da328a086e26146850855dc5a6bcdbdb4
Instruction ID: 179236524b0153b96421a33e7aee4372d2d31dfa30bf0ff4c7ee53f8c8c4209e
Opcode Fuzzy Hash: 1f7bd67a7d39c8e27a9bf6dc71ba1d2da328a086e26146850855dc5a6bcdbdb4
Instruction Fuzzy Hash: 9901A530650704EFDB14FB71C903AEE76B0FF08714F10162EE956A76D1EB78A9409B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041011E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00410125
_sscanf.LIBCMT ref: 00410179

Strings

%2x, xrefs: 00410168

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3_sscanf
String ID: %2x
API String ID: 2446616797-1919545446
Opcode ID: 44098dccccbdb2d6907ace13acc37666336225f8e566b1565717b9809f1fe451
Instruction ID: ee6b12e80e11d4db349cb6790b5b5a443d85a8a7b1994bb9bb0f794ef9bc3702
Opcode Fuzzy Hash: 44098dccccbdb2d6907ace13acc37666336225f8e566b1565717b9809f1fe451
Instruction Fuzzy Hash: 9001D875900209EBCB00DFE5C881BEEB7B5BB44304F10443FF944AB281C7BC9A958B99

Uniqueness

Uniqueness Score: -1.00%

Function 00421D1B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00421D47
WSAStartup.WS2_32(00000101,?), ref: 00421D58

Strings

TCP::InitWinsock WSAStartup vers= %x, highvers= %x, desc= %s, status= %s, maxsocket %d, maxuppdgram= %d, xrefs: 00421D85

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Startup_memset
String ID: TCP::InitWinsock WSAStartup vers= %x, highvers= %x, desc= %s, status= %s, maxsocket %d, maxuppdgram= %d
API String ID: 3974092505-154047836
Opcode ID: 2c0165ef623e9ca9aed0379cc064173af1c2c060822319aea78e087fb6265bf1
Instruction ID: 98dfe8af709f325c5140745af2d5510f801d44bf1b5a7d051168bba32cdbf235
Opcode Fuzzy Hash: 2c0165ef623e9ca9aed0379cc064173af1c2c060822319aea78e087fb6265bf1
Instruction Fuzzy Hash: D5011E7290051C9ADB30EFA99C42BEE77ECAB08709F100556FE54D6181EBB896888765

Uniqueness

Uniqueness Score: -1.00%

Function 004135EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004135F2

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

_strlen.LIBCMT ref: 00413622

Part of subcall function 0040F93F: _strlen.LIBCMT ref: 0040F95F

Strings

DGE, xrefs: 0041362D

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strlen$H_prolog3
String ID: DGE
API String ID: 2883720156-828149971
Opcode ID: 8b83f7b5108dccf2c8624ef2e3304092f209c3d92199649268e0f48039f927d1
Instruction ID: 1fd9c63234a1e6c746940979f1e74ce27bf094877d5ade1c0bbc8e2aea712369
Opcode Fuzzy Hash: 8b83f7b5108dccf2c8624ef2e3304092f209c3d92199649268e0f48039f927d1
Instruction Fuzzy Hash: AF01D474904254BBCB24EF55C850EDE3B64AF05754F10422BB9541B3D2CB7C5A81C788

Uniqueness

Uniqueness Score: -1.00%

Function 00418485 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

__time64.LIBCMT ref: 004184A1

Part of subcall function 0043A1AD: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00418444,?,000001FF), ref: 0043A1B6
Part of subcall function 0043A1AD: __aulldiv.LIBCMT ref: 0043A1D6

Part of subcall function 00438DC2: ___getgmtimebuf.LIBCMT ref: 00438DC3

_sprintf.LIBCMT ref: 004184C9

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Strings

%04d-%02d-%02d, xrefs: 004184C3

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Time$FileH_prolog3System___getgmtimebuf__aulldiv__time64_sprintf_strlen
String ID: %04d-%02d-%02d
API String ID: 3702444382-516894531
Opcode ID: 90efa7548fd27542b795429c316670259eb1a9f21d0f3c8b6ab15d5bbaa432b2
Instruction ID: d08fd1c20f1a915006bbafc9e5b5a4b0e17e22229d8efb7bcae4e6e90e93bcf6
Opcode Fuzzy Hash: 90efa7548fd27542b795429c316670259eb1a9f21d0f3c8b6ab15d5bbaa432b2
Instruction Fuzzy Hash: 63F04971E00208ABCB04EFA5CC46EDD77FCAB0C318F00545AF501B7252DA78EA058769

Uniqueness

Uniqueness Score: -1.00%

Function 00417D5B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00417D62

Part of subcall function 0041868A: SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00418696

Part of subcall function 00406F23: __EH_prolog3_GS.LIBCMT ref: 00406F2A
Part of subcall function 00406F23: _sprintf.LIBCMT ref: 00406F52
Part of subcall function 00406F23: _strlen.LIBCMT ref: 00406F5F

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Strings

.\datadialogitems.cpp, xrefs: 00417DB7
this->pDataLength==4, xrefs: 00417DBC

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3$ErrorH_prolog3_LastMessageSend__snprintf_memset_sprintf_strlen
String ID: .\datadialogitems.cpp$this->pDataLength==4
API String ID: 1028743699-64581460
Opcode ID: 49bdbab03c376face3dc02d16bb5af6e6d01b5bc68825eee54d3de69f6e8300b
Instruction ID: 029d2413d4d507643236ade469255eaa753977d2031b58f47ef0b6cdbbdc5692
Opcode Fuzzy Hash: 49bdbab03c376face3dc02d16bb5af6e6d01b5bc68825eee54d3de69f6e8300b
Instruction Fuzzy Hash: 88018F30500704DBCB24EB71C946B9A73F0AF48719F60056EA986675D2DB7CAA54CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00418068 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041806F

Part of subcall function 00418882: GetWindowLongA.USER32(?,000000F0), ref: 0041889F
Part of subcall function 00418882: _memset.LIBCMT ref: 004188BE
Part of subcall function 00418882: SendMessageA.USER32(?,00000191,00000100,?), ref: 004188DA

Part of subcall function 00406F23: __EH_prolog3_GS.LIBCMT ref: 00406F2A
Part of subcall function 00406F23: _sprintf.LIBCMT ref: 00406F52
Part of subcall function 00406F23: _strlen.LIBCMT ref: 00406F5F

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

Strings

.\datadialogitems.cpp, xrefs: 004180C0
this->pDataLength==4, xrefs: 004180C5

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: H_prolog3_memset$ErrorH_prolog3_LastLongMessageSendWindow__snprintf_sprintf_strlen
String ID: .\datadialogitems.cpp$this->pDataLength==4
API String ID: 2889812211-64581460
Opcode ID: 370f06c97522de02ad525c7d27b0576c0a3468336e1d26ee03b59546f4a0124c
Instruction ID: f92580b7a2071afb22947448ad08d2bec7515269430295a84ec8eb2dca150421
Opcode Fuzzy Hash: 370f06c97522de02ad525c7d27b0576c0a3468336e1d26ee03b59546f4a0124c
Instruction Fuzzy Hash: 74018B716007049BC724FBB1C847B9A73E0AB48719F60462EE44A671D2DF7CAA44CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00422333 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042233A
ioctlsocket.WS2_32(?,4004667F,00000000), ref: 0042235A

Part of subcall function 00421E54: __EH_prolog3.LIBCMT ref: 00421E73
Part of subcall function 00421E54: WSAGetLastError.WS2_32(00000020), ref: 00421E94
Part of subcall function 00421E54: _memset.LIBCMT ref: 00421EB9
Part of subcall function 00421E54: _memset.LIBCMT ref: 00421EC9
Part of subcall function 00421E54: FormatMessageA.KERNEL32(00001000,00000000,?,00000000,00000000,00000100,00000000,?,?,?,?,?,00000020), ref: 00421EDF
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421EE9
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421EFB
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421F0B
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421F1B
Part of subcall function 00421E54: _strlen.LIBCMT ref: 00421F27

Strings

TCPIPIO::DevGetNumAvail avail=%d , xrefs: 0042239D

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: _strlen$H_prolog3_memset$ErrorFormatLastMessageioctlsocket
String ID: TCPIPIO::DevGetNumAvail avail=%d
API String ID: 3820077274-3065623118
Opcode ID: 066bdbcf07e5f1f042e85e9f323522ae718c82b8c7c4f353e139d23a6c0b12be
Instruction ID: 9c55cad8fd4347efb23adee141c7f5374885f33503e37a31fe2e80170b2a4c08
Opcode Fuzzy Hash: 066bdbcf07e5f1f042e85e9f323522ae718c82b8c7c4f353e139d23a6c0b12be
Instruction Fuzzy Hash: 0601D631504218ABDB14EBB4CC06BDE7374BF04329F54061EF529A21D1DB7C5508CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 004159D4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,0000001B), ref: 00415A22

Strings

topbottom==+1, xrefs: 00415A07
.\windows_win32.cpp, xrefs: 00415A02

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Window
String ID: .\windows_win32.cpp$topbottom==+1
API String ID: 2353593579-1346219657
Opcode ID: 42c6d5d0a05a065bcc0ae008af7f52b511020c5bf6d342077ff79b5f884ca581
Instruction ID: c41a39e3f9562004a88b072598c52fd6fcca45aa89e074cfecaed1fc3eb45415
Opcode Fuzzy Hash: 42c6d5d0a05a065bcc0ae008af7f52b511020c5bf6d342077ff79b5f884ca581
Instruction Fuzzy Hash: 5DF05E36651328B68F205E669C09DCB7F1CEB46BB2B10812BB92896191D6788190CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00418423 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

__time64.LIBCMT ref: 0041843F

Part of subcall function 0043A1AD: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00418444,?,000001FF), ref: 0043A1B6
Part of subcall function 0043A1AD: __aulldiv.LIBCMT ref: 0043A1D6

Part of subcall function 00438DC2: ___getgmtimebuf.LIBCMT ref: 00438DC3

_sprintf.LIBCMT ref: 0041845E

Part of subcall function 00401071: __EH_prolog3.LIBCMT ref: 00401078
Part of subcall function 00401071: _strlen.LIBCMT ref: 0040109F

Strings

%02d:%02d:%02d, xrefs: 00418458

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Time$FileH_prolog3System___getgmtimebuf__aulldiv__time64_sprintf_strlen
String ID: %02d:%02d:%02d
API String ID: 3702444382-3862977440
Opcode ID: 941f87e44bbad4d9cf358531bf6b26d4601d0f94efc6f8b09a0053a84a580ff1
Instruction ID: a5c6f2f9fca763268fc17fd1cca866664d12875dae21553dbf2228803a287387
Opcode Fuzzy Hash: 941f87e44bbad4d9cf358531bf6b26d4601d0f94efc6f8b09a0053a84a580ff1
Instruction Fuzzy Hash: E8F0FF71A0010CABCF00EBA5C846ECDB7F9AB0C318F50546AF505B71A2E679EA498759

Uniqueness

Uniqueness Score: -1.00%

Function 0042A5E6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042A5ED

Part of subcall function 00413B91: GetCurrentThreadId.KERNEL32 ref: 00413B9A

Part of subcall function 00437ED0: __lock.LIBCMT ref: 00437EEE
Part of subcall function 00437ED0: ___sbh_find_block.LIBCMT ref: 00437EF9
Part of subcall function 00437ED0: ___sbh_free_block.LIBCMT ref: 00437F08
Part of subcall function 00437ED0: RtlFreeHeap.NTDLL(00000000,?,00469980,0000000C,00443465,00000000,00469F50,0000000C,0044349D,?,?,?,004388FB,00000004,004699E0,0000000C), ref: 00437F38
Part of subcall function 00437ED0: GetLastError.KERNEL32(?,004388FB,00000004,004699E0,0000000C,00442E08,?,?,00000000,00000000,00000000,0043FA2F,00000001,00000214,?,00000000), ref: 00437F49

Strings

RINGBUFFER::~RINGBUFFER done, xrefs: 0042A62F
RINGBUFFER::~RINGBUFFER, xrefs: 0042A5F7

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: CurrentErrorFreeH_prolog3HeapLastThread___sbh_find_block___sbh_free_block__lock
String ID: RINGBUFFER::~RINGBUFFER$RINGBUFFER::~RINGBUFFER done
API String ID: 1280947857-81443724
Opcode ID: 7bd356922a1f787d0ac8099ef841de07e2818a2d3bd670d43abe4c7f8d083072
Instruction ID: aea92c171d56b7d156038a14e4c996c93eaeff3635d148a7467bda61cd6afe1d
Opcode Fuzzy Hash: 7bd356922a1f787d0ac8099ef841de07e2818a2d3bd670d43abe4c7f8d083072
Instruction Fuzzy Hash: 72F0F0306007088BDB28BB67840779E33A09F00739F20460FF8A5572C2CFBC5B84869E

Uniqueness

Uniqueness Score: -1.00%

Function 00418D42 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00418D49

Part of subcall function 00416DC6: GetWindowLongA.USER32(?,000000F0), ref: 00416DE2

Part of subcall function 00415BEA: IsWindow.USER32(?), ref: 00415BF2

Strings

this->IsDropdownList() || !this->IsValid(), xrefs: 00418D96
.\wincontrols_win32.cpp, xrefs: 00418D91

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Window$H_prolog3Long
String ID: .\wincontrols_win32.cpp$this->IsDropdownList() || !this->IsValid()
API String ID: 458961026-3203579685
Opcode ID: 4dcdfadeb93ed04314c92393cae36aa02961ea4cf1158a84b014f9d4b2ee6b41
Instruction ID: b641fae489e0106a3cf910fb7004aad829ea522fb03a9fdd729adfc7e971d139
Opcode Fuzzy Hash: 4dcdfadeb93ed04314c92393cae36aa02961ea4cf1158a84b014f9d4b2ee6b41
Instruction Fuzzy Hash: 8BF0A771B44314A7DB107B714C02BAE2554DB25B49F54441FFD45DA2C3DFBC8A5482DD

Uniqueness

Uniqueness Score: -1.00%

Function 00418DAE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00418DB5

Part of subcall function 00416DF8: GetWindowLongA.USER32(?,000000F0), ref: 00416E14

Part of subcall function 00415BEA: IsWindow.USER32(?), ref: 00415BF2

Strings

this->IsDropdownCombo() || !this->IsValid(), xrefs: 00418E02
.\wincontrols_win32.cpp, xrefs: 00418DFD

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Window$H_prolog3Long
String ID: .\wincontrols_win32.cpp$this->IsDropdownCombo() || !this->IsValid()
API String ID: 458961026-617686455
Opcode ID: f4d6ae5490a2f48b42efabb12845250461534bd0870431161a9ee71a791b1cba
Instruction ID: 887848bd20cc79c079610d29c35fc4aef1cb261a74022fb1fa0c2bb3a2794a30
Opcode Fuzzy Hash: f4d6ae5490a2f48b42efabb12845250461534bd0870431161a9ee71a791b1cba
Instruction Fuzzy Hash: 46F0A770750710A7DB107B654C03BAE2554EB14B09F10445FBD45EA2C3EBBC895587DD

Uniqueness

Uniqueness Score: -1.00%

Function 00418355 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 004129C0: QueryPerformanceCounter.KERNEL32(000001FF,?,?,?,?,?,0041B13D,?,?,E5C332AE,?,000001FF,00000000), ref: 004129D4
Part of subcall function 004129C0: QueryPerformanceFrequency.KERNEL32(000001FF,?,?,?,?,?,0041B13D,?,?,E5C332AE,?,000001FF,00000000), ref: 004129FC

__aulldiv.LIBCMT ref: 00418377
__aulldiv.LIBCMT ref: 00418384

Strings

VA, xrefs: 0041835F, 00418381, 00418362

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: PerformanceQuery__aulldiv$CounterFrequency
String ID: VA
API String ID: 2548561793-151723848
Opcode ID: cc000d6f4c94e8004c9742b3284f8298f2840b86cf8eb1eed813d4731a607f6b
Instruction ID: e21ceccbcfd6fcc39170a0356c29aeab73579520dc8d93c8c611a2b1e290338c
Opcode Fuzzy Hash: cc000d6f4c94e8004c9742b3284f8298f2840b86cf8eb1eed813d4731a607f6b
Instruction Fuzzy Hash: 8DF06D71800208AFDB05EBA4EC81ABD77B9EB44744F10812EF950912E0EAB165D18B8E

Uniqueness

Uniqueness Score: -1.00%

Function 00415B81 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0041B3FE: __EH_prolog3.LIBCMT ref: 0041B420
Part of subcall function 0041B3FE: _memset.LIBCMT ref: 0041B468
Part of subcall function 0041B3FE: GetLastError.KERNEL32 ref: 0041B519
Part of subcall function 0041B3FE: __snprintf.LIBCMT ref: 0041B550

GetClientRect.USER32(?,?), ref: 00415BC0

Strings

this->hWnd!=HWND_DESKTOP, xrefs: 00415BAE
.\windows_win32.cpp, xrefs: 00415BA9

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ClientErrorH_prolog3LastRect__snprintf_memset
String ID: .\windows_win32.cpp$this->hWnd!=HWND_DESKTOP
API String ID: 969043446-2563372510
Opcode ID: 976550b0a3e4a178ef1c4f2834ac872f2541c1ea7028aac44b7641d8eb6481bd
Instruction ID: 025481d2a7e9808e259cd60c88ddfe40909d3fcc99e14aec116c9271440f21d7
Opcode Fuzzy Hash: 976550b0a3e4a178ef1c4f2834ac872f2541c1ea7028aac44b7641d8eb6481bd
Instruction Fuzzy Hash: 01E0ED32300210BF83049EA8DC0B887B6A9EB98712300843EBE59E6122C2A4981086A9

Uniqueness

Uniqueness Score: -1.00%

Function 00417A18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 0041869D: GetClassNameA.USER32(?,?,00000040), ref: 004186BD
Part of subcall function 0041869D: GetWindowLongA.USER32(?,000000F0), ref: 004186E5

GetWindowLongA.USER32(?,000000F0), ref: 00417A3B
GetWindowLongA.USER32(?,000000F0), ref: 00417A48

Strings

Static, xrefs: 00417A20

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: LongWindow$ClassName
String ID: Static
API String ID: 2384183922-2272013587
Opcode ID: e233ce5d8f8a15394ce7ff8d99b2f9313c03dc906f251a2a23e549436ce4d05b
Instruction ID: a43ef6960d3170daf30719b739c7fc1cd119acb5474f4ea2635e9069f5724a70
Opcode Fuzzy Hash: e233ce5d8f8a15394ce7ff8d99b2f9313c03dc906f251a2a23e549436ce4d05b
Instruction Fuzzy Hash: 2AE026321AC165294D30612CAC01EDF33608EC67713710737F5B6A02F9CD08F882951C

Uniqueness

Uniqueness Score: -1.00%

Function 0041330A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 0041332C

Strings

RAISETHREADPRIORITY::~RAISETHREADPRIORITY done (rc= %d), xrefs: 00413335
RAISETHREADPRIORITY::~RAISETHREADPRIORITY (RaiseOk=%d), xrefs: 00413313

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: PriorityThread
String ID: RAISETHREADPRIORITY::~RAISETHREADPRIORITY (RaiseOk=%d)$RAISETHREADPRIORITY::~RAISETHREADPRIORITY done (rc= %d)
API String ID: 2383925036-4194352917
Opcode ID: 8c93c91d8462ae0d6a36f231989b82bfcad091c07f534b0413c7bb0265035d53
Instruction ID: b1e00254eb3f344c4727e7bd0547b4e2165bed2133df6aedb6cc0755deb3b3cf
Opcode Fuzzy Hash: 8c93c91d8462ae0d6a36f231989b82bfcad091c07f534b0413c7bb0265035d53
Instruction Fuzzy Hash: 76E026369002006AE2201B22FC06E83BEA0DBD8B26B21002BFC2C45163D5A258E48195

Uniqueness

Uniqueness Score: -1.00%

Function 004135AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20registryCOMMON

Download Yara Rule

APIs

SHDeleteKeyA.SHLWAPI(?,00000000,004545D8,00408597,00000000,Uninstall,Software\Microsoft\Windows\CurrentVersion\,00000000,?,?,00000000,004545D8,00000000,?,?,?), ref: 004135BC
RegDeleteKeyA.ADVAPI32(?,00000000), ref: 004135C4

Strings

REGISTRY::delete key= %s, error=%d, xrefs: 004135D1

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: Delete
String ID: REGISTRY::delete key= %s, error=%d
API String ID: 1035893169-3788822745
Opcode ID: 3166f8ab35b52bd929bbac0df5da9755785291853a0cbe2fcbcdf2b2169059ef
Instruction ID: bf62c594206353d555b9b3c759e3fcd7f5746d59b85c89eca69ce35448d335ba
Opcode Fuzzy Hash: 3166f8ab35b52bd929bbac0df5da9755785291853a0cbe2fcbcdf2b2169059ef
Instruction Fuzzy Hash: EAE0CD36404321BBD7113B60DC09B97BED5EF40B5EF158416F948551A1D33588E1D796

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Part of subcall function 00411530: __EH_prolog3.LIBCMT ref: 00411537
Part of subcall function 00411530: _memset.LIBCMT ref: 00411552
Part of subcall function 00411530: _strlen.LIBCMT ref: 00411589

ShellExecuteA.SHELL32(00000000,open,?,00000000,00000005,zoc.exe), ref: 0040C5E3

Strings

zoc.exe, xrefs: 0040C5BC
open, xrefs: 0040C5DC

Memory Dump Source

Source File: 00000002.00000002.3263781494.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3263763134.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263831618.0000000000454000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000046C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000475000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000477000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.0000000000487000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263855967.000000000048D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3263964809.0000000000494000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_setup.jbxd

Similarity

API ID: ExecuteH_prolog3Shell_memset_strlen
String ID: open$zoc.exe
API String ID: 1455039864-3129284307
Opcode ID: 8c5e15b32bf773a92d4153c84086ffc7a458631a1fc6c3ba9b0427da34bb95cd
Instruction ID: 44d4d8759259aea2219f891c50671c7f25948123ec57221989b84ec0938ff09a
Opcode Fuzzy Hash: 8c5e15b32bf773a92d4153c84086ffc7a458631a1fc6c3ba9b0427da34bb95cd
Instruction Fuzzy Hash: 31E01230590309BACF047B91EC07F8C7A75AB54B4EF540075F601361E276E4645A9B8D

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Tactics:	Initial Access
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\ZOC5\Develop.txt

C:\Program Files (x86)\ZOC5\Features.txt

C:\Program Files (x86)\ZOC5\Problems.txt

C:\Program Files (x86)\ZOC5\Readme.txt

C:\Program Files (x86)\ZOC5\Register.txt

C:\Program Files (x86)\ZOC5\RxREXX.dll

C:\Program Files (x86)\ZOC5\Setup.exe

C:\Program Files (x86)\ZOC5\SetupEnglish.Dll

C:\Program Files (x86)\ZOC5\SetupGerman.Dll

C:\Program Files (x86)\ZOC5\Versions.txt

C:\Program Files (x86)\ZOC5\ZOC.chm

C:\Program Files (x86)\ZOC5\ZOC.cnt

C:\Program Files (x86)\ZOC5\admin$$$.ini

C:\Program Files (x86)\ZOC5\admin.ini

C:\Program Files (x86)\ZOC5\admin_sample.ini

C:\Program Files (x86)\ZOC5\devisdn2.dll

C:\Program Files (x86)\ZOC5\devmodem.dll

C:\Program Files (x86)\ZOC5\devnpipe.dll

C:\Program Files (x86)\ZOC5\devrcmd.dll

C:\Program Files (x86)\ZOC5\devssh.dll

C:\Program Files (x86)\ZOC5\devtapi.dll

Windows Analysis Report
SecuriteInfo.com.suspected.of.Win32.PhishingPE.Heur.10337.17085.exe