Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
Analysis ID: 1417372
MD5: 3eaa0fb10cc609ba960bb9bc9f503b81
SHA1: 4b20bfb6751fc27c6fee082436cbd3964961569a
SHA256: 8ceb160dd7b7001c380cd0db545a20fd5db3095dba35547018209e00081f75b4
Tags: exe
Infos:

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: Use Short Name Path in Command Line
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe" MD5: 3EAA0FB10CC609BA960BB9BC9F503B81)
    • setup.exe (PID: 7304 cmdline: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe /Cmd C:\Users\user\Desktop\SECURI~1.EXE "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe" MD5: 3B81D4123064A71453E6CB120A695C8E)
      • EacCleaner.exe (PID: 7312 cmdline: C:\Users\user\AppData\Local\Temp\EAC309~1\Eaccleaner.exe -d MD5: E59296FBD02590C3B596C45E4F0FB1C6)
      • EacCleaner.exe (PID: 7344 cmdline: C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\Eaccleaner.exe MD5: E59296FBD02590C3B596C45E4F0FB1C6)
  • LogonUI.exe (PID: 7696 cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa3f4f855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • cleanup
No configs have been found
No yara matches
Source: Process started, Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe /Cmd C:\Users\user\Desktop\SECURI~1.EXE "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe", CommandLine: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe /Cmd C:\Users\user\Desktop\SECURI~1.EXE "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe", CommandLine|base64offset|contains: ), Image: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, ParentProcessId: 7272, ParentProcessName: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe /Cmd C:\Users\user\Desktop\SECURI~1.EXE "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe", ProcessId: 7304, ProcessName: setup.exe
Source: Process started, Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Users\user\AppData\Local\Temp\EAC309~1\Eaccleaner.exe -d, CommandLine: C:\Users\user\AppData\Local\Temp\EAC309~1\Eaccleaner.exe -d, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe /Cmd C:\Users\user\Desktop\SECURI~1.EXE "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe", ParentImage: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe, ParentProcessId: 7304, ParentProcessName: setup.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\EAC309~1\Eaccleaner.exe -d, ProcessId: 7312, ProcessName: EacCleaner.exe
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, Avira: detected
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\sfx.exe, ReversingLabs: Detection: 15%
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\sfx.exe, Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\sfx.exe, ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\sfx.exe, Virustotal: Detection: 20%
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, Virustotal: Detection: 70%
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10003710 lstrcmpiA,CreateFileA,GetLastError,GetLastError,ImageEnumerateCertificates,GetLastError,ImageGetCertificateHeader,GetLastError,ImageGetCertificateData,GetLastError,CryptVerifyMessageSignature,GetLastError,CertGetNameStringA,CertGetNameStringA,_memset,CertGetNameStringA,lstrcmpA,CertFreeCertificateContext,CloseHandle,2_2_10003710
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: c:\eaccleandrv\objfre_wxp_x86\i386\ListOpenedFileDrv.pdbp source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\eaccleandrv\objfre_wlh_x86\i386\ListOpenedFileDrv.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: g:\svn\vclnr_trunk\src\vclnr_dll\Release\vclnr.pdb, source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\work\adsoft_setup\setup\Release\setup.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000000.1628661608.0000000000418000.00000002.00000001.01000000.00000004.sdmp, setup.exe, 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: c:\Documents and Settings\ThomasP\Desktop\CustomCleanerProject\CustomCleaner20100310\ManualCustomCleaner\Release\EacCleaner.pdb$pB source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000000.1630351044.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000003.00000000.1634531650.000000000041E000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: c:\eaccleandrv\objfre_wxp_x86\i386\ListOpenedFileDrv.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: g:\svn\vclnr_trunk\src\vclnr_dll\Release\vclnr.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\work\adsoft_setup\sfx\sfx_Release\sfx.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000000.1610035686.0000000000415000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\ThomasP\Desktop\CustomCleanerProject\CustomCleaner20100310\ManualCustomCleaner\Release\EacCleaner.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000000.1630351044.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000003.00000000.1634531650.000000000041E000.00000002.00000001.01000000.00000008.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exeCode function: 0_2_004027E8 _memset,_memset,_memset,lstrlenA,lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,GetTickCount,GetFileAttributesA,lstrcmpA,lstrcmpA,wsprintfA,DeleteFileA,GetTickCount,GetFileAttributesA,GetTickCount,Sleep,GetFileAttributesA,FindNextFileA,FindClose,RemoveDirectoryA,GetTickCount,GetFileAttributesA,GetTickCount,Sleep,GetFileAttributesA,0_2_004027E8
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exeCode function: 1_2_0040355D _memset,FindFirstFileA,FindClose,FileTimeToSystemTime,1_2_0040355D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exeCode function: 1_2_004033CA _memset,_memset,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,FindFirstFileA,FindFirstFileA,FindClose,FindClose,FindFirstFileA,FindClose,CompareFileTime,1_2_004033CA
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exeCode function: 1_2_00407831 _memset,_memset,_memset,lstrlenA,GetFileAttributesA,lstrcpyA,PathAddBackslashA,lstrcatA,FindFirstFileA,FindNextFileA,Sleep,lstrcmpA,lstrcmpA,wsprintfA,DeleteFileA,GetTickCount,GetFileAttributesA,GetTickCount,Sleep,GetFileAttributesA,FindNextFileA,FindClose,Sleep,RemoveDirectoryA,RemoveDirectoryA,Sleep,RemoveDirectoryA,GetTickCount,GetTickCount,Sleep,GetFileAttributesA,GetTickCount,Sleep,1_2_00407831
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_0040EBA0 PathFileExistsA,FindFirstFileA,FindNextFileA,DeleteFileA,GetFileAttributesA,DeleteFileA,FindNextFileA,2_2_0040EBA0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100452C0 _memset,FindFirstFileA,FindClose,PathRemoveFileSpecA,CopyFileA,2_2_100452C0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100432E0 _memset,lstrcpynA,lstrcpynA,PathFindFileNameA,_memset,lstrcpynA,PathRemoveFileSpecA,_memset,lstrcpynA,PathAddBackslashA,PathAddBackslashA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,_memset,lstrcpynA,PathAddBackslashA,GetFileAttributesA,PathAddBackslashA,FindNextFileA,FindClose,2_2_100432E0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_1008F310 FindFirstFileA,lstrcpynA,PathFileExistsA,PathFindExtensionA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,_memset,GetShortPathNameA,2_2_1008F310
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100453F0 _memset,_memset,lstrcpynA,lstrcpynA,StrRChrIA,FindFirstFileA,FindFirstFileA,FindFirstFileA,lstrcpynA,PathAddBackslashA,StrChrA,GetFileAttributesA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,SetFileAttributesA,_memset,lstrcpynA,PathRemoveFileSpecA,FindNextFileA,FindClose,2_2_100453F0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100458D0 _memset,lstrcpynA,lstrcpynA,PathFindFileNameA,_memset,lstrcpynA,PathRemoveFileSpecA,_memset,lstrcpynA,PathAddBackslashA,PathAddBackslashA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,_memset,lstrcpynA,PathAddBackslashA,StrChrA,GetFileAttributesA,PathAddBackslashA,FindNextFileA,FindClose,2_2_100458D0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10041930 FindFirstFileA,lstrcpynA,lstrlenA,_memset,lstrcmpiA,2_2_10041930
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10043A30 _memset,lstrcpynA,PathAddBackslashA,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,_memset,lstrcpynA,PathAddBackslashA,GetFileAttributesA,_memset,lstrcpynA,PathAddBackslashA,_memset,lstrcpynA,FindNextFileA,FindClose,2_2_10043A30
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10041B00 GetFileAttributesA,CreateFileA,GetFileSize,CloseHandle,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindClose,2_2_10041B00
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10041C80 _memset,PathRemoveFileSpecA,FindFirstFileA,FindFirstFileA,FindFirstFileA,lstrcmpiA,PathAddBackslashA,PathAddBackslashA,FindNextFileA,FindNextFileA,lstrcmpiA,PathAddBackslashA,FindNextFileA,FindClose,2_2_10041C80
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_1008FF00 _memset,FindFirstFileA,2_2_1008FF00
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100460A0 SetErrorMode,FindFirstFileA,lstrcmpiA,lstrcmpiA,StrChrIA,FindNextFileA,SetErrorMode,FindClose,2_2_100460A0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10042260 FindFirstFileA,lstrcpynA,CreateFileA,GetFileSize,CloseHandle,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindClose,2_2_10042260
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100423F0 FindFirstFileA,lstrcpynA,lstrlenA,CreateFileA,CreateFileA,CreateFileA,CreateFileMappingA,MapViewOfFile,GetFileSize,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,2_2_100423F0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_1008E470 _memset,FindFirstFileA,2_2_1008E470
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_1008E6C0 _memset,FindFirstFileA,2_2_1008E6C0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10042700 _memset,_memset,_memset,_memset,PathRemoveFileSpecA,PathRemoveFileSpecA,PathFindFileNameA,PathRemoveFileSpecA,PathFileExistsA,PathAppendA,FindFirstFileA,FindFirstFileA,FindFirstFileA,_memset,_memset,PathAddBackslashA,PathAddBackslashA,StrChrIA,_memset,PathAddBackslashA,_memset,PathAddBackslashA,PathAppendA,GetFileAttributesA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,_memset,PathAppendA,PathMatchSpecA,FindNextFileA,FindClose,2_2_10042700
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10044970 GetFileAttributesA,_memset,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,GetFileAttributesA,PathAddBackslashA,FindNextFileA,FindClose,2_2_10044970
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10042EF0 _memset,_memset,lstrcpynA,StrRChrIA,FindFirstFileA,FindFirstFileA,FindFirstFileA,lstrcpynA,PathAddBackslashA,GetFileAttributesA,FindNextFileA,lstrcpynA,PathAddBackslashA,GetFileAttributesA,FindNextFileA,FindClose,2_2_10042EF0
Source: EacCleaner.exe, 00000002.00000002.1631577343.00000000006FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.eacceleration.com
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1633209038.000000000076E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp, EacCleaner.exe, 00000002.00000002.1631577343.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1637918782.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.eacceleration.com0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10047760: _memset,_memset,DeviceIoControl,_memset,_memset,2_2_10047760
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100475D0 CloseHandle,OpenSCManagerA,OpenServiceA,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_100475D0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exeCode function: 1_2_0040305A GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_0040305A
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_0040EA50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,2_2_0040EA50
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe, File deleted: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: String function: 100A6B44 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: String function: 10083CD0 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: String function: 004106DC appears 39 times
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: String function: 100722A0 appears 123 times
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: String function: 0040B2D0 appears 45 times
Source: vclnr.dll.0.dr Static PE information: Resource name: BINARY type: PE32 executable (native) Intel 80386, for MS Windows
Source: vclnr.dll.0.dr Static PE information: Resource name: BINARY type: PE32 executable (native) Intel 80386, for MS Windows
Source: vclnr.dll.1.dr Static PE information: Resource name: BINARY type: PE32 executable (native) Intel 80386, for MS Windows
Source: vclnr.dll.1.dr Static PE information: Resource name: BINARY type: PE32 executable (native) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesetup.exe-uninst_<>.exe` vs SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesfx.exe* vs SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevCleaner.dll2 vs SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesfx.exe* vs SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: vclnr.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: vclnr.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: winsta.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.logon.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wincorlib.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xamlhost.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: mrmcorer.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: inputhost.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: propsys.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: languageoverlayutil.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xaml.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: profapi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: netutils.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.globalization.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.blockedshutdown.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: directmanipulation.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xaml.controls.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: threadpoolwinrt.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.applicationmodel.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.graphics.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wldp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wuceffects.dll
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal76.evad.winEXE@8/18@0/0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_0040305A GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_0040305A
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_0040EA50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,2_2_0040EA50
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_0040D050 CoCreateInstance,2_2_0040D050
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_0040D0D0 FindResourceA,FindResourceA,FindResourceA,LoadResource,LockResource,LoadResource,LockResource,LoadResource,LockResource,DialogBoxIndirectParamA,GetLastError,GlobalHandle,GlobalFree,GetLastError,SetLastError,2_2_0040D0D0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe File created: C:\Program Files (x86)\Acceleration Software
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe File created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Command line argument: /InstallerId (code function 0_2_00402129)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Command line argument: /Cmd_Extract (code function 0_2_00402129)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Command line argument: -we (code function 0_2_00402129)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Command line argument: ExecSetup (code function 0_2_00402129)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Command line argument: eAcceleration (code function 0_2_00402129)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Command line argument: DelFolder (code function 0_2_00402129)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: ENU (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Msg (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Text (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: ENU (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Title (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Text (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Uninstall (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: ENU (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: EndMsg (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Text (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: ENU (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: EndTitle (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Text (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: ENU (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: EndMsgReboot (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Text (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: ENU (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: EndTitleReboot (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Text (code function 2_2_00409AC0)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: done. (code function 2_2_00409AC0)
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe File read: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Virustotal: Detection: 70%
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe String found in binary or memory: /InstallerId
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Process created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe /Cmd C:\Users\user\Desktop\SECURI~1.EXE "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe"
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Process created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe C:\Users\user\AppData\Local\Temp\EAC309~1\Eaccleaner.exe -d
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Process created: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\Eaccleaner.exe
Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa3f4f855 /state1:0x41c64e6d
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000507-0000-0010-8000-00AA006D2EA4}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe File written: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.ini
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\eaccleandrv\objfre_wxp_x86\i386\ListOpenedFileDrv.pdbp source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\eaccleandrv\objfre_wlh_x86\i386\ListOpenedFileDrv.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: g:\svn\vclnr_trunk\src\vclnr_dll\Release\vclnr.pdb, source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\work\adsoft_setup\setup\Release\setup.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000000.1628661608.0000000000418000.00000002.00000001.01000000.00000004.sdmp, setup.exe, 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: c:\Documents and Settings\ThomasP\Desktop\CustomCleanerProject\CustomCleaner20100310\ManualCustomCleaner\Release\EacCleaner.pdb$pB source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000000.1630351044.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000003.00000000.1634531650.000000000041E000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: c:\eaccleandrv\objfre_wxp_x86\i386\ListOpenedFileDrv.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: g:\svn\vclnr_trunk\src\vclnr_dll\Release\vclnr.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\work\adsoft_setup\sfx\sfx_Release\sfx.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000000.1610035686.0000000000415000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\ThomasP\Desktop\CustomCleanerProject\CustomCleaner20100310\ManualCustomCleaner\Release\EacCleaner.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000000.1630351044.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000003.00000000.1634531650.000000000041E000.00000002.00000001.01000000.00000008.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_00401317 _memset,lstrcpyA,lstrcpyA,GetFileAttributesA,GetFileAttributesA,lstrcpyA,GetFileAttributesA,LoadLibraryA,GetProcAddress,FreeLibrary,0_2_00401317
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Static PE information: real checksum: 0x257d3 should be: 0xf25f6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_0040E0B5 push ecx; ret 0_2_0040E0C8
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00409029 push ecx; ret 1_2_0040903C
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_0040B315 push ecx; ret 1_2_0040B328
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_00410E8B push ecx; ret 2_2_00410E9E
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_00410721 push ecx; ret 2_2_00410734
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100A6B89 push ecx; ret 2_2_100A6B9C
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100A6FA3 push ecx; ret 2_2_100A6FB6
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe File created: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\setup.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe File created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe File created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe File created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\vclnr.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe File created: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\vclnr.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe File created: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe File created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\sfx.exe
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe File created: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\sfx.exe
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_004030E2 _memset,_memset,GetPrivateProfileStringA,GetPrivateProfileStringA,lstrcmpiA,lstrcmpiA,GetCommandLineA,GetPrivateProfileStringA,lstrcmpiA,1_2_004030E2
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00402131 StrStrIA,_memset,_memset,_memset,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,lstrlenA,lstrlenA,lstrcmpiA,GetTempPathA,lstrlenA,PathAddBackslashA,PathAddBackslashA,PathAddBackslashA,GetShortPathNameA,1_2_00402131
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_004065FA _memset,_memset,_memset,_memset,_memset,GetPrivateProfileIntA,GetPrivateProfileStringA,lstrcmpA,1_2_004065FA
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00403256 _memset,_memset,GetPrivateProfileStringA,GetPrivateProfileStringA,lstrcmpiA,lstrcmpiA,GetCommandLineA,GetPrivateProfileStringA,lstrcmpiA,1_2_00403256
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00406F3D __EH_prolog3,_memset,_memset,_memset,_memset,CreateMutexA,WaitForSingleObject,_memset,GetPrivateProfileStringA,_memset,MessageBoxA,ReleaseMutex,CloseHandle,_memset,PathAppendA,DeleteFileA,1_2_00406F3D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_004067B1 _memset,_memset,_memset,_memset,_memset,_memset,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,lstrcmpA,lstrcmpA,lstrcmpiA,1_2_004067B1
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_0040185D GetPrivateProfileStringA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,_memset,StrStrIA,lstrlenA,_memset,StrStrIA,_memset,_memset,lstrlenA,lstrlenA,StrStrIA,StrStrIA,lstrlenA,StrToIntA,lstrlenA,SHSetValueA,SHDeleteValueA,SHDeleteKeyA,1_2_0040185D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_004048AA LoadStringA,_memset,_memset,_memset,_memset,_memset,_memset,GetModuleHandleA,GetModuleFileNameA,PathRemoveFileSpecA,SetCurrentDirectoryA,PathAddBackslashA,GetPrivateProfileStringA,lstrcmpA,lstrlenA,PathQuoteSpacesA,PathAddBackslashA,GetTempPathA,PathFindFileNameA,CopyFileA,CopyFileA,PathRemoveExtensionA,CopyFileA,GetFileAttributesA,PathQuoteSpacesA,1_2_004048AA
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00403982 lstrcmpiA,_memset,_memset,_memset,_memset,_memset,GetModuleHandleA,GetModuleFileNameA,PathRemoveFileSpecA,PathAddBackslashA,GetPrivateProfileStringA,lstrcmpA,lstrlenA,PathQuoteSpacesA,SHDeleteKeyA,1_2_00403982
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_004016E1 lstrlenA,StrStrIA,_memset,_memset,_memset,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,SHGetValueA,lstrlenA,PathAddBackslashA,PathAddBackslashA,PathAddBackslashA,PathRemoveBackslashA,1_2_004016E1
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00403B54 _memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,GetPrivateProfileIntA,GetPrivateProfileStringA,lstrcmpA,StrStrIA,StrStrIA,GetPrivateProfileStringA,lstrcmpA,PathFindFileNameA,GetPrivateProfileStringA,lstrcmpA,lstrlenA,GetPrivateProfileStringA,GetPrivateProfileStringA,StrStrIA,GetPrivateProfileIntA,DeleteFileA,StrStrIA,PathRemoveArgsA,GetFileAttributesA,1_2_00403B54
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00403FE1 _memset,_memset,_memset,_memset,_memset,_memset,_memset,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileStringA,lstrcmpA,PathUnquoteSpacesA,PathAddBackslashA,PathRemoveBackslashA,GetFileAttributesA,lstrlenA,StrStrIA,RemoveDirectoryA,GetFileAttributesA,DeleteFileA,1_2_00403FE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\LogonUI.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exeCode function: _memset,GetModuleHandleA,GetModuleFileNameA,PathFindFileNameA,StrStrIA,_memset,_memset,LoadStringA,LoadStringA,LoadStringA,MessageBoxA,1_2_00404DD8
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: #17,StrStrIA,StrStrIA,_memset,_memset,_memset,_memset,vClnr_initData,EndDialog,IsWindow,Sleep,CloseHandle,vClnr_getText,vClnr_getText,GetActiveWindow,vClnr_cleanType,vClnr_getText,vClnr_getText,vClnr_getText,vClnr_getText,vClnr_unitData,GetModuleFileNameA,PathRemoveFileSpecA,PathAddBackslashA,lstrcatA,PathFileExistsA,lstrlenA,LoadStringA,LoadStringA,lstrlenA,LoadStringA,GetActiveWindow,GetActiveWindow,PathFileExistsA,lstrlenA,lstrlenA,LoadStringA,LoadStringA,lstrlenA,LoadStringA,GetActiveWindow,GetActiveWindow,2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10080440
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10080660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\sfx.exe
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\sfx.exe
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_2-65662)
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe API coverage: 2.1 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exeCode function: 0_2_004027E8 _memset,_memset,_memset,lstrlenA,lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,GetTickCount,GetFileAttributesA,lstrcmpA,lstrcmpA,wsprintfA,DeleteFileA,GetTickCount,GetFileAttributesA,GetTickCount,Sleep,GetFileAttributesA,FindNextFileA,FindClose,RemoveDirectoryA,GetTickCount,GetFileAttributesA,GetTickCount,Sleep,GetFileAttributesA,0_2_004027E8
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exeCode function: 1_2_0040355D _memset,FindFirstFileA,FindClose,FileTimeToSystemTime,1_2_0040355D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exeCode function: 1_2_004033CA _memset,_memset,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,FindFirstFileA,FindFirstFileA,FindClose,FindClose,FindFirstFileA,FindClose,CompareFileTime,1_2_004033CA
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exeCode function: 1_2_00407831 _memset,_memset,_memset,lstrlenA,GetFileAttributesA,lstrcpyA,PathAddBackslashA,lstrcatA,FindFirstFileA,FindNextFileA,Sleep,lstrcmpA,lstrcmpA,wsprintfA,DeleteFileA,GetTickCount,GetFileAttributesA,GetTickCount,Sleep,GetFileAttributesA,FindNextFileA,FindClose,Sleep,RemoveDirectoryA,RemoveDirectoryA,Sleep,RemoveDirectoryA,GetTickCount,GetTickCount,Sleep,GetFileAttributesA,GetTickCount,Sleep,1_2_00407831
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_0040EBA0 PathFileExistsA,FindFirstFileA,FindNextFileA,DeleteFileA,GetFileAttributesA,DeleteFileA,FindNextFileA,2_2_0040EBA0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100452C0 _memset,FindFirstFileA,FindClose,PathRemoveFileSpecA,CopyFileA,2_2_100452C0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100432E0 _memset,lstrcpynA,lstrcpynA,PathFindFileNameA,_memset,lstrcpynA,PathRemoveFileSpecA,_memset,lstrcpynA,PathAddBackslashA,PathAddBackslashA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,_memset,lstrcpynA,PathAddBackslashA,GetFileAttributesA,PathAddBackslashA,FindNextFileA,FindClose,2_2_100432E0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_1008F310 FindFirstFileA,lstrcpynA,PathFileExistsA,PathFindExtensionA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,_memset,GetShortPathNameA,2_2_1008F310
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100453F0 _memset,_memset,lstrcpynA,lstrcpynA,StrRChrIA,FindFirstFileA,FindFirstFileA,FindFirstFileA,lstrcpynA,PathAddBackslashA,StrChrA,GetFileAttributesA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,SetFileAttributesA,_memset,lstrcpynA,PathRemoveFileSpecA,FindNextFileA,FindClose,2_2_100453F0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100458D0 _memset,lstrcpynA,lstrcpynA,PathFindFileNameA,_memset,lstrcpynA,PathRemoveFileSpecA,_memset,lstrcpynA,PathAddBackslashA,PathAddBackslashA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,_memset,lstrcpynA,PathAddBackslashA,StrChrA,GetFileAttributesA,PathAddBackslashA,FindNextFileA,FindClose,2_2_100458D0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10041930 FindFirstFileA,lstrcpynA,lstrlenA,_memset,lstrcmpiA,2_2_10041930
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10043A30 _memset,lstrcpynA,PathAddBackslashA,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,_memset,lstrcpynA,PathAddBackslashA,GetFileAttributesA,_memset,lstrcpynA,PathAddBackslashA,_memset,lstrcpynA,FindNextFileA,FindClose,2_2_10043A30
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10041B00 GetFileAttributesA,CreateFileA,GetFileSize,CloseHandle,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindClose,2_2_10041B00
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10041C80 _memset,PathRemoveFileSpecA,FindFirstFileA,FindFirstFileA,FindFirstFileA,lstrcmpiA,PathAddBackslashA,PathAddBackslashA,FindNextFileA,FindNextFileA,lstrcmpiA,PathAddBackslashA,FindNextFileA,FindClose,2_2_10041C80
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_1008FF00 _memset,FindFirstFileA,2_2_1008FF00
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100460A0 SetErrorMode,FindFirstFileA,lstrcmpiA,lstrcmpiA,StrChrIA,FindNextFileA,SetErrorMode,FindClose,2_2_100460A0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10042260 FindFirstFileA,lstrcpynA,CreateFileA,GetFileSize,CloseHandle,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindClose,2_2_10042260
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100423F0 FindFirstFileA,lstrcpynA,lstrlenA,CreateFileA,CreateFileA,CreateFileA,CreateFileMappingA,MapViewOfFile,GetFileSize,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,2_2_100423F0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_1008E470 _memset,FindFirstFileA,2_2_1008E470
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_1008E6C0 _memset,FindFirstFileA,2_2_1008E6C0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10042700 _memset,_memset,_memset,_memset,PathRemoveFileSpecA,PathRemoveFileSpecA,PathFindFileNameA,PathRemoveFileSpecA,PathFileExistsA,PathAppendA,FindFirstFileA,FindFirstFileA,FindFirstFileA,_memset,_memset,PathAddBackslashA,PathAddBackslashA,StrChrIA,_memset,PathAddBackslashA,_memset,PathAddBackslashA,PathAppendA,GetFileAttributesA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,_memset,PathAppendA,PathMatchSpecA,FindNextFileA,FindClose,2_2_10042700
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10044970 GetFileAttributesA,_memset,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,GetFileAttributesA,PathAddBackslashA,FindNextFileA,FindClose,2_2_10044970
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_10042EF0 _memset,_memset,lstrcpynA,StrRChrIA,FindFirstFileA,FindFirstFileA,FindFirstFileA,lstrcpynA,PathAddBackslashA,GetFileAttributesA,FindNextFileA,lstrcpynA,PathAddBackslashA,GetFileAttributesA,FindNextFileA,FindClose,2_2_10042EF0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_0040F6A2 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,2_2_0040F6A2
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V VHDPMEM BTT Filter
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Storage Accelerator
Source: EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdown
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Generation Counter
Source: EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicvss
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Virtual PCI Bus
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Guest Infrastructure Driver
Source: EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware VMCI Bus Driver
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
Source: EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exeCode function: 0_2_0040DED0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040DED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exeCode function: 0_2_00401317 _memset,lstrcpyA,lstrcpyA,GetFileAttributesA,GetFileAttributesA,lstrcpyA,GetFileAttributesA,LoadLibraryA,GetProcAddress,FreeLibrary,0_2_00401317
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exeCode function: 0_2_0040CBB5 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,0_2_0040CBB5
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exeCode function: 0_2_00414027 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00414027
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exeCode function: 0_2_004114FE SetUnhandledExceptionFilter,0_2_004114FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exeCode function: 0_2_0040C69A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040C69A
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exeCode function: 1_2_0040803D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0040803D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exeCode function: 1_2_004115E0 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_004115E0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exeCode function: 1_2_004083DE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_004083DE
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exeCode function: 1_2_0040E79D SetUnhandledExceptionFilter,1_2_0040E79D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_00414104 SetUnhandledExceptionFilter,2_2_00414104
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_00418E8A _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00418E8A
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_0040F693 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0040F693
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_00410FAD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00410FAD
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100A96A6 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_100A96A6
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100A2DE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_100A2DE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Process created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe /Cmd C:\Users\user\Desktop\SECURI~1.EXE "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe"
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Process created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe C:\Users\user\AppData\Local\Temp\EAC309~1\Eaccleaner.exe -d
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Process created: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\Eaccleaner.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exeCode function: 0_2_00412C4D cpuid 0_2_00412C4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exeCode function: GetLocaleInfoA,0_2_004133B0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,1_2_00413634
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exeCode function: GetLocaleInfoA,1_2_00411FD4
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: GetLocaleInfoA,2_2_0041CAE1
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,2_2_0040F2E5
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,2_2_100A15B7
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,2_2_100C1722
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,2_2_100C185D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,2_2_100C1898
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,2_2_100AF9A8
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,2_2_100C19D5
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: GetLocaleInfoA,2_2_100B41D3
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: GetLocaleInfoA,2_2_100B658D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,2_2_100B4721
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,2_2_100B6777
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,2_2_100B6A32
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,2_2_100B6A97
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,2_2_100B6AD3
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,2_2_100B4DB0
Source: C:\Windows\System32\LogonUI.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\LogonUI.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\System32\LogonUI.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exeCode function: 0_2_0040140E _memset,_memset,GetTempPathA,GetSystemTimeAsFileTime,GetSystemTimeAsFileTime,GetFileAttributesA,Sleep,GetSystemTimeAsFileTime,GetFileAttributesA,0_2_0040140E
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exeCode function: 2_2_100C2CB1 __lock,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,2_2_100C2CB1
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 1 Windows Service | 1 Access Token Manipulation | LSASS Memory | 331 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Native API | Logon Script (Windows) | 11 Process Injection | 11 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 35 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph ID: 1417372; Sample: SecuriteInfo.com.Trojan.Mul...; Startdate: 29/03/2024; Architecture: WINDOWS; Score: 76
Processes in the graph: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe started setup.exe, which started two EacCleaner.exe instances; LogonUI.exe was also started.

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe | 60% | ReversingLabs | Win32.Adware.RedCap |
SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe | 71% | Virustotal | | Browse
SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe | 100% | Avira | HEUR/AGEN.1307634 |
SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe | 0% | Virustotal | | Browse
C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\setup.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\setup.exe | 0% | Virustotal | | Browse
C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\sfx.exe | 16% | ReversingLabs | |
C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\sfx.exe | 21% | Virustotal | | Browse
C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\vclnr.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\vclnr.dll | 1% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\sfx.exe | 16% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\sfx.exe | 21% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\vclnr.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\vclnr.dll | 1% | Virustotal | | Browse
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.eacceleration.com | 0% | Avira URL Cloud | safe |
http://www.eacceleration.com0 | 0% | Avira URL Cloud | safe |
http://www.eacceleration.com | 1% | Virustotal | | Browse
No contacted domains info
Name: http://www.eacceleration.com0
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1633209038.000000000076E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp, EacCleaner.exe, 00000002.00000002.1631577343.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1637918782.000000000059C000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://www.eacceleration.com
Source: EacCleaner.exe, 00000002.00000002.1631577343.00000000006FE000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1417372
Start date and time:2024-03-29 06:19:04 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 9m 40s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
Detection:MAL
Classification:mal76.evad.winEXE@8/18@0/0
EGA Information:
  • Successful, ratio: 75%
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 67
  • Number of non-executed functions: 327
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Override analysis time to 240000 for current running targets taking high CPU consumption
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target EacCleaner.exe, PID 7344 because there are no executed function
  • Not all processes where analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
No simulations
No context
No context
No context
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe
  • SecuriteInfo.com.Trojan.MulDrop6.20495.23269.1649.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.4145.2121.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.20242.24645.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.9578.11634.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.21576.15142.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.2691.3865.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.15608.14652.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.25795.10208.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.3244.19917.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.15510.1055.exe | Get hash | malicious | Unknown | Browse

Match: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\setup.exe
  • SecuriteInfo.com.Trojan.MulDrop6.20495.23269.1649.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.4145.2121.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.20242.24645.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.9578.11634.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.21576.15142.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.2691.3865.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.15608.14652.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.25795.10208.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.3244.19917.exe | Get hash | malicious | Unknown | Browse
  • SecuriteInfo.com.Trojan.MulDrop6.20495.15510.1055.exe | Get hash | malicious | Unknown | Browse
                                          Process:C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):267600
                                          Entropy (8bit):6.740954275516009
                                          Encrypted:false
                                          SSDEEP:3072:QLJ5DZl9tX4gVd+eNCboJ2aRhI0YWoL5gcncQr0eByyerNC/7FhMu4O7RonFSdf0:sJlzI6d+vRUNqJnbcqRonFSdfeASHVb
                                          MD5:E59296FBD02590C3B596C45E4F0FB1C6
                                          SHA1:9A3CCCDC250CD7A901F4069A97BA3A096F3BD9A7
                                          SHA-256:1E9574F3E8C5013F971D8FA9DBA0DFA56466F1A06D44E95C83D149B9041EE380
                                          SHA-512:34B3A380105C194235DE539CBEBC6152C488ABF75FED6254B6CA24C52E42762E365B23200B50997C61FD8B13AD6983CA1D7707837B111C56A1CF91CADE4AAEAC
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Joe Sandbox View:
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.23269.1649.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.4145.2121.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.20242.24645.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.9578.11634.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.21576.15142.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.2691.3865.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.15608.14652.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.25795.10208.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.3244.19917.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.15510.1055.exe, Detection: malicious, Browse
                                          Reputation:moderate, very likely benign file
                                          Process:C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe
                                          File Type:Generic INItialization configuration [Text]
                                          Category:dropped
                                          Size (bytes):54038
                                          Entropy (8bit):5.544439484362196
                                          Encrypted:false
                                          SSDEEP:768:aQNig3CmxQGN03cgkQ1VURA3Svk1UUzvs/1:amiQ0GN0stvk1UUz+
                                          MD5:E4D93C4CC1659B75CBCB6805BC72DFBD
                                          SHA1:EB2370FA65793CC70D19AC590552FD16C9FE79F2
                                          SHA-256:68D67A34F6D1357C1E299F6A833E265AA3198DB160594552ABBD25F554AEDB6D
                                          SHA-512:F0D58C3D74432E4B8635AE04B3BC9379B25A90BDE4A0BE1112B1A0C99C6A9F129C2830C4581B278C77F824023F35E0EA0A9463A0EA9338F7B957D34CA3DBF680
                                          Malicious:false
                                          Reputation:low
                                          Preview:[vClnr_1.2.116.20140827]..; Vault Version: 3....[Text]..Type=Text....TXT_Msg_ENU=This will address your issue. Do you wish to continue?..TXT_Title_ENU=CustomCure....[CustomCure]..Type=Uninstall....; ============..; Actions..; ============....CDMFaddPath0=c:\windows\tasks\*.job....; ============..; CDP Actions..; ============....CDPaddPath0=%PROGRAMFILESDIR%\SlimCleaner Plus\SlimServiceFactory.exe....; ============..; CDRK Actions..; ============....CDRKbaseKey0=HKLM..CDRKregPath0=SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SlimService....CDRKbaseKey1=HKLM..CDRKregPath1=SYSTEM\CurrentControlSet\Control\SafeBoot\network\SlimService....CDRKbaseKey2=HKLM..CDRKregPath2=SOFTWARE\Microsoft\Windows NT\CurrentVersion\SlimService....CDRKbaseKey3=HKLM..CDRKregPath3=SOFTWARE\SlimService....CDRKbaseKey4=HKLM..CDRKregPath4=SYSTEM\CurrentControlSet\Services\SlimService....CDRKbaseKey5=HKLM..CDRKregPath5=SYSTEM\ControlSet000\Enum\Root\LEGACY_SlimService....CDRKbaseKey6=HKLM..CDRKregPath6=SYSTEM
                                          Process:C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):312
                                          Entropy (8bit):2.3296719012142413
                                          Encrypted:false
                                          SSDEEP:3:Sg0G/klll/XlYNt+WfW2AHW3oQIhcRRURdL3llt:SnlX1YNwv2sBQR3UR
                                          MD5:70CB3A3B191179B812CFEA43AF8F86E0
                                          SHA1:9C758C297EE4EE770CFF2DA98CD2B32C13A935BA
                                          SHA-256:8C5FA9C4C228E1D7B33A9A04A6C56FA031E785AA34AA5E5EF45D3FA3AB8DD093
                                          SHA-512:1213C909A3FA2094F9CBBE0486A6A9E54B5A2C6C97483CF122D66912970B83211DDAE38244E9D3E1C8F60D7B9AC2DC11DA56C5214A93C936B8AB4586353FF490
                                          Malicious:false
                                          Reputation:low
                                          Preview:8.......................Q.......................C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe...........................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):181584
                                          Entropy (8bit):6.571719563577293
                                          Encrypted:false
                                          SSDEEP:3072:rsWokCfFmO1TjqAiucX4VHA8+6B7RonFSdfeASH97PzhhGz9/:t8FbljqRTR01RonFSdfeASHVC/
                                          MD5:3B81D4123064A71453E6CB120A695C8E
                                          SHA1:0AFEC0C1F1AD3BFD3847F0A8ABA9FDA0AA8A8669
                                          SHA-256:320EC75AAD0ED0C77A9EB13442F97FA38847230F33BC7FE6352075CCC0C524E1
                                          SHA-512:382EC9882BE6FF9E9CA0359D0C17EF832AE8B2B76BF987CC14DA0860D2B881401826EADDCF716A87BD853ED2E0189E6D682B2F7534899BDBA220376E2CC78CF9
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Joe Sandbox View:
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.23269.1649.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.4145.2121.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.20242.24645.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.9578.11634.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.21576.15142.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.2691.3865.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.15608.14652.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.25795.10208.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.3244.19917.exe, Detection: malicious, Browse
                                          • Filename: SecuriteInfo.com.Trojan.MulDrop6.20495.15510.1055.exe, Detection: malicious, Browse
                                          Reputation:moderate, very likely benign file
                                          Process:C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe
                                          File Type:Generic INItialization configuration [preinst_tasks]
                                          Category:dropped
                                          Size (bytes):606
                                          Entropy (8bit):4.958458520226878
                                          Encrypted:false
                                          SSDEEP:12:V2dzxB3YNcmrA/upIswZcfQMl2DXanEIs4VdQYc/26tHQn:V2dzxB3YNKCIZcMSFyYc+6VQn
                                          MD5:BD0FFB1513EE242AA5C38F21B26CE2F7
                                          SHA1:8A67A1096CF4AEC51B76345A65291BE0DE584329
                                          SHA-256:3AA6E2E1301A86D656C94732C7F761C7EF439FB857149F3E182FB1D22710AED2
                                          SHA-512:9DFAA6F7F5E4B1509E55AD315324CAD24DAFB78AF1880FF9C41019E8C5EB3D749AA82904E99C413A2196F3F7FB544125AC15A43A808E143932C642EF3C1CAA93
                                          Malicious:false
                                          Reputation:low
                                          Preview:[Global]..Signature=EAC..Company=eAcceleration..CompanyDirectory="Acceleration Software"..Directory="Anti-Virus\customcleaner"..BaseDirDescrip="ProgramFilesDir"....[preinst_tasks]..num=1..file0="Eaccleaner.exe -d"....[com_servers]..num=0....[other_tasks]..num=0....[run]..num=1..file0="Eaccleaner.exe"....[system_requirements]..programtitle="Custom Cure"..nt4sp4=1..reqpoweruser=1....[other_files]..num=8..file0="EacCleaner.exe"..file1="vclnr.dll"..file2="setup.ini"..file3="setup.exe"..file4="sfx.exe"..file5="stops_dlg_header_tl.gif"..file6="stops_dlg_header_tm.gif"..file7="donutstop98CustomCure.cnr" ..
                                          Process:C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):148992
                                          Entropy (8bit):6.7375278254409645
                                          Encrypted:false
                                          SSDEEP:3072:ceEmzrLeqi8WDR+7Ija1P+b7RonFSdfeASH97PzhhGiP7:hizHJRonFSdfeASHVT7
                                          MD5:83DC8617494A971AF3569C0076B62061
                                          SHA1:ADF365112F7FBF8A0668FE1691584EC34BB36DE1
                                          SHA-256:99A2D819C3F159D23B622E9C27E502D41AC9DCAF772BBAB6DC33DB0632938699
                                          SHA-512:D451D278B47302BD8B8D8731FA993823DFEA1F461E66F36F898B00149D3A050475D76FE58BC3388D28DA73516E868AA8DAE07EA3701870AC4F0B225E4132849A
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 16%
                                          • Antivirus: Virustotal, Detection: 21%, Browse
                                          Reputation:moderate, very likely benign file
                                          Process:C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe
                                          File Type:PC bitmap, Windows 3.x format, 179 x 33 x 8, cbSize 7018, bits offset 1078
                                          Category:dropped
                                          Size (bytes):7018
                                          Entropy (8bit):4.005820275786894
                                          Encrypted:false
                                          SSDEEP:48:aErlGcouTAO3N9r5i+ExAO+gGfMVq3t+KXg5SwPHM8ELOF82eUaNTp9q2WkHVHzm:aEg9y3MRjQ+KXgQzZ6GFBq2RkV
                                          MD5:ADDD5DB15ABAB9EFE2426177913C175C
                                          SHA1:38A9D26A8379083CFE3B6E1A95D77E6F66CEF498
                                          SHA-256:81D2F3AC9A5024AB72F71C6C4DD6D39A8D87E7383249FD63287108CEE9668220
                                          SHA-512:438C95AF0DDECC1AE96DC40C7334790BCFE7AE6B5FD7E8FF6577EDF5629FED5CB329B2449D71149D0DA087F13EEE07489F4B408C4798E629F85C734988AAAEFB
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe
                                          File Type:PC bitmap, Windows 3.x format, 2 x 33 x 8, cbSize 1210, bits offset 1078
                                          Category:dropped
                                          Size (bytes):1210
                                          Entropy (8bit):3.1101395772875984
                                          Encrypted:false
                                          SSDEEP:12:RfHYctWGIPm0sMEmawIlzphJw+6clgqy4AdOTzafjs0YtPvgk3J3ZB+lkPafCip/:rWxO0sdm1Ifo7qTAdsabsN9r5D++CCiB
                                          MD5:C415DBA8F9A7FC0939E50460DA171AC1
                                          SHA1:703BBE66038705E0A410F5506810E3777EBE5F05
                                          SHA-256:300B17E374D0170F7D4B8AFEFE09D57AEAA4354B952026305E7FCFDFA5A17FF3
                                          SHA-512:5FABA12C954B9F77D80C22E0FE7AD4D7BA9727D714AA63DCCEBE9ACB5123FA4FCD324D9775C02B3FF8372C05230D7F866EB7C9FCA1E1121FEF9A8DB13E27CC5B
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1109144
                                          Entropy (8bit):6.62206538482217
                                          Encrypted:false
                                          SSDEEP:24576:mR7h+4jEryQtN8mrFonqcxOSLTevajbpcS:mR7hTVQfR0dxOSLTsajbC
                                          MD5:93ED06BFE1454A396824A638C2BB89F1
                                          SHA1:D952977DFEFE77FC068E3263A13F0427CA237CEC
                                          SHA-256:433368DB62ED5320C639FBF39106BA6C7C262211C2D9CDB845C86B56A985E6F4
                                          SHA-512:7CF6EE0FD09DEACD515571068D6C8765731FE24FCAE8C34B1F83E01A16AFBBBD52151231FEFB5EC17A161096A7E7D24AB0B1762B4BB6273F1F3396B31DC9A814
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 1%, Browse
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):267600
                                          Entropy (8bit):6.740954275516009
                                          Encrypted:false
                                          SSDEEP:3072:QLJ5DZl9tX4gVd+eNCboJ2aRhI0YWoL5gcncQr0eByyerNC/7FhMu4O7RonFSdf0:sJlzI6d+vRUNqJnbcqRonFSdfeASHVb
                                          MD5:E59296FBD02590C3B596C45E4F0FB1C6
                                          SHA1:9A3CCCDC250CD7A901F4069A97BA3A096F3BD9A7
                                          SHA-256:1E9574F3E8C5013F971D8FA9DBA0DFA56466F1A06D44E95C83D149B9041EE380
                                          SHA-512:34B3A380105C194235DE539CBEBC6152C488ABF75FED6254B6CA24C52E42762E365B23200B50997C61FD8B13AD6983CA1D7707837B111C56A1CF91CADE4AAEAC
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
                                          File Type:Generic INItialization configuration [Text]
                                          Category:dropped
                                          Size (bytes):54038
                                          Entropy (8bit):5.544439484362196
                                          Encrypted:false
                                          SSDEEP:768:aQNig3CmxQGN03cgkQ1VURA3Svk1UUzvs/1:amiQ0GN0stvk1UUz+
                                          MD5:E4D93C4CC1659B75CBCB6805BC72DFBD
                                          SHA1:EB2370FA65793CC70D19AC590552FD16C9FE79F2
                                          SHA-256:68D67A34F6D1357C1E299F6A833E265AA3198DB160594552ABBD25F554AEDB6D
                                          SHA-512:F0D58C3D74432E4B8635AE04B3BC9379B25A90BDE4A0BE1112B1A0C99C6A9F129C2830C4581B278C77F824023F35E0EA0A9463A0EA9338F7B957D34CA3DBF680
                                          Malicious:false
                                          Preview:[vClnr_1.2.116.20140827]..; Vault Version: 3....[Text]..Type=Text....TXT_Msg_ENU=This will address your issue. Do you wish to continue?..TXT_Title_ENU=CustomCure....[CustomCure]..Type=Uninstall....; ============..; Actions..; ============....CDMFaddPath0=c:\windows\tasks\*.job....; ============..; CDP Actions..; ============....CDPaddPath0=%PROGRAMFILESDIR%\SlimCleaner Plus\SlimServiceFactory.exe....; ============..; CDRK Actions..; ============....CDRKbaseKey0=HKLM..CDRKregPath0=SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SlimService....CDRKbaseKey1=HKLM..CDRKregPath1=SYSTEM\CurrentControlSet\Control\SafeBoot\network\SlimService....CDRKbaseKey2=HKLM..CDRKregPath2=SOFTWARE\Microsoft\Windows NT\CurrentVersion\SlimService....CDRKbaseKey3=HKLM..CDRKregPath3=SOFTWARE\SlimService....CDRKbaseKey4=HKLM..CDRKregPath4=SYSTEM\CurrentControlSet\Services\SlimService....CDRKbaseKey5=HKLM..CDRKregPath5=SYSTEM\ControlSet000\Enum\Root\LEGACY_SlimService....CDRKbaseKey6=HKLM..CDRKregPath6=SYSTEM
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):181584
                                          Entropy (8bit):6.571719563577293
                                          Encrypted:false
                                          SSDEEP:3072:rsWokCfFmO1TjqAiucX4VHA8+6B7RonFSdfeASH97PzhhGz9/:t8FbljqRTR01RonFSdfeASHVC/
                                          MD5:3B81D4123064A71453E6CB120A695C8E
                                          SHA1:0AFEC0C1F1AD3BFD3847F0A8ABA9FDA0AA8A8669
                                          SHA-256:320EC75AAD0ED0C77A9EB13442F97FA38847230F33BC7FE6352075CCC0C524E1
                                          SHA-512:382EC9882BE6FF9E9CA0359D0C17EF832AE8B2B76BF987CC14DA0860D2B881401826EADDCF716A87BD853ED2E0189E6D682B2F7534899BDBA220376E2CC78CF9
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
                                          File Type:Generic INItialization configuration [preinst_tasks]
                                          Category:dropped
                                          Size (bytes):606
                                          Entropy (8bit):4.958458520226878
                                          Encrypted:false
                                          SSDEEP:12:V2dzxB3YNcmrA/upIswZcfQMl2DXanEIs4VdQYc/26tHQn:V2dzxB3YNKCIZcMSFyYc+6VQn
                                          MD5:BD0FFB1513EE242AA5C38F21B26CE2F7
                                          SHA1:8A67A1096CF4AEC51B76345A65291BE0DE584329
                                          SHA-256:3AA6E2E1301A86D656C94732C7F761C7EF439FB857149F3E182FB1D22710AED2
                                          SHA-512:9DFAA6F7F5E4B1509E55AD315324CAD24DAFB78AF1880FF9C41019E8C5EB3D749AA82904E99C413A2196F3F7FB544125AC15A43A808E143932C642EF3C1CAA93
                                          Malicious:false
                                          Preview:[Global]..Signature=EAC..Company=eAcceleration..CompanyDirectory="Acceleration Software"..Directory="Anti-Virus\customcleaner"..BaseDirDescrip="ProgramFilesDir"....[preinst_tasks]..num=1..file0="Eaccleaner.exe -d"....[com_servers]..num=0....[other_tasks]..num=0....[run]..num=1..file0="Eaccleaner.exe"....[system_requirements]..programtitle="Custom Cure"..nt4sp4=1..reqpoweruser=1....[other_files]..num=8..file0="EacCleaner.exe"..file1="vclnr.dll"..file2="setup.ini"..file3="setup.exe"..file4="sfx.exe"..file5="stops_dlg_header_tl.gif"..file6="stops_dlg_header_tm.gif"..file7="donutstop98CustomCure.cnr" ..
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):148992
                                          Entropy (8bit):6.7375278254409645
                                          Encrypted:false
                                          SSDEEP:3072:ceEmzrLeqi8WDR+7Ija1P+b7RonFSdfeASH97PzhhGiP7:hizHJRonFSdfeASHVT7
                                          MD5:83DC8617494A971AF3569C0076B62061
                                          SHA1:ADF365112F7FBF8A0668FE1691584EC34BB36DE1
                                          SHA-256:99A2D819C3F159D23B622E9C27E502D41AC9DCAF772BBAB6DC33DB0632938699
                                          SHA-512:D451D278B47302BD8B8D8731FA993823DFEA1F461E66F36F898B00149D3A050475D76FE58BC3388D28DA73516E868AA8DAE07EA3701870AC4F0B225E4132849A
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 16%
                                          • Antivirus: Virustotal, Detection: 21%, Browse
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
                                          File Type:PC bitmap, Windows 3.x format, 179 x 33 x 8, cbSize 7018, bits offset 1078
                                          Category:dropped
                                          Size (bytes):7018
                                          Entropy (8bit):4.005820275786894
                                          Encrypted:false
                                          SSDEEP:48:aErlGcouTAO3N9r5i+ExAO+gGfMVq3t+KXg5SwPHM8ELOF82eUaNTp9q2WkHVHzm:aEg9y3MRjQ+KXgQzZ6GFBq2RkV
                                          MD5:ADDD5DB15ABAB9EFE2426177913C175C
                                          SHA1:38A9D26A8379083CFE3B6E1A95D77E6F66CEF498
                                          SHA-256:81D2F3AC9A5024AB72F71C6C4DD6D39A8D87E7383249FD63287108CEE9668220
                                          SHA-512:438C95AF0DDECC1AE96DC40C7334790BCFE7AE6B5FD7E8FF6577EDF5629FED5CB329B2449D71149D0DA087F13EEE07489F4B408C4798E629F85C734988AAAEFB
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
                                          File Type:PC bitmap, Windows 3.x format, 2 x 33 x 8, cbSize 1210, bits offset 1078
                                          Category:dropped
                                          Size (bytes):1210
                                          Entropy (8bit):3.1101395772875984
                                          Encrypted:false
                                          SSDEEP:12:RfHYctWGIPm0sMEmawIlzphJw+6clgqy4AdOTzafjs0YtPvgk3J3ZB+lkPafCip/:rWxO0sdm1Ifo7qTAdsabsN9r5D++CCiB
                                          MD5:C415DBA8F9A7FC0939E50460DA171AC1
                                          SHA1:703BBE66038705E0A410F5506810E3777EBE5F05
                                          SHA-256:300B17E374D0170F7D4B8AFEFE09D57AEAA4354B952026305E7FCFDFA5A17FF3
                                          SHA-512:5FABA12C954B9F77D80C22E0FE7AD4D7BA9727D714AA63DCCEBE9ACB5123FA4FCD324D9775C02B3FF8372C05230D7F866EB7C9FCA1E1121FEF9A8DB13E27CC5B
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1109144
                                          Entropy (8bit):6.62206538482217
                                          Encrypted:false
                                          SSDEEP:24576:mR7h+4jEryQtN8mrFonqcxOSLTevajbpcS:mR7hTVQfR0dxOSLTsajbC
                                          MD5:93ED06BFE1454A396824A638C2BB89F1
                                          SHA1:D952977DFEFE77FC068E3263A13F0427CA237CEC
                                          SHA-256:433368DB62ED5320C639FBF39106BA6C7C262211C2D9CDB845C86B56A985E6F4
                                          SHA-512:7CF6EE0FD09DEACD515571068D6C8765731FE24FCAE8C34B1F83E01A16AFBBBD52151231FEFB5EC17A161096A7E7D24AB0B1762B4BB6273F1F3396B31DC9A814
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 1%, Browse
                                          Process:C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):29696
                                          Entropy (8bit):4.087996639734289
                                          Encrypted:false
                                          SSDEEP:384:VRqMqt3FqMGqMpRqMqt3kqMGqMmRqMqt3:rqM6qMGqMvqM3qMGqMkqM
                                          MD5:1C214C3755606074292F5238190BD5D0
                                          SHA1:B258529F633D3E79BB6B9350972C0C9356A78254
                                          SHA-256:017F8FA23B08DFD1D3229366CED50D69BB35C6560842831C5568268FD1896524
                                          SHA-512:631CE4B4CDDB853C9F4EBCAE7068E62BF6023C5EEDE8BA30B310131748DAEEDEEEFC6BD623FACBC928F71D1CFF48B320BFBB729039980C082D9DE09157893EEF
                                          Malicious:false
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Entropy (8bit):7.927792786528329
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
                                          File size:941'640 bytes
                                          MD5:3eaa0fb10cc609ba960bb9bc9f503b81
                                          SHA1:4b20bfb6751fc27c6fee082436cbd3964961569a
                                          SHA256:8ceb160dd7b7001c380cd0db545a20fd5db3095dba35547018209e00081f75b4
                                          SHA512:0b6737b6be790825a732d4dbb48c1eb479b2033699276f06412c1c3925897ea91ddfce5482c022ab475fd7201617a11888a1235b19f2341ec6a25338b54d10ab
                                          SSDEEP:12288:hCscS1ThzlZBzuR1sQk8LcPZ/erPVTM5jxCj8BJbo4x/btBcDPy/MQkrVW4eOy4:tcSxPLztDdJe5o54j23dcmUZgz4
                                          TLSH:FA151212B2909166C6C705364ABB83EAAF35DFB15BA466DF5B4C39C20F322D01C3765B
                                          Icon Hash:1313aaaae2683b17
                                          Entrypoint:0x40cd95
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:
                                          Time Stamp:0x4B7ED944 [Fri Feb 19 18:32:36 2010 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:22977549f5973f29d9952f5032e325b2
                                          Instruction
                                          call 00007FE4693CAA7Ah
                                          jmp 00007FE4693C5BABh
                                          int3
                                          push ebp
                                          mov ebp, esp
                                          push edi
                                          push esi
                                          mov esi, dword ptr [ebp+0Ch]
                                          mov ecx, dword ptr [ebp+10h]
                                          mov edi, dword ptr [ebp+08h]
                                          mov eax, ecx
                                          mov edx, ecx
                                          add eax, esi
                                          cmp edi, esi
                                          jbe 00007FE4693C5D9Ah
                                          cmp edi, eax
                                          jc 00007FE4693C5F3Ah
                                          cmp ecx, 00000100h
                                          jc 00007FE4693C5DB1h
                                          cmp dword ptr [0041BE04h], 00000000h
                                          je 00007FE4693C5DA8h
                                          push edi
                                          push esi
                                          and edi, 0Fh
                                          and esi, 0Fh
                                          cmp edi, esi
                                          pop esi
                                          pop edi
                                          jne 00007FE4693C5D9Ah
                                          pop esi
                                          pop edi
                                          pop ebp
                                          jmp 00007FE4693CAB48h
                                          test edi, 00000003h
                                          jne 00007FE4693C5DA7h
                                          shr ecx, 02h
                                          and edx, 03h
                                          cmp ecx, 08h
                                          jc 00007FE4693C5DBCh
                                          rep movsd
                                          jmp dword ptr [0040CF14h+edx*4]
                                          nop
                                          mov eax, edi
                                          mov edx, 00000003h
                                          sub ecx, 04h
                                          jc 00007FE4693C5D9Eh
                                          and eax, 03h
                                          add ecx, eax
                                          jmp dword ptr [0040CE28h+eax*4]
                                          jmp dword ptr [0040CF24h+ecx*4]
                                          nop
                                          jmp dword ptr [0040CEA8h+ecx*4]
                                          nop
                                          cmp dh, cl
                                          inc eax
                                          add byte ptr [esi+ecx*8+40h], ah
                                          add byte ptr [eax+230040CEh], cl
                                          ror dword ptr [edx-75F877FAh], 1
                                          inc esi
                                          add dword ptr [eax+468A0147h], ecx
                                          add al, cl
                                          jmp 00007FE46B83E597h
                                          add esi, 03h
                                          add edi, 03h
                                          cmp ecx, 08h
                                          jc 00007FE4693C5D5Eh
                                          rep movsd
                                          jmp dword ptr [00000000h+edx*4]
                                          Programming Language:
                                          • [ C ] VS2008 SP1 build 30729
                                          • [ASM] VS2005 build 50727
                                          • [IMP] VS2008 SP1 build 30729
                                          • [ C ] VS2005 build 50727
                                          • [C++] VS2005 build 50727
                                          • [RES] VS2005 build 50727
                                          • [LNK] VS2005 build 50727
                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17574 | 0x78 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1d000 | 0xb904 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x15220 | 0x1c | .rdata
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17130 | 0x40 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x15000 | 0x1d8 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x1000 | 0x13ce6 | 0x13e00 | 1cfbf14bfaa8e4cf417b81028020f1bf | False | 0.49914013364779874 | data | 6.383369062208267 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rdata | 0x15000 | 0x2fb2 | 0x3000 | dbb0d959af1dc7d7b6a2731a46d66cf7 | False | 0.407958984375 | data | 5.590990983922989 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .data | 0x18000 | 0x4e40 | 0x1a00 | 311e51c732fa5f14497962d060446886 | False | 0.24128605769230768 | data | 2.8507402974392893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .rsrc | 0x1d000 | 0xb904 | 0xba00 | 7ec1f496d8e9fa1cf043874b8ca2aca6 | False | 0.7160618279569892 | data | 7.159539672714912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                          RT_ICON | 0x1d2c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.4797297297297297
                                          RT_ICON | 0x1d3f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.3836705202312139
                                          RT_ICON | 0x1d958 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.6666666666666666
                                          RT_ICON | 0x1ddc0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.3346774193548387
                                          RT_ICON | 0x1e0a8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.4905234657039711
                                          RT_ICON | 0x1e950 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.4277673545966229
                                          RT_ICON | 0x1f9f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.37572614107883817
                                          RT_ICON | 0x21fa0 | 0x60c7 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9927346115035318
                                          RT_STRING | 0x28068 | 0x2e | Matlab v4 mat-file (little endian) x, numeric, rows 0, columns 0 | English | United States | 0.6086956521739131
                                          RT_GROUP_ICON | 0x28098 | 0x76 | data | English | United States | 0.6864406779661016
                                          RT_VERSION | 0x28110 | 0x3d4 | data | English | United States | 0.42857142857142855
                                          RT_MANIFEST | 0x284e4 | 0x41d | ASCII text, with very long lines (809), with CRLF line terminators | English | United States | 0.466286799620133
                                          DLL | Import
                                          KERNEL32.dll | FindFirstFileA, lstrlenA, GetFileAttributesA, lstrcpynA, GetLastError, MultiByteToWideChar, AreFileApisANSI, SetLastError, GetFullPathNameA, GetProcAddress, GetModuleHandleA, FreeLibrary, LoadLibraryA, Sleep, GetSystemTimeAsFileTime, GetTempPathA, lstrcmpA, SetFilePointer, GetShortPathNameA, GetModuleFileNameA, GetCommandLineA, SetFileAttributesA, FindClose, SetEvent, lstrcmpiA, ResetEvent, CreateEventA, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, CreateDirectoryA, RemoveDirectoryA, DeleteFileA, GetTickCount, FindNextFileA, lstrcatA, HeapSize, FlushFileBuffers, SetStdHandle, lstrcpyA, WriteFile, CreateFileA, ReadFile, SetFileTime, CloseHandle, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetLocaleInfoA, GetConsoleMode, ExitProcess, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetStartupInfoA, EnterCriticalSection, LeaveCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, LCMapStringA, WideCharToMultiByte, LCMapStringW, DeleteCriticalSection, GetConsoleCP, SetHandleCount, GetStdHandle, GetFileType, RtlUnwind, InitializeCriticalSection, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetCurrentProcessId, VirtualAlloc, HeapReAlloc, GetStringTypeA, GetStringTypeW
                                          USER32.dll | PostMessageA, CharLowerA, wsprintfA, RegisterWindowMessageA, FindWindowA, MessageBoxA, IsWindow
                                          ADVAPI32.dll | RegOpenKeyExA, RegQueryValueExA, RegCloseKey
                                          SHELL32.dll | SHGetPathFromIDListA, SHGetDesktopFolder, SHGetMalloc
                                          ole32.dll | CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree
                                          Language of compilation system | Country where language is spoken | Map
                                          English | United States |
                                          No network behavior found


                                          Target ID:0
                                          Start time:06:19:49
                                          Start date:29/03/2024
                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe"
                                          Imagebase:0x400000
                                          File size:941'640 bytes
                                          MD5 hash:3EAA0FB10CC609BA960BB9BC9F503B81
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:1
                                          Start time:06:19:51
                                          Start date:29/03/2024
                                          Path:C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe /Cmd C:\Users\user\Desktop\SECURI~1.EXE "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe"
                                          Imagebase:0x400000
                                          File size:181'584 bytes
                                          MD5 hash:3B81D4123064A71453E6CB120A695C8E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Antivirus matches:
                                          • Detection: 0%, ReversingLabs
                                          • Detection: 0%, Virustotal, Browse
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:2
                                          Start time:06:19:51
                                          Start date:29/03/2024
                                          Path:C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Local\Temp\EAC309~1\Eaccleaner.exe -d
                                          Imagebase:0x400000
                                          File size:267'600 bytes
                                          MD5 hash:E59296FBD02590C3B596C45E4F0FB1C6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Antivirus matches:
                                          • Detection: 0%, ReversingLabs
                                          • Detection: 0%, Virustotal, Browse
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:3
                                          Start time:06:19:51
                                          Start date:29/03/2024
                                          Path:C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\Eaccleaner.exe
                                          Imagebase:0x400000
                                          File size:267'600 bytes
                                          MD5 hash:E59296FBD02590C3B596C45E4F0FB1C6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Antivirus matches:
                                          • Detection: 0%, ReversingLabs
                                          • Detection: 0%, Virustotal, Browse
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:8
                                          Start time:06:23:11
                                          Start date:29/03/2024
                                          Path:C:\Windows\System32\LogonUI.exe
                                          Wow64 process (32bit):false
                                          Commandline:"LogonUI.exe" /flags:0x4 /state0:0xa3f4f855 /state1:0x41c64e6d
                                          Imagebase:0x7ff75ff10000
                                          File size:13'824 bytes
                                          MD5 hash:893144FE49AA16124B5BD3034E79BBC6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:false


                                            Execution Graph

                                            Execution Coverage:8.5%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:11.4%
                                            Total number of Nodes:1606
                                            Total number of Limit Nodes:75
8000 40d262 __fcloseall 66 API calls 7999->8000 8001 412ff0 8000->8001 8002 40d262 __fcloseall 66 API calls 8001->8002 8003 412ffb 8002->8003 8004 40d262 __fcloseall 66 API calls 8003->8004 8005 413006 8004->8005 8006 40d262 __fcloseall 66 API calls 8005->8006 8007 413011 8006->8007 8008 40d262 __fcloseall 66 API calls 8007->8008 8009 41301c 8008->8009 8010 40d262 __fcloseall 66 API calls 8009->8010 8011 413027 8010->8011 8012 40d262 __fcloseall 66 API calls 8011->8012 8013 413032 8012->8013 8014 40d262 __fcloseall 66 API calls 8013->8014 8014->8015 8015->7889 8016->7859 8020 40e51f _memset 8017->8020 8026 40e5c8 8017->8026 8027 412e72 8020->8027 8022 40c69a ___ansicp 5 API calls 8024 40e66a 8022->8024 8024->7818 8025 40f785 ___crtLCMapStringA 101 API calls 8025->8026 8026->8022 8028 40c6a9 _LocaleUpdate::_LocaleUpdate 76 API calls 8027->8028 8029 412e83 8028->8029 8037 412cba 8029->8037 8032 40f785 8033 40c6a9 _LocaleUpdate::_LocaleUpdate 76 API calls 8032->8033 8034 40f796 8033->8034 8132 40f3e3 8034->8132 8038 412d04 8037->8038 8039 412cd9 GetStringTypeW 8037->8039 8040 412cf1 8038->8040 8042 412deb 8038->8042 8039->8040 8041 412cf9 GetLastError 8039->8041 8043 412d3d MultiByteToWideChar 8040->8043 8060 412de5 8040->8060 8041->8038 8083 4133b0 GetLocaleInfoA 8042->8083 8049 412d6a 8043->8049 8043->8060 8045 40c69a ___ansicp 5 API calls 8047 40e583 8045->8047 8047->8032 8048 412e3c GetStringTypeA 8052 412e57 8048->8052 8048->8060 8053 412d7f _memset __crtLCMapStringA_stat 8049->8053 8061 40f95d 8049->8061 8051 412db8 MultiByteToWideChar 8056 412ddf 8051->8056 8057 412dce GetStringTypeW 8051->8057 8058 40d262 __fcloseall 66 API calls 8052->8058 8053->8051 8053->8060 8079 40c72b 8056->8079 8057->8056 8058->8060 8060->8045 8062 40fa0a 8061->8062 8068 40f96b 8061->8068 8063 410745 _malloc 65 API calls 8062->8063 8064 40fa10 8063->8064 8066 40e02b _write_string 65 API calls 8064->8066 8065 410e3f __FF_MSGBANNER 65 API calls 8065->8068 8067 40fa16 8066->8067 8067->8053 
8068->8065 8070 410c9f _malloc 65 API calls 8068->8070 8071 40f9ce HeapAlloc 8068->8071 8072 40c87e _malloc 3 API calls 8068->8072 8073 40f9f5 8068->8073 8075 410745 _malloc 65 API calls 8068->8075 8076 40f9f3 8068->8076 8078 40fa01 8068->8078 8114 40f90e 8068->8114 8070->8068 8071->8068 8072->8068 8074 40e02b _write_string 65 API calls 8073->8074 8074->8076 8075->8068 8077 40e02b _write_string 65 API calls 8076->8077 8077->8078 8078->8053 8080 40c733 8079->8080 8082 40c744 8079->8082 8081 40d262 __fcloseall 66 API calls 8080->8081 8080->8082 8081->8082 8082->8060 8084 4133e1 8083->8084 8085 4133dc 8083->8085 8125 414954 8084->8125 8087 40c69a ___ansicp 5 API calls 8085->8087 8088 412e0f 8087->8088 8088->8048 8088->8060 8089 4133f7 8088->8089 8090 413435 GetCPInfo 8089->8090 8091 4134bf 8089->8091 8092 4134aa MultiByteToWideChar 8090->8092 8093 41344c 8090->8093 8094 40c69a ___ansicp 5 API calls 8091->8094 8092->8091 8098 413465 _strlen 8092->8098 8093->8092 8095 413452 GetCPInfo 8093->8095 8096 412e30 8094->8096 8095->8092 8097 41345f 8095->8097 8096->8048 8096->8060 8097->8092 8097->8098 8099 40f95d _malloc 66 API calls 8098->8099 8101 413497 _memset __crtLCMapStringA_stat 8098->8101 8099->8101 8100 4134f4 MultiByteToWideChar 8102 41352b 8100->8102 8103 41350c 8100->8103 8101->8091 8101->8100 8104 40c72b __freea 66 API calls 8102->8104 8105 413530 8103->8105 8106 413513 WideCharToMultiByte 8103->8106 8104->8091 8107 41353b WideCharToMultiByte 8105->8107 8108 41354f 8105->8108 8106->8102 8107->8102 8107->8108 8109 4127bc __calloc_crt 66 API calls 8108->8109 8110 413557 8109->8110 8110->8102 8111 413560 WideCharToMultiByte 8110->8111 8111->8102 8112 413572 8111->8112 8113 40d262 __fcloseall 66 API calls 8112->8113 8113->8102 8115 40f91a __fcloseall 8114->8115 8116 40f94b __fcloseall 8115->8116 8117 40fbc2 __lock 66 API calls 8115->8117 8116->8068 8118 40f930 8117->8118 8119 412499 ___sbh_alloc_block 5 API calls 8118->8119 8120 40f93b 8119->8120 8122 40f954 
8120->8122 8123 40faea _flsall LeaveCriticalSection 8122->8123 8124 40f95b 8123->8124 8124->8116 8128 41492b 8125->8128 8129 414942 8128->8129 8130 414700 strtoxl 90 API calls 8129->8130 8131 41494f 8130->8131 8131->8085 8133 40f402 LCMapStringW 8132->8133 8137 40f41d 8132->8137 8134 40f425 GetLastError 8133->8134 8133->8137 8134->8137 8135 40f61a 8139 4133b0 ___ansicp 90 API calls 8135->8139 8136 40f477 8138 40f490 MultiByteToWideChar 8136->8138 8160 40f611 8136->8160 8137->8135 8137->8136 8146 40f4bd 8138->8146 8138->8160 8141 40f642 8139->8141 8140 40c69a ___ansicp 5 API calls 8142 40e5a3 8140->8142 8143 40f736 LCMapStringA 8141->8143 8144 40f65b 8141->8144 8141->8160 8142->8025 8178 40f692 8143->8178 8147 4133f7 ___convertcp 73 API calls 8144->8147 8145 40f50e MultiByteToWideChar 8148 40f527 LCMapStringW 8145->8148 8175 40f608 8145->8175 8150 40f95d _malloc 66 API calls 8146->8150 8157 40f4d6 __crtLCMapStringA_stat 8146->8157 8151 40f66d 8147->8151 8153 40f548 8148->8153 8148->8175 8149 40f75d 8158 40d262 __fcloseall 66 API calls 8149->8158 8149->8160 8150->8157 8155 40f677 LCMapStringA 8151->8155 8151->8160 8152 40c72b __freea 66 API calls 8152->8160 8156 40f550 8153->8156 8164 40f579 8153->8164 8154 40d262 __fcloseall 66 API calls 8154->8149 8162 40f699 8155->8162 8155->8178 8161 40f562 LCMapStringW 8156->8161 8156->8175 8157->8145 8157->8160 8158->8160 8159 40f594 __crtLCMapStringA_stat 8163 40f5c8 LCMapStringW 8159->8163 8159->8175 8160->8140 8161->8175 8166 40f95d _malloc 66 API calls 8162->8166 8173 40f6aa _memset __crtLCMapStringA_stat 8162->8173 8167 40f602 8163->8167 8169 40f5e0 WideCharToMultiByte 8163->8169 8164->8159 8165 40f95d _malloc 66 API calls 8164->8165 8165->8159 8166->8173 8170 40c72b __freea 66 API calls 8167->8170 8168 40f6e8 LCMapStringA 8171 40f704 8168->8171 8172 40f708 8168->8172 8169->8167 8170->8175 8177 40c72b __freea 66 API calls 8171->8177 8176 4133f7 ___convertcp 73 API calls 8172->8176 8173->8168 8173->8178 8175->8152 
8176->8171 8177->8178 8178->8149 8178->8154 8179->7821 8181 410ec4 8180->8181 8183 410edc 8181->8183 8187 40ee93 TlsGetValue 8181->8187 8183->7330 8197 4106ed 8184->8197 8186 410732 8186->7332 8188 40eea6 8187->8188 8189 40eec7 GetModuleHandleA 8187->8189 8188->8189 8190 40eeb0 TlsGetValue 8188->8190 8191 40eed8 8189->8191 8192 40eebf 8189->8192 8194 40eebb 8190->8194 8193 40ee27 __initp_misc_cfltcvt_tab 62 API calls 8191->8193 8192->8181 8195 40eedd 8193->8195 8194->8189 8194->8192 8195->8192 8196 40eee1 GetProcAddress 8195->8196 8196->8192 8198 4106f9 __fcloseall 8197->8198 8205 40c893 8198->8205 8204 41071a __fcloseall 8204->8186 8206 40fbc2 __lock 66 API calls 8205->8206 8207 40c89a 8206->8207 8208 410605 8207->8208 8209 40ef0a _raise 66 API calls 8208->8209 8210 410615 8209->8210 8211 40ef0a _raise 66 API calls 8210->8211 8212 410626 8211->8212 8221 4106a9 8212->8221 8228 413c40 8212->8228 8214 41068f 8216 40ee93 __initp_misc_cfltcvt_tab 66 API calls 8214->8216 8215 410644 8215->8214 8218 410666 8215->8218 8241 412804 8215->8241 8217 41069e 8216->8217 8219 40ee93 __initp_misc_cfltcvt_tab 66 API calls 8217->8219 8218->8221 8222 412804 __realloc_crt 73 API calls 8218->8222 8223 41067d 8218->8223 8219->8221 8225 410723 8221->8225 8222->8223 8223->8221 8224 40ee93 __initp_misc_cfltcvt_tab 66 API calls 8223->8224 8224->8214 8291 40c89c 8225->8291 8229 413c4c __fcloseall 8228->8229 8230 413c79 8229->8230 8231 413c5c 8229->8231 8232 413cba HeapSize 8230->8232 8234 40fbc2 __lock 66 API calls 8230->8234 8233 40e02b _write_string 66 API calls 8231->8233 8237 413c71 __fcloseall 8232->8237 8235 413c61 8233->8235 8238 413c89 ___sbh_find_block 8234->8238 8236 40dfcc _raise 66 API calls 8235->8236 8236->8237 8237->8215 8246 413cda 8238->8246 8245 412808 8241->8245 8243 41284a 8243->8218 8244 41282b Sleep 8244->8245 8245->8243 8245->8244 8250 4144e5 8245->8250 8249 40faea LeaveCriticalSection 8246->8249 8248 413cb5 8248->8232 8248->8237 8249->8248 8251 4144f1 __fcloseall 
8250->8251 8252 414506 8251->8252 8253 4144f8 8251->8253 8255 414519 8252->8255 8256 41450d 8252->8256 8254 40f95d _malloc 66 API calls 8253->8254 8272 414500 __fcloseall __dosmaperr 8254->8272 8263 41468b 8255->8263 8285 414526 ___sbh_resize_block ___sbh_find_block 8255->8285 8257 40d262 __fcloseall 66 API calls 8256->8257 8257->8272 8258 4146be 8260 410745 _malloc 66 API calls 8258->8260 8259 40fbc2 __lock 66 API calls 8259->8285 8262 4146c4 8260->8262 8261 414690 HeapReAlloc 8261->8263 8261->8272 8264 40e02b _write_string 66 API calls 8262->8264 8263->8258 8263->8261 8265 4146e2 8263->8265 8266 410745 _malloc 66 API calls 8263->8266 8270 4146d8 8263->8270 8264->8272 8267 40e02b _write_string 66 API calls 8265->8267 8265->8272 8266->8263 8269 4146eb GetLastError 8267->8269 8269->8272 8271 40e02b _write_string 66 API calls 8270->8271 8274 414659 8271->8274 8272->8245 8273 4145b1 HeapAlloc 8273->8285 8274->8272 8276 41465e GetLastError 8274->8276 8275 414606 HeapReAlloc 8275->8285 8276->8272 8277 412499 ___sbh_alloc_block 5 API calls 8277->8285 8278 414671 8278->8272 8280 40e02b _write_string 66 API calls 8278->8280 8279 410745 _malloc 66 API calls 8279->8285 8282 41467e 8280->8282 8281 411cf0 VirtualFree VirtualFree HeapFree ___sbh_free_block 8281->8285 8282->8269 8282->8272 8283 414654 8286 40e02b _write_string 66 API calls 8283->8286 8284 40cda0 __VEC_memcpy _realloc 8284->8285 8285->8258 8285->8259 8285->8272 8285->8273 8285->8275 8285->8277 8285->8278 8285->8279 8285->8281 8285->8283 8285->8284 8287 414629 8285->8287 8286->8274 8290 40faea LeaveCriticalSection 8287->8290 8289 414630 8289->8285 8290->8289 8294 40faea LeaveCriticalSection 8291->8294 8293 40c8a3 8293->8204 8294->8293 8298 41411a 8295->8298 8299 40c6a9 _LocaleUpdate::_LocaleUpdate 76 API calls 8298->8299 8300 41412b 8299->8300 8300->7336 8302 401901 _memset 8301->8302 8303 401908 lstrcpyA GetLongPathNameA CharLowerA 8302->8303 8307 401935 8302->8307 8421 4024ea 8303->8421 8305 40c69a ___ansicp 5 
API calls 8306 401988 lstrcmpiA 8305->8306 8306->7346 8306->7347 8307->8305 8309 40144a _memset 8308->8309 8310 40145e GetTempPathA 8309->8310 8311 401484 8310->8311 8323 401517 8310->8323 8425 402770 8311->8425 8312 40c69a ___ansicp 5 API calls 8315 40152b 8312->8315 8315->7356 8315->7362 8316 4012ea 102 API calls 8317 4014b4 8316->8317 8318 4014e9 GetFileAttributesA 8317->8318 8319 4014fa 8318->8319 8320 4014bc Sleep GetSystemTimeAsFileTime 8318->8320 8428 402618 8319->8428 8321 4012ea 102 API calls 8320->8321 8321->8318 8323->8312 8325 401fca _memset 8324->8325 8326 40210d 8325->8326 8327 401ffe SetLastError 8325->8327 8328 40c69a ___ansicp 5 API calls 8326->8328 8442 401dc5 8327->8442 8330 40211f 8328->8330 8344 4027ad 8330->8344 8334 40203c CreateFileA 8334->8326 8335 402063 ReadFile SetFilePointer 8334->8335 8340 402085 8335->8340 8338 402104 FindCloseChangeNotification 8338->8326 8339 4020a5 SetLastError SetFilePointer 8339->8338 8339->8340 8340->8338 8340->8339 8341 4020c3 lstrcmpA 8340->8341 8478 401600 8340->8478 8489 401535 8340->8489 8499 401e96 8340->8499 8341->8338 8341->8340 8343 4020f2 SetFilePointer 8343->8338 8343->8340 8593 40246c 8344->8593 8348 401352 _memset 8347->8348 8349 401361 lstrcpyA 8348->8349 8350 40139c 8348->8350 8600 4012ae 8349->8600 8352 40c69a ___ansicp 5 API calls 8350->8352 8354 401406 8352->8354 8353 40137e GetFileAttributesA 8355 4013a1 lstrcpyA 8353->8355 8356 401392 8353->8356 8354->7381 8364 401ab2 8354->8364 8357 4012ae 8355->8357 8602 402526 8356->8602 8359 4013b6 GetFileAttributesA 8357->8359 8359->8350 8360 4013c1 LoadLibraryA 8359->8360 8360->8350 8361 4013d3 GetProcAddress 8360->8361 8362 4013e3 8361->8362 8363 4013ec FreeLibrary 8361->8363 8362->8363 8363->8350 8365 401aeb _memset 8364->8365 8366 4012ea 102 API calls 8365->8366 8367 401b1a GetFileAttributesA 8366->8367 8368 401b30 8367->8368 8369 401bca 8367->8369 8370 4019ef 10 API calls 8368->8370 8371 40c69a ___ansicp 5 API calls 8369->8371 8374 401b41 8370->8374 
8372 401be0 8371->8372 8372->7381 8372->7386 8373 402526 11 API calls 8375 401ba3 8373->8375 8376 401b65 GetCommandLineA 8374->8376 8379 401b7c 8374->8379 8375->8369 8377 401bba PostMessageA 8375->8377 8378 401b71 lstrlenA 8376->8378 8376->8379 8377->8369 8378->8379 8379->8373 8381 4012fd 8380->8381 8382 401315 8381->8382 8614 414bc8 8381->8614 8382->7351 8385 401a22 _memset 8384->8385 8386 401a9c 8385->8386 8388 401a30 GetModuleFileNameA 8385->8388 8387 40c69a ___ansicp 5 API calls 8386->8387 8389 401aae 8387->8389 8388->8386 8390 401a4c 8388->8390 8389->7363 8391 401a67 lstrlenA 8390->8391 8393 4024ea lstrlenA 8390->8393 8391->8386 8392 401a79 GetShortPathNameA 8391->8392 8392->8386 8394 401a8e lstrcpyA 8392->8394 8395 401a60 8393->8395 8394->8386 8395->8391 8397 402823 _memset 8396->8397 8398 4029c3 8397->8398 8399 40285e lstrlenA 8397->8399 8401 40c69a ___ansicp 5 API calls 8398->8401 8399->8398 8400 402870 lstrcpyA 8399->8400 8402 402770 lstrlenA 8400->8402 8403 4029d6 8401->8403 8404 40288e lstrcatA FindFirstFileA 8402->8404 8403->7375 8404->8398 8405 4028bd 8404->8405 8406 4028d2 lstrcmpA 8405->8406 8407 402974 FindNextFileA 8406->8407 8408 4028e9 lstrcmpA 8406->8408 8407->8406 8409 402985 FindClose RemoveDirectoryA GetTickCount GetFileAttributesA 8407->8409 8408->8407 8410 4028fc wsprintfA 8408->8410 8409->8398 8411 4029a5 8409->8411 8412 402928 8410->8412 8413 40292f DeleteFileA 8410->8413 8414 4029ab GetTickCount 8411->8414 8412->8407 8415 4027e8 6 API calls 8412->8415 8413->8407 8416 402939 GetTickCount GetFileAttributesA 8413->8416 8414->8398 8417 4029b1 Sleep GetFileAttributesA 8414->8417 8415->8412 8416->8407 8418 40294c 8416->8418 8417->8398 8417->8414 8419 402957 GetTickCount 8418->8419 8419->8407 8420 40295e Sleep GetFileAttributesA 8419->8420 8420->8407 8420->8419 8422 4024f6 8421->8422 8423 4024fe 8421->8423 8422->8423 8424 402503 lstrlenA 8422->8424 8423->8307 8424->8423 8426 40277b lstrlenA 8425->8426 8427 40148e GetSystemTimeAsFileTime 
8425->8427 8426->8427 8427->8316 8429 402655 _memset 8428->8429 8430 402660 GetFileAttributesA 8429->8430 8431 40274e 8429->8431 8430->8431 8433 402670 lstrlenA 8430->8433 8432 40c69a ___ansicp 5 API calls 8431->8432 8434 402766 8432->8434 8433->8431 8435 402682 lstrcpyA 8433->8435 8434->8323 8436 402692 8435->8436 8437 4026f5 GetFileAttributesA 8436->8437 8439 402722 GetFileAttributesA 8436->8439 8437->8436 8438 402709 CreateDirectoryA 8437->8438 8438->8436 8440 402733 CreateDirectoryA Sleep 8439->8440 8441 402744 GetFileAttributesA 8439->8441 8440->8441 8441->8431 8443 401e08 _memset 8442->8443 8444 401e79 8443->8444 8446 401e13 lstrlenA 8443->8446 8445 40c69a ___ansicp 5 API calls 8444->8445 8447 401e8c 8445->8447 8446->8444 8448 401e1e 8446->8448 8447->8326 8455 401719 8447->8455 8449 401e47 lstrcpyA 8448->8449 8451 401e2e 8448->8451 8450 401e52 GetFileAttributesA 8449->8450 8450->8444 8452 401e61 lstrcpynA 8450->8452 8453 4019ef 10 API calls 8451->8453 8452->8444 8454 401e3a 8453->8454 8454->8450 8457 40176e _memset 8455->8457 8456 4018a5 8458 40c69a ___ansicp 5 API calls 8456->8458 8457->8456 8459 40178b lstrlenA 8457->8459 8460 4018b8 8458->8460 8461 401796 8459->8461 8460->8326 8460->8334 8462 4024ea lstrlenA 8461->8462 8477 4017a6 8461->8477 8463 4017c3 8462->8463 8464 40185c lstrlenA 8463->8464 8467 4017d9 GetLongPathNameA 8463->8467 8464->8456 8465 40186d 8464->8465 8466 402770 lstrlenA 8465->8466 8469 40187b 8466->8469 8468 4024ea lstrlenA 8467->8468 8473 4017f8 _memset 8468->8473 8470 402618 14 API calls 8469->8470 8471 401887 8470->8471 8471->8456 8472 40188f lstrcpynA 8471->8472 8472->8456 8473->8464 8474 401822 lstrlenA 8473->8474 8475 401837 8474->8475 8474->8477 8476 4024ea lstrlenA 8475->8476 8476->8477 8477->8464 8479 401628 _memset 8478->8479 8484 4016fb 8478->8484 8482 401654 SetFilePointer 8479->8482 8480 40c69a ___ansicp 5 API calls 8481 40170b 8480->8481 8481->8340 8485 401673 _memset 8482->8485 8483 4016f3 SetFilePointer 8483->8484 
8484->8480 8485->8483 8486 4016a4 SetFilePointer 8485->8486 8486->8485 8487 4016b4 ReadFile 8486->8487 8487->8485 8488 4016cd lstrcmpA 8487->8488 8488->8484 8488->8485 8490 401567 _memset 8489->8490 8491 40158a lstrcpyA SetFilePointer 8490->8491 8492 4015ec 8490->8492 8491->8492 8493 4015aa ReadFile 8491->8493 8494 40c69a ___ansicp 5 API calls 8492->8494 8493->8492 8495 4015c0 8493->8495 8496 4015fb 8494->8496 8497 4015c9 lstrcmpA 8495->8497 8496->8340 8497->8492 8498 4015de 8497->8498 8498->8492 8500 401eb4 8499->8500 8501 401eb9 CoTaskMemAlloc CoTaskMemAlloc 8499->8501 8500->8501 8502 401f63 CoTaskMemFree CoTaskMemFree 8501->8502 8503 401ed7 8501->8503 8502->8343 8503->8502 8504 401edf ReadFile 8503->8504 8504->8502 8505 401ef6 8504->8505 8513 402ab0 8505->8513 8507 401f47 8519 401be8 8507->8519 8509 401f53 8509->8502 8510 401f07 8510->8502 8510->8507 8510->8509 8511 401f21 CoTaskMemRealloc 8510->8511 8512 402ab0 67 API calls 8510->8512 8511->8502 8511->8510 8512->8510 8514 402ad4 8513->8514 8518 402aca 8513->8518 8514->8518 8535 404b90 8514->8535 8518->8510 8520 401c31 _memset 8519->8520 8521 401c55 lstrlenA 8520->8521 8522 401c6c 8521->8522 8534 401cb5 8521->8534 8523 401c80 lstrcpynA lstrcmpA 8522->8523 8522->8534 8529 401ca6 8523->8529 8523->8534 8524 40c69a ___ansicp 5 API calls 8525 401cc8 8524->8525 8525->8509 8527 4012ea 102 API calls 8527->8529 8528 4024ea lstrlenA 8528->8529 8529->8527 8529->8528 8530 401d38 CreateFileA 8529->8530 8531 402618 14 API calls 8529->8531 8529->8534 8588 401992 8529->8588 8532 401db8 GetLastError 8530->8532 8533 401d5a WriteFile SetFileTime FindCloseChangeNotification SetFileAttributesA 8530->8533 8531->8530 8532->8534 8533->8529 8533->8534 8534->8524 8542 404a20 8535->8542 8537 402b11 8537->8518 8538 404bb0 8537->8538 8539 404bbc 8538->8539 8541 404bd3 8538->8541 8539->8541 8561 408fd0 8539->8561 8541->8518 8543 404a40 8542->8543 8544 404a29 8542->8544 8543->8537 8544->8543 8546 408f20 8544->8546 8547 408f37 8546->8547 8548 
408f43 8547->8548 8550 405490 8547->8550 8548->8543 8551 405499 8550->8551 8554 40d223 8551->8554 8555 40d105 __calloc_impl 66 API calls 8554->8555 8556 40d23b 8555->8556 8557 4054b2 8556->8557 8558 40e02b _write_string 66 API calls 8556->8558 8557->8548 8559 40d251 8558->8559 8559->8557 8560 40e02b _write_string 66 API calls 8559->8560 8560->8557 8569 40900d 8561->8569 8562 409205 8562->8539 8563 4093a8 8566 40be40 __VEC_memcpy 8563->8566 8564 40be40 __VEC_memcpy 8564->8569 8565 409261 8568 40be40 __VEC_memcpy 8565->8568 8566->8562 8568->8562 8569->8562 8569->8563 8569->8564 8569->8565 8570 4091ad 8569->8570 8572 40ae80 8569->8572 8578 40be40 8570->8578 8573 40ae96 8572->8573 8577 40afdd 8572->8577 8584 40a470 8573->8584 8575 40af80 8576 40a470 66 API calls 8575->8576 8576->8577 8577->8569 8579 40be63 8578->8579 8580 40cda0 _realloc __VEC_memcpy 8579->8580 8583 40bf0b 8580->8583 8581 40bfe9 8581->8562 8582 40cda0 _realloc __VEC_memcpy 8582->8581 8583->8581 8583->8582 8586 40a5b1 8584->8586 8585 40a5f1 8585->8575 8586->8585 8587 405490 66 API calls 8586->8587 8587->8586 8589 4019ea 8588->8589 8590 40199d 8588->8590 8589->8529 8590->8589 8591 4019b3 IsWindow 8590->8591 8591->8589 8592 4019be PostMessageA 8591->8592 8592->8589 8594 40247b 8593->8594 8595 4023ad 8593->8595 8594->8595 8596 402480 RegOpenKeyExA 8594->8596 8595->7375 8595->7377 8595->7378 8596->8595 8597 40249a RegQueryValueExA 8596->8597 8598 4024b4 8597->8598 8599 4024b5 RegCloseKey 8597->8599 8598->8599 8599->8595 8601 4012cb 8600->8601 8601->8353 8603 402564 _memset 8602->8603 8604 4025fb 8603->8604 8605 40258d lstrcpyA 8603->8605 8606 40c69a ___ansicp 5 API calls 8604->8606 8607 4025a8 CreateProcessA 8605->8607 8608 40259e 8605->8608 8609 40260e 8606->8609 8607->8604 8610 4025c3 CloseHandle WaitForSingleObject 8607->8610 8608->8607 8609->8350 8611 4025e1 GetExitCodeProcess 8610->8611 8612 4025f6 CloseHandle 8610->8612 8611->8612 8613 4025f2 8611->8613 8612->8604 8613->8612 8617 414ccb 8614->8617 
8620 414c1a 8617->8620 8621 414c48 8620->8621 8622 414c28 8620->8622 8623 414c74 8621->8623 8625 414c57 8621->8625 8624 40e02b _write_string 66 API calls 8622->8624 8635 40d532 8623->8635 8626 414c2d 8624->8626 8627 40e02b _write_string 66 API calls 8625->8627 8629 40dfcc _raise 66 API calls 8626->8629 8630 414c5c 8627->8630 8633 414be6 8629->8633 8632 40dfcc _raise 66 API calls 8630->8632 8632->8633 8633->8382 8636 40c6a9 _LocaleUpdate::_LocaleUpdate 76 API calls 8635->8636 8637 40d58d 8636->8637 8638 40d592 8637->8638 8639 40d653 8637->8639 8693 410451 8637->8693 8640 40e02b _write_string 66 API calls 8638->8640 8639->8638 8667 40d678 __output_l __aulldvrm _strlen 8639->8667 8642 40d597 8640->8642 8645 40dfcc _raise 66 API calls 8642->8645 8643 40d5d2 8644 40d600 8643->8644 8646 410451 __flsbuf 66 API calls 8643->8646 8644->8638 8650 410451 __flsbuf 66 API calls 8644->8650 8647 40d5a7 8645->8647 8649 40d5e0 8646->8649 8648 40c69a ___ansicp 5 API calls 8647->8648 8651 40de9e 8648->8651 8649->8644 8653 410451 __flsbuf 66 API calls 8649->8653 8652 40d625 8650->8652 8651->8633 8672 40fbf3 8651->8672 8652->8639 8657 410451 __flsbuf 66 API calls 8652->8657 8655 40d5ee 8653->8655 8656 410451 __flsbuf 66 API calls 8655->8656 8656->8644 8658 40d633 8657->8658 8658->8639 8660 410451 __flsbuf 66 API calls 8658->8660 8659 40d491 100 API calls _write_string 8659->8667 8662 40d641 8660->8662 8661 40de67 8665 40e02b _write_string 66 API calls 8661->8665 8664 410451 __flsbuf 66 API calls 8662->8664 8663 40d262 __fcloseall 66 API calls 8663->8667 8664->8639 8665->8642 8666 40d4c4 100 API calls _write_multi_char 8666->8667 8667->8647 8667->8659 8667->8661 8667->8663 8667->8666 8668 41277c __malloc_crt 66 API calls 8667->8668 8669 40d4e8 100 API calls _write_string 8667->8669 8670 412b3a 78 API calls _wctomb_s 8667->8670 8671 40ef0a 66 API calls _raise 8667->8671 8700 40f7c8 8667->8700 8668->8667 8669->8667 8670->8667 8671->8667 8673 410451 __flsbuf 66 API calls 8672->8673 8674 
40fc01 8673->8674 8675 40fc23 8674->8675 8676 40fc0c 8674->8676 8678 40fc27 8675->8678 8686 40fc34 __flsbuf 8675->8686 8677 40e02b _write_string 66 API calls 8676->8677 8685 40fc11 8677->8685 8679 40e02b _write_string 66 API calls 8678->8679 8679->8685 8680 40fd22 8682 410375 __locking 100 API calls 8680->8682 8681 40fca2 8683 40fcb9 8681->8683 8688 40fcd6 8681->8688 8682->8685 8716 410375 8683->8716 8685->8633 8686->8685 8689 40fc89 8686->8689 8692 40fc94 8686->8692 8703 4128ee 8686->8703 8688->8685 8741 41384e 8688->8741 8689->8692 8713 413967 8689->8713 8692->8680 8692->8681 8694 410479 8693->8694 8695 41045c 8693->8695 8694->8643 8696 40e02b _write_string 66 API calls 8695->8696 8697 410461 8696->8697 8698 40dfcc _raise 66 API calls 8697->8698 8699 410471 8698->8699 8699->8643 8701 40c6a9 _LocaleUpdate::_LocaleUpdate 76 API calls 8700->8701 8702 40f7d9 8701->8702 8702->8667 8704 412905 8703->8704 8705 4128f7 8703->8705 8708 412930 8704->8708 8709 40e02b _write_string 66 API calls 8704->8709 8706 40e02b _write_string 66 API calls 8705->8706 8707 4128fc 8706->8707 8707->8689 8708->8689 8710 412919 8709->8710 8711 40dfcc _raise 66 API calls 8710->8711 8712 412929 8711->8712 8712->8689 8714 41277c __malloc_crt 66 API calls 8713->8714 8715 413977 8714->8715 8715->8692 8717 410381 __fcloseall 8716->8717 8718 4103a4 8717->8718 8719 410389 8717->8719 8721 4103b2 8718->8721 8725 4103f3 8718->8725 8773 40e03e 8719->8773 8723 40e03e __dosmaperr 66 API calls 8721->8723 8724 4103b7 8723->8724 8727 40e02b _write_string 66 API calls 8724->8727 8776 413a9d 8725->8776 8726 40e02b _write_string 66 API calls 8734 410396 __fcloseall 8726->8734 8729 4103be 8727->8729 8731 40dfcc _raise 66 API calls 8729->8731 8730 4103f9 8732 410406 8730->8732 8733 41041c 8730->8733 8731->8734 8786 40fd53 8732->8786 8736 40e02b _write_string 66 API calls 8733->8736 8734->8685 8738 410421 8736->8738 8737 410414 8845 410447 8737->8845 8739 40e03e __dosmaperr 66 API calls 8738->8739 8739->8737 8742 
41385a __fcloseall 8741->8742 8743 413887 8742->8743 8744 41386b 8742->8744 8746 413895 8743->8746 8748 4138b6 8743->8748 8745 40e03e __dosmaperr 66 API calls 8744->8745 8747 413870 8745->8747 8749 40e03e __dosmaperr 66 API calls 8746->8749 8752 40e02b _write_string 66 API calls 8747->8752 8750 4138d6 8748->8750 8751 4138fc 8748->8751 8753 41389a 8749->8753 8754 40e03e __dosmaperr 66 API calls 8750->8754 8755 413a9d ___lock_fhandle 67 API calls 8751->8755 8766 413878 __fcloseall 8752->8766 8756 40e02b _write_string 66 API calls 8753->8756 8757 4138db 8754->8757 8758 413902 8755->8758 8759 4138a1 8756->8759 8760 40e02b _write_string 66 API calls 8757->8760 8761 41392b 8758->8761 8762 41390f 8758->8762 8763 40dfcc _raise 66 API calls 8759->8763 8765 4138e2 8760->8765 8764 40e02b _write_string 66 API calls 8761->8764 8767 4137cb __lseeki64_nolock 68 API calls 8762->8767 8763->8766 8768 413930 8764->8768 8769 40dfcc _raise 66 API calls 8765->8769 8766->8685 8770 413920 8767->8770 8771 40e03e __dosmaperr 66 API calls 8768->8771 8769->8766 8885 41395d 8770->8885 8771->8770 8774 40f0af _raise 66 API calls 8773->8774 8775 40e043 8774->8775 8775->8726 8777 413aa9 __fcloseall 8776->8777 8778 413b04 8777->8778 8780 40fbc2 __lock 66 API calls 8777->8780 8779 413b09 EnterCriticalSection 8778->8779 8781 413b26 __fcloseall 8778->8781 8779->8781 8782 413ad5 8780->8782 8781->8730 8783 413aec 8782->8783 8784 4113fc ___crtInitCritSecAndSpinCount 66 API calls 8782->8784 8848 413b34 8783->8848 8784->8783 8787 40fd8f 8786->8787 8819 40fd88 8786->8819 8788 40fd93 8787->8788 8789 40fdba 8787->8789 8790 40e03e __dosmaperr 66 API calls 8788->8790 8794 40fe22 8789->8794 8795 40fdfc 8789->8795 8793 40fd98 8790->8793 8791 40c69a ___ansicp 5 API calls 8792 41036d 8791->8792 8792->8737 8797 40e02b _write_string 66 API calls 8793->8797 8796 40fe39 8794->8796 8852 4137cb 8794->8852 8798 40e03e __dosmaperr 66 API calls 8795->8798 8802 4128ee __flsbuf 66 API calls 8796->8802 8801 40fd9f 8797->8801 
8799 40fe01 8798->8799 8803 40e02b _write_string 66 API calls 8799->8803 8804 40dfcc _raise 66 API calls 8801->8804 8805 40fe47 8802->8805 8806 40fe0a 8803->8806 8804->8819 8807 410089 8805->8807 8811 40f126 _LocaleUpdate::_LocaleUpdate 66 API calls 8805->8811 8808 40dfcc _raise 66 API calls 8806->8808 8809 4102c4 WriteFile 8807->8809 8810 410099 8807->8810 8808->8819 8812 4102eb GetLastError 8809->8812 8813 41006e 8809->8813 8814 41013d 8810->8814 8834 4100a7 8810->8834 8815 40fe62 GetConsoleMode 8811->8815 8812->8813 8817 410327 8813->8817 8813->8819 8821 410300 8813->8821 8833 4101ec 8814->8833 8836 410149 8814->8836 8815->8807 8816 40fe87 8815->8816 8816->8807 8818 40fe96 GetConsoleCP 8816->8818 8817->8819 8820 40e02b _write_string 66 API calls 8817->8820 8818->8813 8843 40feb3 8818->8843 8819->8791 8823 410344 8820->8823 8825 410308 8821->8825 8826 41031c 8821->8826 8822 4100f7 WriteFile 8822->8812 8822->8834 8828 40e03e __dosmaperr 66 API calls 8823->8828 8824 41023f WideCharToMultiByte 8824->8812 8830 410272 WriteFile 8824->8830 8829 40e02b _write_string 66 API calls 8825->8829 8865 40e051 8826->8865 8828->8819 8835 41030d 8829->8835 8832 4102a0 GetLastError 8830->8832 8830->8833 8831 4101a2 WriteFile 8831->8812 8831->8836 8832->8833 8833->8813 8833->8817 8833->8824 8833->8830 8834->8813 8834->8817 8834->8822 8838 40e03e __dosmaperr 66 API calls 8835->8838 8836->8813 8836->8817 8836->8831 8838->8819 8839 41377e 78 API calls __locking 8839->8843 8840 4135a9 11 API calls __putwch_nolock 8840->8843 8841 40ff53 WideCharToMultiByte 8841->8813 8842 40ff7e WriteFile 8841->8842 8842->8812 8842->8843 8843->8812 8843->8813 8843->8839 8843->8840 8843->8841 8844 40ffc0 WriteFile 8843->8844 8862 40f7fe 8843->8862 8844->8812 8844->8843 8884 413b3d LeaveCriticalSection 8845->8884 8847 41044f 8847->8734 8851 40faea LeaveCriticalSection 8848->8851 8850 413b3b 8850->8778 8851->8850 8870 413a2c 8852->8870 8854 4137e7 8855 413800 SetFilePointer 8854->8855 8856 4137ef 8854->8856 
8857 413818 GetLastError 8855->8857 8860 4137f4 8855->8860 8858 40e02b _write_string 66 API calls 8856->8858 8859 413822 8857->8859 8857->8860 8858->8860 8861 40e051 __dosmaperr 66 API calls 8859->8861 8860->8796 8861->8860 8863 40f7c8 __isleadbyte_l 76 API calls 8862->8863 8864 40f809 8863->8864 8864->8843 8866 40e03e __dosmaperr 66 API calls 8865->8866 8867 40e057 __dosmaperr 8866->8867 8868 40e02b _write_string 66 API calls 8867->8868 8869 40e06b 8868->8869 8869->8819 8871 413a35 8870->8871 8872 413a4c 8870->8872 8873 40e03e __dosmaperr 66 API calls 8871->8873 8875 40e03e __dosmaperr 66 API calls 8872->8875 8877 413a99 8872->8877 8874 413a3a 8873->8874 8876 40e02b _write_string 66 API calls 8874->8876 8878 413a7a 8875->8878 8879 413a42 8876->8879 8877->8854 8880 40e02b _write_string 66 API calls 8878->8880 8879->8854 8881 413a81 8880->8881 8882 40dfcc _raise 66 API calls 8881->8882 8883 413a91 8882->8883 8883->8854 8884->8847 8888 413b3d LeaveCriticalSection 8885->8888 8887 413965 8887->8766 8888->8887 8890 40c9ee __fcloseall 8889->8890 8891 40fbc2 __lock 66 API calls 8890->8891 8892 40c9f5 8891->8892 8893 40ca74 _raise 8892->8893 8894 40ca19 8892->8894 8908 40caaf 8893->8908 8896 40ef0a _raise 66 API calls 8894->8896 8898 40ca24 8896->8898 8899 40ef0a _raise 66 API calls 8898->8899 8905 40ca32 8899->8905 8901 40caa3 8902 40c87e _malloc 3 API calls 8901->8902 8904 40caac __fcloseall 8902->8904 8903 40ca64 _raise 8903->8893 8904->7390 8905->8903 8907 40ef0a _raise 66 API calls 8905->8907 8913 40ef01 8905->8913 8907->8905 8909 40cab5 8908->8909 8910 40ca90 8908->8910 8916 40faea LeaveCriticalSection 8909->8916 8910->8904 8912 40faea LeaveCriticalSection 8910->8912 8912->8901 8914 40ee93 __initp_misc_cfltcvt_tab 66 API calls 8913->8914 8915 40ef08 8914->8915 8915->8905 8916->8910 8918 40efbd 8917->8918 8921 40efc9 8917->8921 8919 40ef0a _raise 66 API calls 8918->8919 8919->8921 8920 40efdd TlsFree 8922 40efeb 8920->8922 8921->8920 8921->8922 8923 40faaf 
DeleteCriticalSection 8922->8923 8924 40fac7 8922->8924 8925 40d262 __fcloseall 66 API calls 8923->8925 8926 40fad9 DeleteCriticalSection 8924->8926 8927 40f276 8924->8927 8925->8922 8926->8924 8927->7221 8929 40ef01 _raise 66 API calls 8928->8929 8930 40cb0a __init_pointers 8929->8930 8939 411054 8930->8939 8933 40ee93 __initp_misc_cfltcvt_tab 66 API calls 8934 40cb46 8933->8934 8934->7411 8936 40fa55 8935->8936 8937 40f370 8936->8937 8938 4113fc ___crtInitCritSecAndSpinCount 66 API calls 8936->8938 8937->7421 8937->7422 8938->8936 8940 40ee93 __initp_misc_cfltcvt_tab 66 API calls 8939->8940 8941 40cb3c 8940->8941 8941->8933 8943 411661 8942->8943 8944 41416b _parse_cmdline 76 API calls 8943->8944 8946 4116ce 8943->8946 8944->8943 8945 4117cc 8945->7445 8945->7447 8946->8945 8947 41416b 76 API calls _parse_cmdline 8946->8947 8947->8946

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 0040216C
                                            • _memset.LIBCMT ref: 00402180
                                            • _memset.LIBCMT ref: 00402194
                                            • _memset.LIBCMT ref: 004021A2
                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,{05AD7668-6C34-4226-9DE5-A911D0B140D8}), ref: 004021C4
                                            • ResetEvent.KERNEL32(00000000), ref: 004021CE
                                            • RegisterWindowMessageA.USER32(EaccelerationInstallProgressMsg), ref: 004021D9
                                            • RegisterWindowMessageA.USER32(EaccelerationInstallAbort), ref: 004021E9
                                            • FindWindowA.USER32(EaccelerationInstall_DataReceivingWindowClass,00000000), ref: 004021FA
                                            • GetModuleFileNameA.KERNEL32(?,00000104), ref: 00402213
                                            • lstrcmpiA.KERNEL32(?,/InstallerId), ref: 00402232
                                            • MessageBoxA.USER32(00000000,?,eAcceleration Installer,00040040), ref: 00402264
                                            • lstrcmpiA.KERNEL32(?,/Cmd_Extract), ref: 0040228B
                                            • lstrcpyA.KERNEL32(?,?), ref: 004022B3
                                            • lstrcpyA.KERNEL32(?,?), ref: 004022DE
                                            • lstrcmpiA.KERNEL32(?,-we), ref: 00402305
                                            • CloseHandle.KERNEL32(?), ref: 00402311
                                            • Sleep.KERNEL32(000007D0), ref: 0040231C
                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 0040232E
                                            • GetLastError.KERNEL32 ref: 00402333
                                            • CloseHandle.KERNEL32(?), ref: 00402343
                                            • lstrcpyA.KERNEL32(?,?), ref: 0040236C
                                            • MessageBoxA.USER32(00000000,Click 'OK' to resume install of eAcceleration Products.,eAcceleration,00000000), ref: 004023C8
                                            • MessageBoxA.USER32(00000000,?,Error: Could Not Find Setup.exe,00040000), ref: 00402406
                                            • SetEvent.KERNEL32(?), ref: 00402440
                                            • CloseHandle.KERNEL32(?), ref: 00402449
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Message$Event_memset$CloseHandleWindowlstrcmpilstrcpy$CreateRegister$ErrorFileFindLastModuleNameResetSleep
                                            • String ID: -we$/Cmd_Extract$/InstallerId$Click 'OK' to resume install of eAcceleration Products.$DelFolder$EaccelerationInstallAbort$EaccelerationInstallProgressMsg$EaccelerationInstall_DataReceivingWindowClass$Error: Could Not Find Setup.exe$ExecSetup$Software\eAcceleration\Install$The I.D. value for this installer executable is:%u (0x%x)$eAcceleration$eAcceleration Installer${05AD7668-6C34-4226-9DE5-A911D0B140D8}
                                            • API String ID: 836737559-71516208
                                            • Opcode ID: 4bf115dbb311a94f49e567a7324d6e8a77c79711c6ee68ae6c38fc472422e1e0
                                            • Instruction ID: 8445385014258f1c5835d779a6844de32001c4d0175b5f93f2f8c8da7657eef8
                                            • Opcode Fuzzy Hash: 4bf115dbb311a94f49e567a7324d6e8a77c79711c6ee68ae6c38fc472422e1e0
                                            • Instruction Fuzzy Hash: 11914071900648EFDB20AFA1DD89FDE7BACEB49304F10853AFA05E71A1D6B89544CF58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 0040281E
                                            • _memset.LIBCMT ref: 0040283A
                                            • _memset.LIBCMT ref: 0040284E
                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 0040285F
                                            • lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 00402878
                                              • Part of subcall function 00402770: lstrlenA.KERNEL32(?,00000104,0040148E,?,00000000), ref: 0040277C
                                            • lstrcatA.KERNEL32(?,*.*,?,00000001,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 0040289A
                                            • FindFirstFileA.KERNELBASE(?,?,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 004028AB
                                            • lstrcmpA.KERNEL32(?,004154CC,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 004028DB
                                            • lstrcmpA.KERNEL32(?,004154C8,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 004028F2
                                            • wsprintfA.USER32 ref: 0040290F
                                            • DeleteFileA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 0040292F
                                            • GetTickCount.KERNEL32 ref: 00402939
                                            • GetFileAttributesA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 00402945
                                            • GetTickCount.KERNEL32 ref: 00402957
                                            • Sleep.KERNEL32(00000005,?,?,?,?,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 00402960
                                            • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 0040296D
                                            • FindNextFileA.KERNELBASE(?,?,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 0040297B
                                            • FindClose.KERNEL32(?,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 00402988
                                            • RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 00402991
                                            • GetTickCount.KERNEL32 ref: 00402997
                                            • GetFileAttributesA.KERNELBASE(?,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 0040299E
                                            • GetTickCount.KERNEL32 ref: 004029AB
                                            • Sleep.KERNEL32(00000005,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 004029B3
                                            • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,Software\eAcceleration\Install,80000002,00000000), ref: 004029BC
                                            Strings
                                            Similarity
                                            • API ID: File$AttributesCountTick$Find_memset$Sleeplstrcmplstrlen$CloseDeleteDirectoryFirstNextRemovelstrcatlstrcpywsprintf
                                            • String ID: %s\%s$*.*$Software\eAcceleration\Install
                                            • API String ID: 2347288209-1609546006
                                            • Opcode ID: 360b418d4a1fded0eadfcedb810b7bf425c6b5498ef8ad5d3d3cb4bf112b5eb3
                                            • Instruction ID: c020ae8afad587403ad6567c70a66eb4b1264854bd49cd4f5b7ec97616a3c4cb
                                            • Opcode Fuzzy Hash: 360b418d4a1fded0eadfcedb810b7bf425c6b5498ef8ad5d3d3cb4bf112b5eb3
                                            • Instruction Fuzzy Hash: AA514AB19006089BDB209FF4DD88BDE7BBCAF48314F20463BE519E71D1D7789A458B68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 0040134D
                                            • lstrcpyA.KERNEL32(?,?), ref: 0040136D
                                            • GetFileAttributesA.KERNELBASE(?), ref: 00401388
                                            • lstrcpyA.KERNEL32(?,?), ref: 004013A5
                                            • GetFileAttributesA.KERNELBASE(?), ref: 004013BA
                                            • LoadLibraryA.KERNEL32(?), ref: 004013C5
                                            • GetProcAddress.KERNEL32(00000000,CheckSysAndDisplayErrors), ref: 004013D9
                                            • FreeLibrary.KERNEL32(00000000), ref: 004013ED
                                              • Part of subcall function 00402526: _memset.LIBCMT ref: 0040255F
                                              • Part of subcall function 00402526: _memset.LIBCMT ref: 00402575
                                              • Part of subcall function 00402526: lstrcpyA.KERNEL32(?,?,?,?,?,74DE83C0,00000104,74DF3310), ref: 00402594
                                              • Part of subcall function 00402526: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,74DE83C0,00000104,74DF3310), ref: 004025B9
                                              • Part of subcall function 00402526: CloseHandle.KERNEL32(?,?,?,?,74DE83C0,00000104,74DF3310), ref: 004025CC
                                              • Part of subcall function 00402526: WaitForSingleObject.KERNEL32(?,?,?,?,?,74DE83C0,00000104,74DF3310), ref: 004025D7
                                              • Part of subcall function 00402526: GetExitCodeProcess.KERNELBASE(?,?), ref: 004025E8
                                              • Part of subcall function 00402526: CloseHandle.KERNEL32(?,?,?,?,74DE83C0,00000104,74DF3310), ref: 004025F9
                                            Strings
                                            Similarity
                                            • API ID: _memsetlstrcpy$AttributesCloseFileHandleLibraryProcess$AddressCodeCreateExitFreeLoadObjectProcSingleWait
                                            • String ID: CheckSysAndDisplayErrors$\syscheck.dll$\syscheck.exe
                                            • API String ID: 1106719430-2207763174
                                            • Opcode ID: 5b8f0d92696344bbe634c1e7a75d2effa94b0fab30ad17a949e05aa752936745
                                            • Instruction ID: f0c1d21d81e68db32ab0fbbc4f73812798623cfc1e8e88811eba7d0ac649df08
                                            • Opcode Fuzzy Hash: 5b8f0d92696344bbe634c1e7a75d2effa94b0fab30ad17a949e05aa752936745
                                            • Instruction Fuzzy Hash: 1E215072900518ABDB20DBB5DC84FDEBBBCAF89314F20052AE824F31D2D63895458F68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 00401445
                                            • _memset.LIBCMT ref: 00401459
                                            • GetTempPathA.KERNEL32(00000105,?), ref: 00401476
                                              • Part of subcall function 00402770: lstrlenA.KERNEL32(?,00000104,0040148E,?,00000000), ref: 0040277C
                                            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000), ref: 00401498
                                            • Sleep.KERNEL32(00000005), ref: 004014BE
                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 004014CB
                                            • GetFileAttributesA.KERNELBASE(?), ref: 004014F3
                                            Strings
                                            Similarity
                                            • API ID: Time$File$System_memset$AttributesPathSleepTemplstrlen
                                            • String ID: %s\EAC%u_%8.8x
                                            • API String ID: 3819444313-578419197
                                            • Opcode ID: de564b9c2073bdb6c9836df68afc3e3e4f7fdc7d70ad44e3d1709634599318f1
                                            • Instruction ID: 7718a0c0b0f49a17e30a11998a7c2d1e10ebcfc85d53e8e24a7e1147fa749a90
                                            • Opcode Fuzzy Hash: de564b9c2073bdb6c9836df68afc3e3e4f7fdc7d70ad44e3d1709634599318f1
                                            • Instruction Fuzzy Hash: C331FB7290054CAEDB30EFF5CC85EDE7BACFF49304F10452AA519E7192D6799A088F64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 00401C2C
                                            • _memset.LIBCMT ref: 00401C41
                                            • _memset.LIBCMT ref: 00401C50
                                            • lstrlenA.KERNEL32(EAC-ARCHIVEDATA00,?,?,?,?,?,?,00000000,?,?), ref: 00401C60
                                            • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,?,?,?,00000000,?,?), ref: 00401C89
                                            • lstrcmpA.KERNEL32(?,EAC-ARCHIVEDATA00,?,?,?,?,?,?,00000000,?,?), ref: 00401C98
                                            • CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000,?,00000000,0000005C), ref: 00401D4C
                                            • WriteFile.KERNELBASE(00000000,?,?,?,00000000), ref: 00401D6B
                                            • SetFileTime.KERNELBASE(?,?,?,00000000), ref: 00401D80
                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401D89
                                            • SetFileAttributesA.KERNELBASE(?,?), ref: 00401D98
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401DB8
                                            Strings
                                            Similarity
                                            • API ID: File$_memset$AttributesChangeCloseCreateErrorFindLastNotificationTimeWritelstrcmplstrcpynlstrlen
                                            • String ID: %s\%s$EAC-ARCHIVEDATA00
                                            • API String ID: 2748298248-1039776125
                                            • Opcode ID: a5d778ab43d71dcdca36ed31285e803ec6884c60a11d5274b16291314085e9a6
                                            • Instruction ID: 50c55ef185a134e7c5a5b6ddaa53ca074a39d0f568657131e61b4e4f94a11248
                                            • Opcode Fuzzy Hash: a5d778ab43d71dcdca36ed31285e803ec6884c60a11d5274b16291314085e9a6
                                            • Instruction Fuzzy Hash: F4514C71500248AFDB70DFB5DC88FEE7BACAF09304F50452AB949E7191DB749604CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 145 401600-401622 146 401628-40168d call 40c620 call 40127e call 401000 SetFilePointer call 40c620 * 2 145->146 147 4016fc-40170f call 40c69a 145->147 160 4016f3-4016f9 SetFilePointer 146->160 161 40168f-401695 146->161 162 4016fb 160->162 163 401698-4016b2 call 40c620 SetFilePointer 161->163 162->147 166 4016e2-4016f1 163->166 167 4016b4-4016cb ReadFile 163->167 166->160 166->163 167->166 168 4016cd-4016e0 lstrcmpA 167->168 168->166 169 401710-401717 168->169 169->162
                                            APIs
                                            • _memset.LIBCMT ref: 00401633
                                            • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 0040165F
                                            • _memset.LIBCMT ref: 0040166E
                                            • _memset.LIBCMT ref: 0040167A
                                            • _memset.LIBCMT ref: 0040169F
                                            • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004016AD
                                            • ReadFile.KERNELBASE(?,?,00000064,?,00000000), ref: 004016C3
                                            • lstrcmpA.KERNEL32(?,?), ref: 004016D8
                                            • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004016F9
                                            Strings
                                            • {33D55E00-1916-4656-A942-92D420609FC0}, xrefs: 0040163B
                                            Similarity
                                            • API ID: File_memset$Pointer$Readlstrcmp
                                            • String ID: {33D55E00-1916-4656-A942-92D420609FC0}
                                            • API String ID: 3908948077-2389466153
                                            • Opcode ID: c7bd881776fd9ca2a2b1eb687a55321d0f7bc6884e05a8ecaba6c13fb3deb79e
                                            • Instruction ID: ef60d0110b56e9c841f43e8849a78ec6f62d222c12fe9a1220c9534ce959902c
                                            • Opcode Fuzzy Hash: c7bd881776fd9ca2a2b1eb687a55321d0f7bc6884e05a8ecaba6c13fb3deb79e
                                            • Instruction Fuzzy Hash: 2F314F7190020CAFDB10DFA8CC81EEF7BBCAF08354F14062AF524F6191D73999048B69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 170 401f79-401fef call 40c620 * 2 175 401ff5-401ff8 170->175 176 40210d-402126 call 40c69a 170->176 175->176 177 401ffe-40201a SetLastError call 401dc5 175->177 177->176 182 402020-402036 call 401719 177->182 182->176 185 40203c-40205d CreateFileA 182->185 185->176 186 402063-402083 ReadFile SetFilePointer 185->186 187 402085-4020a3 call 401600 call 401535 186->187 192 402104-402107 FindCloseChangeNotification 187->192 193 4020a5-4020bd SetLastError SetFilePointer 187->193 192->176 193->192 194 4020bf-4020c1 193->194 195 4020e0-402102 call 401e96 SetFilePointer 194->195 196 4020c3-4020d7 lstrcmpA 194->196 195->187 195->192 196->192 197 4020d9 196->197 197->195
                                            APIs
                                            • _memset.LIBCMT ref: 00401FC5
                                            • _memset.LIBCMT ref: 00401FD3
                                            • SetLastError.KERNEL32(00000000), ref: 00401FFF
                                              • Part of subcall function 00401DC5: _memset.LIBCMT ref: 00401E03
                                              • Part of subcall function 00401DC5: lstrlenA.KERNEL32(?), ref: 00401E14
                                              • Part of subcall function 00401DC5: GetFileAttributesA.KERNELBASE(?), ref: 00401E56
                                              • Part of subcall function 00401DC5: lstrcpynA.KERNEL32(?,?,?), ref: 00401E6C
                                              • Part of subcall function 00401719: _memset.LIBCMT ref: 00401769
                                              • Part of subcall function 00401719: lstrlenA.KERNEL32(?), ref: 0040178C
                                              • Part of subcall function 00401719: lstrlenA.KERNEL32(?,?,00000000,0000005C), ref: 00401863
                                              • Part of subcall function 00401719: lstrcpynA.KERNEL32(?,?,?,?,?,00000000), ref: 0040189F
                                            • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040204F
                                            • ReadFile.KERNELBASE(00000000,?,00000007,?,00000000), ref: 00402072
                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 00402083
                                              • Part of subcall function 00401600: _memset.LIBCMT ref: 00401633
                                              • Part of subcall function 00401600: SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 0040165F
                                              • Part of subcall function 00401600: _memset.LIBCMT ref: 0040166E
                                              • Part of subcall function 00401600: _memset.LIBCMT ref: 0040167A
                                              • Part of subcall function 00401600: _memset.LIBCMT ref: 0040169F
                                              • Part of subcall function 00401600: SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004016AD
                                              • Part of subcall function 00401600: ReadFile.KERNELBASE(?,?,00000064,?,00000000), ref: 004016C3
                                              • Part of subcall function 00401600: lstrcmpA.KERNEL32(?,?), ref: 004016D8
                                              • Part of subcall function 00401600: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004016F9
                                              • Part of subcall function 00401535: _memset.LIBCMT ref: 00401562
                                              • Part of subcall function 00401535: _memset.LIBCMT ref: 00401571
                                              • Part of subcall function 00401535: _memset.LIBCMT ref: 0040157D
                                              • Part of subcall function 00401535: lstrcpyA.KERNEL32(?,{33D55E00-1916-4656-A942-92D420609FC0}), ref: 00401593
                                              • Part of subcall function 00401535: SetFilePointer.KERNELBASE(?,0000009C,00000000,00000001), ref: 0040159F
                                              • Part of subcall function 00401535: ReadFile.KERNEL32(?,?,00000064,?,00000000), ref: 004015B6
                                              • Part of subcall function 00401535: lstrcmpA.KERNEL32(?,?), ref: 004015D4
                                            • SetLastError.KERNEL32(00000000), ref: 004020A6
                                            • SetFilePointer.KERNELBASE(?,-00000064,00000000,00000001), ref: 004020B8
                                            • lstrcmpA.KERNEL32(?,00415308), ref: 004020CF
                                            • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 004020FC
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 00402107
                                            Similarity
                                            • API ID: File$_memset$Pointer$Readlstrcmplstrlen$ErrorLastlstrcpyn$AttributesChangeCloseCreateFindNotificationlstrcpy
                                            • String ID:
                                            • API String ID: 1051430818-0
                                            • Opcode ID: 13ac95c922d9e5cc5d4f65822e2c68a4ec25d67df32a6ed463bc5d7bc58d39f0
                                            • Instruction ID: 9589f183c3d1373be8930f066a14ab95d265d5f20ef843e1f2006315c9f5e8ca
                                            • Opcode Fuzzy Hash: 13ac95c922d9e5cc5d4f65822e2c68a4ec25d67df32a6ed463bc5d7bc58d39f0
                                            • Instruction Fuzzy Hash: 23415D71900218AFEB319FA5DC84EEEBBBCEB49354F10013AFA05EB191D6B459058F64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 200 402618-40265a call 40c620 203 402660-40266a GetFileAttributesA 200->203 204 402755-40276d call 40c69a 200->204 206 402670-40267c lstrlenA 203->206 207 40274e 203->207 206->204 209 402682-40268f lstrcpyA 206->209 207->204 210 402692-40269e call 4024c5 209->210 213 4026a0-4026ac call 4024c5 210->213 214 4026ae-4026b3 210->214 213->214 223 402722-402731 GetFileAttributesA 213->223 216 4026f5-402707 GetFileAttributesA 214->216 217 4026b5-4026be 214->217 221 402715-40271d 216->221 222 402709-40270f CreateDirectoryA 216->222 219 4026c0-4026c5 217->219 220 4026c7-4026cc 217->220 219->220 224 4026d5-4026d9 219->224 220->216 225 4026ce-4026d3 220->225 221->210 222->221 226 402733-40273e CreateDirectoryA Sleep 223->226 227 402744-40274c GetFileAttributesA 223->227 228 4026db-4026dd 224->228 229 4026df-4026e7 224->229 225->216 225->224 226->227 227->204 227->207 228->229 230 4026f0-4026f3 228->230 229->216 231 4026e9-4026ee 229->231 230->210 231->216 231->230
                                            APIs
                                            • _memset.LIBCMT ref: 00402650
                                            • GetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00402661
                                            • lstrlenA.KERNEL32(?,?,?,?), ref: 00402671
                                            • lstrcpyA.KERNEL32(?,?,00000104,?,?,?,?), ref: 00402689
                                            • GetFileAttributesA.KERNELBASE(?,?,0000005C,?,?,?), ref: 004026FE
                                            • CreateDirectoryA.KERNEL32(?,00000000,?,?,?), ref: 0040270F
                                            • GetFileAttributesA.KERNELBASE(?,00000001,0000002F,00000001,0000005C,?,?,?), ref: 0040272C
                                            • CreateDirectoryA.KERNELBASE(?,00000000,?,?,?), ref: 00402736
                                            • Sleep.KERNELBASE(00000014,?,?,?), ref: 0040273E
                                            • GetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00402745
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: AttributesFile$CreateDirectory$Sleep_memsetlstrcpylstrlen
                                            • String ID:
                                            • API String ID: 839522043-0
                                            • Opcode ID: 40ebaff7cde6c2313a329981a74c762905b04aeeafde32014087918bb02aab93
                                            • Instruction ID: 33b7de2d5f3e4a1401c4ab541916a461282f9c19954992083aaab48077a471c6
                                            • Opcode Fuzzy Hash: 40ebaff7cde6c2313a329981a74c762905b04aeeafde32014087918bb02aab93
                                            • Instruction Fuzzy Hash: BA41E7318005499ADB309FB4CD8CBDE7BA8AB08314F604D3AE565F71C2DBBD99449F68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 232 401ab2-401b2a call 40c620 * 2 call 4012ea GetFileAttributesA 239 401b30-401b3c call 4019ef 232->239 240 401bcd-401be7 call 40c69a 232->240 243 401b41-401b43 239->243 245 401b45-401b6f call 4012ae * 2 GetCommandLineA 243->245 246 401b96-401ba5 call 402526 243->246 245->246 257 401b71-401b7a lstrlenA 245->257 252 401ba7-401baf 246->252 253 401bca 246->253 252->253 254 401bb1-401bb8 252->254 253->240 254->253 256 401bba-401bc4 PostMessageA 254->256 256->253 257->246 258 401b7c-401b91 call 4012ae * 2 257->258 258->246
                                            APIs
                                            • _memset.LIBCMT ref: 00401AE6
                                            • _memset.LIBCMT ref: 00401B01
                                            • GetFileAttributesA.KERNELBASE(?), ref: 00401B21
                                              • Part of subcall function 004019EF: _memset.LIBCMT ref: 00401A1D
                                              • Part of subcall function 004019EF: GetModuleFileNameA.KERNEL32(?,00000104), ref: 00401A42
                                              • Part of subcall function 004019EF: lstrlenA.KERNEL32(?), ref: 00401A6E
                                              • Part of subcall function 004019EF: GetShortPathNameA.KERNEL32(?,?,?), ref: 00401A84
                                              • Part of subcall function 004019EF: lstrcpyA.KERNEL32(?,?), ref: 00401A96
                                            • GetCommandLineA.KERNEL32 ref: 00401B65
                                            • lstrlenA.KERNEL32(00000000), ref: 00401B72
                                            • PostMessageA.USER32(00000000,0000C1C0,00000000,?), ref: 00401BC4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _memset$FileNamelstrlen$AttributesCommandLineMessageModulePathPostShortlstrcpy
                                            • String ID: /Cmd $%s\setup.exe
                                            • API String ID: 1726511820-1678359503
                                            • Opcode ID: 656f8668b4965cf01c09347d56cd11d1f0a52cf4fab62cabba9efb3a4c952193
                                            • Instruction ID: bb7ee3e4791e5a6daafc201ded24775022d84c1433794cc7d45fc6fb90cc8b24
                                            • Opcode Fuzzy Hash: 656f8668b4965cf01c09347d56cd11d1f0a52cf4fab62cabba9efb3a4c952193
                                            • Instruction Fuzzy Hash: 0D3132B1A00608ABEB309FB5DC85FDB77ACAF49314F10453EB929F71D1E77895058A28
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 283 401535-401588 call 40c620 * 3 290 40158a-4015a8 lstrcpyA SetFilePointer 283->290 291 4015ec 283->291 290->291 293 4015aa-4015be ReadFile 290->293 292 4015ee-4015ff call 40c69a 291->292 293->291 295 4015c0-4015dc call 401000 lstrcmpA 293->295 295->291 299 4015de-4015e3 295->299 299->292 300 4015e5-4015ea 299->300 300->292
                                            APIs
                                            • _memset.LIBCMT ref: 00401562
                                            • _memset.LIBCMT ref: 00401571
                                            • _memset.LIBCMT ref: 0040157D
                                            • lstrcpyA.KERNEL32(?,{33D55E00-1916-4656-A942-92D420609FC0}), ref: 00401593
                                            • SetFilePointer.KERNELBASE(?,0000009C,00000000,00000001), ref: 0040159F
                                            • ReadFile.KERNEL32(?,?,00000064,?,00000000), ref: 004015B6
                                            • lstrcmpA.KERNEL32(?,?), ref: 004015D4
                                            Strings
                                            • {33D55E00-1916-4656-A942-92D420609FC0}, xrefs: 0040158A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _memset$File$PointerReadlstrcmplstrcpy
                                            • String ID: {33D55E00-1916-4656-A942-92D420609FC0}
                                            • API String ID: 3364451754-2389466153
                                            • Opcode ID: 5924950c6a99590b686e555a1be2e0bacb963a154aa2e7e486bc60067ca5d9c3
                                            • Instruction ID: 34f2a64c773a5c2390bd5199e061d5aa004fc8f6d1b578755e1902c5f27298aa
                                            • Opcode Fuzzy Hash: 5924950c6a99590b686e555a1be2e0bacb963a154aa2e7e486bc60067ca5d9c3
                                            • Instruction Fuzzy Hash: D3213B72600208EFDB14DFA8CCC5EEE77ACAB48314F44013AFA25E71D1D679D9088B69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 301 402526-40258b call 40c620 * 2 306 4025fb-402615 call 40c69a 301->306 307 40258d-40259c lstrcpyA 301->307 309 4025a8-4025c1 CreateProcessA 307->309 310 40259e-4025a5 307->310 309->306 312 4025c3-4025df CloseHandle WaitForSingleObject 309->312 310->309 313 4025e1-4025f0 GetExitCodeProcess 312->313 314 4025f6-4025f9 CloseHandle 312->314 313->314 315 4025f2 313->315 314->306 315->314
                                            APIs
                                            • _memset.LIBCMT ref: 0040255F
                                            • _memset.LIBCMT ref: 00402575
                                            • lstrcpyA.KERNEL32(?,?,?,?,?,74DE83C0,00000104,74DF3310), ref: 00402594
                                            • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,74DE83C0,00000104,74DF3310), ref: 004025B9
                                            • CloseHandle.KERNEL32(?,?,?,?,74DE83C0,00000104,74DF3310), ref: 004025CC
                                            • WaitForSingleObject.KERNEL32(?,?,?,?,?,74DE83C0,00000104,74DF3310), ref: 004025D7
                                            • GetExitCodeProcess.KERNELBASE(?,?), ref: 004025E8
                                            • CloseHandle.KERNEL32(?,?,?,?,74DE83C0,00000104,74DF3310), ref: 004025F9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CloseHandleProcess_memset$CodeCreateExitObjectSingleWaitlstrcpy
                                            • String ID:
                                            • API String ID: 3752598642-0
                                            • Opcode ID: 97d34530287cbcb1ff2767ece91fadfe5833992ceeb31631e12e64bc7ff3913d
                                            • Instruction ID: dc3fff0f274494551a67e20d60c503e27f7b0db0bbe64d9330e25dad48dca682
                                            • Opcode Fuzzy Hash: 97d34530287cbcb1ff2767ece91fadfe5833992ceeb31631e12e64bc7ff3913d
                                            • Instruction Fuzzy Hash: E8311EB1D0050DEEDB20DFA8DC84AEEBBBCFB48314F10452AE615B61A0DB759D049F68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 316 401216-40123f GetModuleHandleA GetProcAddress 317 401241-401247 GetLongPathNameA 316->317 318 40125d-40126c call 40106f 316->318 319 401276-40127c 317->319 320 401249-401252 GetLastError 317->320 324 40126e-401273 318->324 319->324 320->319 322 401254-40125a 320->322 322->318
                                            APIs
                                            • GetModuleHandleA.KERNEL32(KERNEL32), ref: 00401220
                                            • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 0040122C
                                            • GetLongPathNameA.KERNELBASE(?,?,?), ref: 00401241
                                            • GetLastError.KERNEL32 ref: 00401249
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: AddressErrorHandleLastLongModuleNamePathProc
                                            • String ID: GetLongPathNameA$KERNEL32
                                            • API String ID: 1507741363-371381169
                                            • Opcode ID: 232af2952a8666a750465abedff78da29803a4dd0fe3971d4fd695e4b6186ba8
                                            • Instruction ID: 4af11045464827baae23121ccc00f9ff79dda482ef8d6d24c6a076b5acdbe5ce
                                            • Opcode Fuzzy Hash: 232af2952a8666a750465abedff78da29803a4dd0fe3971d4fd695e4b6186ba8
                                            • Instruction Fuzzy Hash: 86F09033540659EBCF116FE5AC08DCB7F66EB993A0701817AF904F6270CB7588509BA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 325 401e96-401eb2 326 401eb4-401eb6 325->326 327 401eb9-401ed1 CoTaskMemAlloc * 2 325->327 326->327 328 401f63-401f78 CoTaskMemFree * 2 327->328 329 401ed7-401ed9 327->329 329->328 330 401edf-401ef4 ReadFile 329->330 330->328 331 401ef6-401f0c call 402ab0 330->331 334 401f47-401f4e call 401be8 331->334 335 401f0e 331->335 338 401f53-401f5d 334->338 337 401f12-401f15 335->337 339 401f17-401f1f 337->339 340 401f5f 337->340 338->328 339->328 341 401f21-401f2d CoTaskMemRealloc 339->341 340->328 341->328 342 401f2f-401f45 call 402ab0 341->342 342->334 342->337
                                            APIs
                                            • CoTaskMemAlloc.OLE32(?), ref: 00401EC3
                                            • CoTaskMemAlloc.OLE32(?), ref: 00401EC9
                                            • ReadFile.KERNELBASE(?,00000000,?,?,00000000), ref: 00401EEC
                                            • CoTaskMemRealloc.OLE32(00000000,?), ref: 00401F23
                                            • CoTaskMemFree.OLE32(00000000), ref: 00401F6C
                                            • CoTaskMemFree.OLE32(00000000), ref: 00401F6F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Task$AllocFree$FileReadRealloc
                                            • String ID:
                                            • API String ID: 2083587514-0
                                            • Opcode ID: 750be38010290871f2629b788473fbb01561f6f613fe6952832112fb4bc900a6
                                            • Instruction ID: fc7592c3d088cae382aced483a8e9b9132643075aa0dce1421cf44765ac98ee1
                                            • Opcode Fuzzy Hash: 750be38010290871f2629b788473fbb01561f6f613fe6952832112fb4bc900a6
                                            • Instruction Fuzzy Hash: D2215972C0010ABBDF119FA5DD80AEFBBBCEF48354F154076E904B22A0E7358E109BA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 345 401dc5-401e0d call 40c620 348 401e79-401e93 call 40c69a 345->348 349 401e0f-401e11 345->349 349->348 351 401e13-401e1c lstrlenA 349->351 351->348 353 401e1e-401e23 351->353 354 401e25-401e28 353->354 355 401e47-401e4c lstrcpyA 353->355 357 401e2a-401e2c 354->357 358 401e2e-401e45 call 4019ef call 4012ae 354->358 356 401e52-401e5f GetFileAttributesA 355->356 356->348 359 401e61-401e72 lstrcpynA 356->359 357->355 357->358 358->356 359->348
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: AttributesFile_memsetlstrcpylstrcpynlstrlen
                                            • String ID:
                                            • API String ID: 3156717511-0
                                            • Opcode ID: 2e0cf5a74f09e8b50675a6715e6adaa746a7ac5d15e718206defb220a2c9181a
                                            • Instruction ID: fd1b1d504f3d851efde7a5fbafb82b7ee541279cdf5a8f4990652ddbd700fa67
                                            • Opcode Fuzzy Hash: 2e0cf5a74f09e8b50675a6715e6adaa746a7ac5d15e718206defb220a2c9181a
                                            • Instruction Fuzzy Hash: CF218371900508DBEB309FB5DC84FDF77BDAF49318F10412AE915E3292D73995048BA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 364 4019ef-401a29 call 40c620 367 401a2b-401a2e 364->367 368 401a9f-401aaf call 40c69a 364->368 367->368 370 401a30-401a4a GetModuleFileNameA 367->370 370->368 372 401a4c-401a4f 370->372 373 401a51-401a62 call 4024ea 372->373 374 401a67-401a77 lstrlenA 372->374 373->374 380 401a64 373->380 374->368 375 401a79-401a8c GetShortPathNameA 374->375 377 401a9c-401a9e 375->377 378 401a8e-401a96 lstrcpyA 375->378 377->368 378->377 380->374
                                            APIs
                                            • _memset.LIBCMT ref: 00401A1D
                                            • GetModuleFileNameA.KERNEL32(?,00000104), ref: 00401A42
                                            • lstrlenA.KERNEL32(?), ref: 00401A6E
                                            • GetShortPathNameA.KERNEL32(?,?,?), ref: 00401A84
                                            • lstrcpyA.KERNEL32(?,?), ref: 00401A96
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Name$FileModulePathShort_memsetlstrcpylstrlen
                                            • String ID:
                                            • API String ID: 259234414-0
                                            • Opcode ID: b05064e4e1b44f0249e16609e698181cf34efcac9e91c6d52335d6dd6527280a
                                            • Instruction ID: 73bf967a4462113c03900341c0dbd5b8d5badba5b3f509ca0ff9276c9d2b9bcf
                                            • Opcode Fuzzy Hash: b05064e4e1b44f0249e16609e698181cf34efcac9e91c6d52335d6dd6527280a
                                            • Instruction Fuzzy Hash: AB11A231600209EFDB20DFA1DC84DEF7BACAB55304F00407AE584E6190DA749EC48F64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CharLongLowerNamePath_memsetlstrcpy
                                            • String ID:
                                            • API String ID: 1879347461-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?), ref: 00402490
                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 004024AA
                                            • RegCloseKey.ADVAPI32(?), ref: 004024B8
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID:
                                            • API String ID: 3677997916-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040CC8B,00000001), ref: 00411A36
                                            • HeapDestroy.KERNEL32 ref: 00411A6C
                                            Similarity
                                            • API ID: Heap$CreateDestroy
                                            • String ID:
                                            • API String ID: 3296620671-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ___crtCorExitProcess.LIBCMT ref: 0040C882
                                              • Part of subcall function 0040C858: GetModuleHandleA.KERNEL32(mscoree.dll,0040C887,00000214,0040F996,000000FF,0000001E,00000001,00000000,00000000,?,00412789,0040F0D8,00000001,00000001,0040FB4C,00000018), ref: 0040C85D
                                              • Part of subcall function 0040C858: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040C86D
                                            • ExitProcess.KERNEL32 ref: 0040C88C
                                            Similarity
                                            • API ID: ExitProcess$AddressHandleModuleProc___crt
                                            • String ID:
                                            • API String ID: 2427264223-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Similarity
                                            • API ID: _calloc
                                            • String ID:
                                            • API String ID: 1679841372-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • IsDebuggerPresent.KERNEL32 ref: 0040E419
                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040E42E
                                            • UnhandledExceptionFilter.KERNEL32(004158BC), ref: 0040E439
                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 0040E455
                                            • TerminateProcess.KERNEL32(00000000), ref: 0040E45C
                                            Similarity
                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                            • String ID:
                                            • API String ID: 2579439406-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetUnhandledExceptionFilter.KERNEL32(Function_000114C1), ref: 00411503
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _strcpy_s.LIBCMT ref: 00410D0B
                                            • __invoke_watson.LIBCMT ref: 00410D1C
                                            • GetModuleFileNameA.KERNEL32(00000000,0041B761,00000104,0040F0D8,00000001,00000214), ref: 00410D38
                                            • _strcpy_s.LIBCMT ref: 00410D4D
                                            • __invoke_watson.LIBCMT ref: 00410D60
                                            • _strlen.LIBCMT ref: 00410D69
                                            • _strlen.LIBCMT ref: 00410D76
                                            • __invoke_watson.LIBCMT ref: 00410DA3
                                            • _strcat_s.LIBCMT ref: 00410DB6
                                            • __invoke_watson.LIBCMT ref: 00410DC7
                                            • _strcat_s.LIBCMT ref: 00410DD8
                                            • __invoke_watson.LIBCMT ref: 00410DE9
                                            • GetStdHandle.KERNEL32(000000F4,00000001,00000001,00000000,76ED5E70,00000003,00410E6B,000000FC,0040F985,00000001,00000000,00000000,?,00412789,0040F0D8,00000001), ref: 00410E08
                                            • _strlen.LIBCMT ref: 00410E29
                                            • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00412789,0040F0D8,00000001,00000001,0040FB4C,00000018,00417350,0000000C,0040FBDB,00000001), ref: 00410E33
                                            Strings
                                            Similarity
                                            • API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                            • API String ID: 1879448924-4022980321
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,0040CC9D), ref: 0040F265
                                            • __mtterm.LIBCMT ref: 0040F271
                                              • Part of subcall function 0040EFB3: TlsFree.KERNEL32(0000000C,0040F3DE), ref: 0040EFDE
                                              • Part of subcall function 0040EFB3: DeleteCriticalSection.KERNEL32(00000000,00000000,74DEDFB0,00000001,0040F3DE), ref: 0040FAB0
                                              • Part of subcall function 0040EFB3: DeleteCriticalSection.KERNEL32(0000000C,74DEDFB0,00000001,0040F3DE), ref: 0040FADA
                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0040F287
                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0040F294
                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0040F2A1
                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0040F2AE
                                            • TlsAlloc.KERNEL32 ref: 0040F2FE
                                            • TlsSetValue.KERNEL32(00000000), ref: 0040F319
                                            • __init_pointers.LIBCMT ref: 0040F323
                                            • __calloc_crt.LIBCMT ref: 0040F398
                                            • GetCurrentThreadId.KERNEL32 ref: 0040F3C8
                                            Strings
                                            Similarity
                                            • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                            • API String ID: 2125014093-3819984048
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,0041B748,00410E01,0041B748,Microsoft Visual C++ Runtime Library,00012010), ref: 00413E48
                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00413E64
                                              • Part of subcall function 0040EE93: TlsGetValue.KERNEL32(00000000,0040EF08,00000000,00413E29,00000000,00000000,00000314,?,?,?,0041B748,00410E01,0041B748,Microsoft Visual C++ Runtime Library,00012010), ref: 0040EEA0
                                              • Part of subcall function 0040EE93: TlsGetValue.KERNEL32(00000005,?,?,?,0041B748,00410E01,0041B748,Microsoft Visual C++ Runtime Library,00012010), ref: 0040EEB7
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00413E81
                                              • Part of subcall function 0040EE93: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0041B748,00410E01,0041B748,Microsoft Visual C++ Runtime Library,00012010), ref: 0040EECC
                                              • Part of subcall function 0040EE93: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0040EEE7
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00413E96
                                            • __invoke_watson.LIBCMT ref: 00413EB7
                                              • Part of subcall function 0040DED0: _memset.LIBCMT ref: 0040DF5C
                                              • Part of subcall function 0040DED0: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 0040DF7A
                                              • Part of subcall function 0040DED0: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 0040DF84
                                              • Part of subcall function 0040DED0: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0040DF8E
                                              • Part of subcall function 0040DED0: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 0040DFA9
                                              • Part of subcall function 0040DED0: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 0040DFB0
                                              • Part of subcall function 0040EF0A: TlsGetValue.KERNEL32(00000000,0040EF9F), ref: 0040EF17
                                              • Part of subcall function 0040EF0A: TlsGetValue.KERNEL32(00000005), ref: 0040EF2E
                                              • Part of subcall function 0040EF0A: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 0040EF43
                                              • Part of subcall function 0040EF0A: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040EF5E
                                            • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00413ECB
                                            • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00413EE3
                                            • __invoke_watson.LIBCMT ref: 00413F56
                                            Strings
                                            Similarity
                                            • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
                                            • String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                            • API String ID: 2940365033-1046234306
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileAttributesA.KERNEL32(?,00000000), ref: 0040109B
                                            • GetFullPathNameA.KERNEL32(?,00000104,?,00000000), ref: 004010C0
                                            • SetLastError.KERNEL32(0000006F), ref: 004010D6
                                            Similarity
                                            • API ID: AttributesErrorFileFullLastNamePath
                                            • String ID:
                                            • API String ID: 1971955501-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,004172E8,0000000C,0040F101,00000000,00000000), ref: 0040F001
                                            • GetProcAddress.KERNEL32(?,EncodePointer), ref: 0040F035
                                            • GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040F045
                                            • InterlockedIncrement.KERNEL32(00418BF8), ref: 0040F067
                                            • __lock.LIBCMT ref: 0040F06F
                                            • ___addlocaleref.LIBCMT ref: 0040F08E
                                            Strings
                                            Similarity
                                            • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                                            • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                            • API String ID: 1036688887-2843748187
                                            • Opcode ID: 8c702716d7b5dad219fa57686b30de91586226c888544945a16dc04b354f71a1
                                            • Instruction ID: 31a7a27252150badec976e9035bfd6001bfe3312d07fb8ccb109bde4c470296b
                                            • Opcode Fuzzy Hash: 8c702716d7b5dad219fa57686b30de91586226c888544945a16dc04b354f71a1
                                            • Instruction Fuzzy Hash: B81160B0900B01DEE7209F76C845BDABBE0AF44314F10883FE499A6291CB7CA945CB59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • getSystemCP.LIBCMT ref: 0040E7A9
                                              • Part of subcall function 0040E716: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040E723
                                              • Part of subcall function 0040E716: GetOEMCP.KERNEL32(00000000), ref: 0040E73D
                                            • setSBCS.LIBCMT ref: 0040E7BB
                                              • Part of subcall function 0040E493: _memset.LIBCMT ref: 0040E4A6
                                            • IsValidCodePage.KERNEL32(-00000030), ref: 0040E801
                                            • GetCPInfo.KERNEL32(00000000,?), ref: 0040E814
                                            • _memset.LIBCMT ref: 0040E82C
                                            • setSBUpLow.LIBCMT ref: 0040E8FF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
                                            • String ID:
                                            • API String ID: 2658552758-0
                                            • Opcode ID: d06d89ca8721487a3172968655db03d372d8560b3890cf2643e4b2fbcddcae32
                                            • Instruction ID: e33aa2861ec287faf251f8d8a2b5d71e8b0ee36f1272fd82b1d56aa1e3b6e312
                                            • Opcode Fuzzy Hash: d06d89ca8721487a3172968655db03d372d8560b3890cf2643e4b2fbcddcae32
                                            • Instruction Fuzzy Hash: 9A510471D002158BDF25DF67C8806BABBA4EF44304F14C87BD985AB2C2D63C8952CB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00401769
                                            • lstrlenA.KERNEL32(?), ref: 0040178C
                                            • GetLongPathNameA.KERNEL32(?,?,00000104), ref: 004017E2
                                            • _memset.LIBCMT ref: 0040180E
                                            • lstrlenA.KERNEL32(?,?,00000000,0000005C), ref: 00401828
                                            • lstrlenA.KERNEL32(?,?,00000000,0000005C), ref: 00401863
                                            • lstrcpynA.KERNEL32(?,?,?,?,?,00000000), ref: 0040189F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: lstrlen$_memset$LongNamePathlstrcpyn
                                            • String ID:
                                            • API String ID: 2427026194-0
                                            • Opcode ID: 53a3187f1d8abafb7ffb8c04469abdd5d2c6f6e8cc74f88d46f80f6467f5bf8d
                                            • Instruction ID: 06295104160c08d648608a430a7af9b59f0c4ecd9464bdb179b6727d7ea84170
                                            • Opcode Fuzzy Hash: 53a3187f1d8abafb7ffb8c04469abdd5d2c6f6e8cc74f88d46f80f6467f5bf8d
                                            • Instruction Fuzzy Hash: 20412372900248AEEB30AFB5DC85FDA77ACAF45304F14413EEA09F71D2DB7896048B65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • TlsGetValue.KERNEL32(00000000,0040EF08,00000000,00413E29,00000000,00000000,00000314,?,?,?,0041B748,00410E01,0041B748,Microsoft Visual C++ Runtime Library,00012010), ref: 0040EEA0
                                            • TlsGetValue.KERNEL32(00000005,?,?,?,0041B748,00410E01,0041B748,Microsoft Visual C++ Runtime Library,00012010), ref: 0040EEB7
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0041B748,00410E01,0041B748,Microsoft Visual C++ Runtime Library,00012010), ref: 0040EECC
                                            • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0040EEE7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Value$AddressHandleModuleProc
                                            • String ID: EncodePointer$KERNEL32.DLL
                                            • API String ID: 1929421221-3682587211
                                            • Opcode ID: 36ae36d76802ccc74aa80c583529835d74a3a5c3e93755c70c4d1e43d53cbf4d
                                            • Instruction ID: 73dc7dbda7024e7fffbbd03168adb1d69dc8cf932f0e52be306906b2668ccab4
                                            • Opcode Fuzzy Hash: 36ae36d76802ccc74aa80c583529835d74a3a5c3e93755c70c4d1e43d53cbf4d
                                            • Instruction Fuzzy Hash: E2F06230641527EBC6615B76ED04AEB3EA49F447517054C73F858E62E0CB38CC628AEE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • TlsGetValue.KERNEL32(00000000,0040EF9F), ref: 0040EF17
                                            • TlsGetValue.KERNEL32(00000005), ref: 0040EF2E
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 0040EF43
                                            • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040EF5E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Value$AddressHandleModuleProc
                                            • String ID: DecodePointer$KERNEL32.DLL
                                            • API String ID: 1929421221-629428536
                                            • Opcode ID: d935a26459105d574cb2e38cf0386b5d4426bd69948a5f5b949bd66d25ad9d91
                                            • Instruction ID: 59488569f254f47f8ca9fa940a5f7688ee3026b07a523450d261427d325dfa61
                                            • Opcode Fuzzy Hash: d935a26459105d574cb2e38cf0386b5d4426bd69948a5f5b949bd66d25ad9d91
                                            • Instruction Fuzzy Hash: 09F09630545613FBD7115B76ED04ADB3AA49F447507048876F858F62F0CB38DC62C6AD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __lock.LIBCMT ref: 0040D280
                                              • Part of subcall function 0040FBC2: __mtinitlocknum.LIBCMT ref: 0040FBD6
                                              • Part of subcall function 0040FBC2: __amsg_exit.LIBCMT ref: 0040FBE2
                                              • Part of subcall function 0040FBC2: EnterCriticalSection.KERNEL32(?,?,?,0040D186,00000004,00417248,0000000C,004127CF,00000000,00000000,00000000,00000000,00000000,0040F0D8,00000001,00000214), ref: 0040FBEA
                                            • ___sbh_find_block.LIBCMT ref: 0040D28B
                                            • ___sbh_free_block.LIBCMT ref: 0040D29A
                                            • HeapFree.KERNEL32(00000000,00000001,00417268,0000000C,0040FBA3,00000000,00417350,0000000C,0040FBDB,00000001,?,?,0040D186,00000004,00417248,0000000C), ref: 0040D2CA
                                            • GetLastError.KERNEL32 ref: 0040D2DB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                            • String ID:
                                            • API String ID: 2714421763-0
                                            • Opcode ID: 58e9ebdd246eada6d6ede97d038750b347c7b50b40a68ad533d2021e6ec9690e
                                            • Instruction ID: b21d02b56b4334eec184bfd22a73a14c37061e5d3a450bccea11b4b96e94e8ff
                                            • Opcode Fuzzy Hash: 58e9ebdd246eada6d6ede97d038750b347c7b50b40a68ad533d2021e6ec9690e
                                            • Instruction Fuzzy Hash: A9018F31D00311EADB206BF29C06B9E7B64AF00328F10817FF400B61D2DA7CC8448A9D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0041369B
                                            • __isleadbyte_l.LIBCMT ref: 004136CF
                                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,FF000002,?,00000000,?,?,?,0040FF47,?,?,00000001), ref: 00413700
                                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,0040FF47,?,?,00000001), ref: 0041376E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                            • String ID:
                                            • API String ID: 3058430110-0
                                            • Opcode ID: 05e1a337a2b4fe55ade8d994766c538232f0d57f04f4102561f13e7daf20b54d
                                            • Instruction ID: 337693de5dd7e6e7628e33ad7de0e69ea7657ffd9e11afdcebbe219fc47fff10
                                            • Opcode Fuzzy Hash: 05e1a337a2b4fe55ade8d994766c538232f0d57f04f4102561f13e7daf20b54d
                                            • Instruction Fuzzy Hash: C031D071A00285FFDB20DFA4C884AFE7BA5AF01312F1585AEE4608B2D1D3349E90DB59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0040F126: __amsg_exit.LIBCMT ref: 0040F134
                                            • __amsg_exit.LIBCMT ref: 0040E69E
                                            • __lock.LIBCMT ref: 0040E6AE
                                            • InterlockedDecrement.KERNEL32(?), ref: 0040E6CB
                                            • InterlockedIncrement.KERNEL32(02101660), ref: 0040E6F6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
                                            • String ID:
                                            • API String ID: 4129207761-0
                                            • Opcode ID: f01fb3a8e742b265315539429a824ecd7c840d210e1b41ae5ac75e1e657cbc03
                                            • Instruction ID: 3e79fc51856547ac4543ac5f143fa932bd736f64cfe0a2635a873b3a8f9e770a
                                            • Opcode Fuzzy Hash: f01fb3a8e742b265315539429a824ecd7c840d210e1b41ae5ac75e1e657cbc03
                                            • Instruction Fuzzy Hash: 24017C31D00621EBCB21AB66A80678AB7606B14714F44483BE410772C1CB7CA861CE9E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(00000042,?,0040F12C,?,0040C6BD,00000000,0040D58D,?,?,?,00000000), ref: 0040F0B1
                                              • Part of subcall function 0040EF81: TlsGetValue.KERNEL32(?,0040F0C4), ref: 0040EF88
                                              • Part of subcall function 0040EF81: TlsSetValue.KERNEL32(00000000), ref: 0040EFA9
                                            • __calloc_crt.LIBCMT ref: 0040F0D3
                                              • Part of subcall function 004127BC: __calloc_impl.LIBCMT ref: 004127CA
                                              • Part of subcall function 004127BC: Sleep.KERNEL32(00000000,0040F0D8,00000001,00000214), ref: 004127E1
                                              • Part of subcall function 0040EF0A: TlsGetValue.KERNEL32(00000000,0040EF9F), ref: 0040EF17
                                              • Part of subcall function 0040EF0A: TlsGetValue.KERNEL32(00000005), ref: 0040EF2E
                                              • Part of subcall function 0040EFF0: GetModuleHandleA.KERNEL32(KERNEL32.DLL,004172E8,0000000C,0040F101,00000000,00000000), ref: 0040F001
                                              • Part of subcall function 0040EFF0: GetProcAddress.KERNEL32(?,EncodePointer), ref: 0040F035
                                              • Part of subcall function 0040EFF0: GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040F045
                                              • Part of subcall function 0040EFF0: InterlockedIncrement.KERNEL32(00418BF8), ref: 0040F067
                                              • Part of subcall function 0040EFF0: __lock.LIBCMT ref: 0040F06F
                                              • Part of subcall function 0040EFF0: ___addlocaleref.LIBCMT ref: 0040F08E
                                            • GetCurrentThreadId.KERNEL32 ref: 0040F103
                                            • SetLastError.KERNEL32(00000000), ref: 0040F11B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                                            • String ID:
                                            • API String ID: 1081334783-0
                                            • Opcode ID: 48634b3e7a430741ceed802ca4965c02897bb85b145dbf33438fafd522fcfc3c
                                            • Instruction ID: 15a13f23eb78aa7c0d6a0cd3da37c3b2228dfced68170ffb91a12e002182c986
                                            • Opcode Fuzzy Hash: 48634b3e7a430741ceed802ca4965c02897bb85b145dbf33438fafd522fcfc3c
                                            • Instruction Fuzzy Hash: FDF08132A45622FAC6312BB5BC0A6DA7A54AF84771710493EF551AA1D2CF3CC81186DC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1636416718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1636403856.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636466289.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: __calloc_crt
                                            • String ID: TXA
                                            • API String ID: 3494438863-3880646948
                                            • Opcode ID: 758c08539aa0d2855f2d12fea939569670c3fbc6bb1966207b8e68bf078ac663
                                            • Instruction ID: 0ee29593bf2473f58c0ae5fde9123932bf871ef7e4e6c70846eacbef051850bf
                                            • Opcode Fuzzy Hash: 758c08539aa0d2855f2d12fea939569670c3fbc6bb1966207b8e68bf078ac663
                                            • Instruction Fuzzy Hash: 6F112931B047105BE7289E9EBC817E63392EB88724B24C13FE911D73D4E77C9882468E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:9.8%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:10.9%
                                            Total number of Nodes:2000
                                            Total number of Limit Nodes:81
10717->10708 10718 40a520 10718->10708 10720 40a3b8 10719->10720 10721 40a39d 10719->10721 10720->10708 10724 4101f1 10720->10724 10722 40a313 __mtterm 65 API calls 10721->10722 10723 40a3a8 TlsSetValue 10722->10723 10723->10720 10725 4101f5 10724->10725 10727 40a4e1 10725->10727 10728 410215 Sleep 10725->10728 10766 412996 10725->10766 10727->10708 10729 40a313 TlsGetValue 10727->10729 10728->10725 10730 40a326 10729->10730 10731 40a347 GetModuleHandleA 10729->10731 10730->10731 10732 40a330 TlsGetValue 10730->10732 10733 40a358 10731->10733 10734 40a33f 10731->10734 10736 40a33b 10732->10736 10903 40a230 10733->10903 10734->10713 10734->10714 10736->10731 10736->10734 10737 40a35d 10737->10734 10738 40a361 GetProcAddress 10737->10738 10738->10734 10908 40b2d0 10739->10908 10741 40a405 GetModuleHandleA 10742 40a456 InterlockedIncrement 10741->10742 10743 40a427 10741->10743 10745 40f5c4 __lock 63 API calls 10742->10745 10744 40a230 __mtterm 63 API calls 10743->10744 10746 40a42c 10744->10746 10747 40a47d 10745->10747 10746->10742 10748 40a430 GetProcAddress GetProcAddress 10746->10748 10909 40d909 InterlockedIncrement 10747->10909 10748->10742 10750 40a49c 10921 40a4af 10750->10921 10752 40a4a9 ___BuildCatchObjectHelper 10752->10717 10754 409940 ___BuildCatchObjectHelper 10753->10754 10755 4099b9 __dosmaperr ___BuildCatchObjectHelper 10754->10755 10756 40f5c4 __lock 65 API calls 10754->10756 10765 40997f 10754->10765 10755->10718 10762 409957 ___sbh_find_block 10756->10762 10757 409994 HeapFree 10757->10755 10758 4099a6 10757->10758 10759 409e70 _memcpy_s 65 API calls 10758->10759 10760 4099ab GetLastError 10759->10760 10760->10755 10761 409971 10932 40998a 10761->10932 10762->10761 10925 40f668 10762->10925 10765->10755 10765->10757 10767 4129a2 ___BuildCatchObjectHelper 10766->10767 10768 4129ba 10767->10768 10773 4129d9 _memset 10767->10773 10769 409e70 _memcpy_s 66 API calls 10768->10769 10770 4129bf 10769->10770 10771 4084da _memcpy_s 66 API calls 
10770->10771 10776 4129cf ___BuildCatchObjectHelper 10771->10776 10772 412a4b HeapAlloc 10772->10773 10773->10772 10773->10776 10779 40f5c4 10773->10779 10786 40fe11 10773->10786 10792 412a92 10773->10792 10795 40a92c 10773->10795 10776->10725 10780 40f5d7 10779->10780 10781 40f5ea EnterCriticalSection 10779->10781 10798 40f501 10780->10798 10781->10773 10783 40f5dd 10783->10781 10784 40e7ab __amsg_exit 66 API calls 10783->10784 10785 40f5e9 10784->10785 10785->10781 10789 40fe3d 10786->10789 10787 40fed6 10791 40fedf 10787->10791 10898 40fa2c 10787->10898 10789->10787 10789->10791 10891 40f97c 10789->10891 10791->10773 10902 40f4ec LeaveCriticalSection 10792->10902 10794 412a99 10794->10773 10796 40a313 __mtterm 67 API calls 10795->10796 10797 40a937 10796->10797 10797->10773 10799 40f50d ___BuildCatchObjectHelper 10798->10799 10800 40f533 10799->10800 10824 40ec67 10799->10824 10806 40f543 ___BuildCatchObjectHelper 10800->10806 10870 4101b1 10800->10870 10806->10783 10808 40f564 10812 40f5c4 __lock 67 API calls 10808->10812 10809 40f555 10811 409e70 _memcpy_s 67 API calls 10809->10811 10811->10806 10813 40f56b 10812->10813 10814 40f573 10813->10814 10815 40f59f 10813->10815 10875 4107e6 10814->10875 10817 409934 __freea 67 API calls 10815->10817 10819 40f590 10817->10819 10818 40f57e 10818->10819 10820 409934 __freea 67 API calls 10818->10820 10888 40f5bb 10819->10888 10822 40f58a 10820->10822 10823 409e70 _memcpy_s 67 API calls 10822->10823 10823->10819 10825 412840 __FF_MSGBANNER 67 API calls 10824->10825 10826 40ec6e 10825->10826 10827 412840 __FF_MSGBANNER 67 API calls 10826->10827 10830 40ec7b 10826->10830 10827->10830 10828 40eac7 _abort 67 API calls 10829 40ec93 10828->10829 10832 40eac7 _abort 67 API calls 10829->10832 10830->10828 10831 40ec9d 10830->10831 10833 40eac7 10831->10833 10832->10831 10834 40ead3 10833->10834 10835 412840 __FF_MSGBANNER 64 API calls 10834->10835 10866 40ec29 10834->10866 10836 40eaf3 10835->10836 10837 40ec2e GetStdHandle 
10836->10837 10839 412840 __FF_MSGBANNER 64 API calls 10836->10839 10838 40ec3c _strlen 10837->10838 10837->10866 10842 40ec56 WriteFile 10838->10842 10838->10866 10840 40eb04 10839->10840 10840->10837 10841 40eb16 10840->10841 10843 409fae _strcpy_s 64 API calls 10841->10843 10841->10866 10842->10866 10844 40eb38 10843->10844 10845 40eb4c GetModuleFileNameA 10844->10845 10846 4083de __invoke_watson 10 API calls 10844->10846 10847 40eb6a 10845->10847 10853 40eb8d _strlen 10845->10853 10848 40eb49 10846->10848 10849 409fae _strcpy_s 64 API calls 10847->10849 10848->10845 10850 40eb7a 10849->10850 10851 4083de __invoke_watson 10 API calls 10850->10851 10850->10853 10851->10853 10852 411d11 _strcat_s 64 API calls 10854 40ebe3 10852->10854 10855 411dd6 _abort 64 API calls 10853->10855 10863 40ebd0 10853->10863 10856 40ebf4 10854->10856 10858 4083de __invoke_watson 10 API calls 10854->10858 10857 40ebbd 10855->10857 10859 411d11 _strcat_s 64 API calls 10856->10859 10861 4083de __invoke_watson 10 API calls 10857->10861 10857->10863 10858->10856 10860 40ec05 10859->10860 10862 40ec16 10860->10862 10864 4083de __invoke_watson 10 API calls 10860->10864 10861->10863 10865 412683 _abort 64 API calls 10862->10865 10863->10852 10864->10862 10865->10866 10867 40e7f5 10866->10867 10868 40e7cf ___crtCorExitProcess GetModuleHandleA GetProcAddress 10867->10868 10869 40e7fe ExitProcess 10868->10869 10872 4101b5 10870->10872 10871 40a062 _malloc 66 API calls 10871->10872 10872->10871 10873 40f54e 10872->10873 10874 4101cd Sleep 10872->10874 10873->10808 10873->10809 10874->10872 10876 4107f2 ___BuildCatchObjectHelper 10875->10876 10877 40a313 __mtterm 65 API calls 10876->10877 10878 410802 10877->10878 10879 40e854 ___crtInitCritSecAndSpinCount 65 API calls 10878->10879 10885 410856 ___BuildCatchObjectHelper 10878->10885 10880 410812 10879->10880 10881 410821 10880->10881 10882 4083de __invoke_watson 10 API calls 10880->10882 10883 41084b 10881->10883 10884 41082a GetModuleHandleA 
10881->10884 10882->10881 10887 40a29c __initp_misc_cfltcvt_tab 65 API calls 10883->10887 10884->10883 10886 410839 GetProcAddress 10884->10886 10885->10818 10886->10883 10887->10885 10889 40f4ec _realloc LeaveCriticalSection 10888->10889 10890 40f5c2 10889->10890 10890->10806 10892 40f9c3 HeapAlloc 10891->10892 10893 40f98f HeapReAlloc 10891->10893 10894 40f9e6 VirtualAlloc 10892->10894 10895 40f9ad 10892->10895 10893->10895 10896 40f9b1 10893->10896 10894->10895 10897 40fa00 HeapFree 10894->10897 10895->10787 10896->10892 10897->10895 10899 40fa41 VirtualAlloc 10898->10899 10901 40fa88 10899->10901 10901->10791 10902->10794 10904 40e88b __mtterm 66 API calls 10903->10904 10905 40a24b 10904->10905 10906 40a256 GetModuleHandleA 10905->10906 10907 40a252 ___TypeMatch 10905->10907 10906->10907 10907->10737 10908->10741 10910 40d924 InterlockedIncrement 10909->10910 10911 40d927 10909->10911 10910->10911 10912 40d931 InterlockedIncrement 10911->10912 10913 40d934 10911->10913 10912->10913 10914 40d941 10913->10914 10915 40d93e InterlockedIncrement 10913->10915 10916 40d94b InterlockedIncrement 10914->10916 10917 40d94e 10914->10917 10915->10914 10916->10917 10918 40d963 InterlockedIncrement 10917->10918 10919 40d973 InterlockedIncrement 10917->10919 10920 40d97c InterlockedIncrement 10917->10920 10918->10917 10919->10917 10920->10750 10924 40f4ec LeaveCriticalSection 10921->10924 10923 40a4b6 10923->10752 10924->10923 10926 40f6a5 10925->10926 10931 40f947 10925->10931 10927 40f891 VirtualFree 10926->10927 10926->10931 10928 40f8f5 10927->10928 10929 40f904 VirtualFree HeapFree 10928->10929 10928->10931 10935 409380 10929->10935 10931->10761 10939 40f4ec LeaveCriticalSection 10932->10939 10934 409991 10934->10765 10936 409398 10935->10936 10937 4093bf __VEC_memcpy 10936->10937 10938 4093c7 10936->10938 10937->10938 10938->10931 10939->10934 10941 4081cc __VEC_memzero 10940->10941 10941->10687 10943 408045 10942->10943 10944 408047 IsDebuggerPresent 10942->10944 
10943->10691 10950 40a228 10944->10950 10947 409a8d SetUnhandledExceptionFilter UnhandledExceptionFilter 10948 409ab2 GetCurrentProcess TerminateProcess 10947->10948 10949 409aaa __invoke_watson 10947->10949 10948->10691 10949->10948 10950->10947 10951->10527 10953 40d7b4 10952->10953 10954 40d7bb 10952->10954 10965 40d611 10953->10965 10954->10567 10957 409fbb 10956->10957 10959 409fc3 10956->10959 10957->10959 10963 409fea 10957->10963 10958 409e70 _memcpy_s 67 API calls 10960 409fc8 10958->10960 10959->10958 10961 4084da _memcpy_s 67 API calls 10960->10961 10962 409fd7 10961->10962 10962->10577 10963->10962 10964 409e70 _memcpy_s 67 API calls 10963->10964 10964->10960 10966 40d61d ___BuildCatchObjectHelper 10965->10966 10996 40a52f 10966->10996 10970 40d630 11017 40d3be 10970->11017 10973 4101b1 __malloc_crt 67 API calls 10974 40d651 10973->10974 10975 40d770 ___BuildCatchObjectHelper 10974->10975 11024 40d438 10974->11024 10975->10954 10978 40d681 InterlockedDecrement 10980 40d691 10978->10980 10981 40d6a2 InterlockedIncrement 10978->10981 10979 40d77d 10979->10975 10985 409934 __freea 67 API calls 10979->10985 10988 40d790 10979->10988 10980->10981 10984 409934 __freea 67 API calls 10980->10984 10981->10975 10982 40d6b8 10981->10982 10982->10975 10987 40f5c4 __lock 67 API calls 10982->10987 10983 409e70 _memcpy_s 67 API calls 10983->10975 10986 40d6a1 10984->10986 10985->10988 10986->10981 10990 40d6cc InterlockedDecrement 10987->10990 10988->10983 10991 40d748 10990->10991 10992 40d75b InterlockedIncrement 10990->10992 10991->10992 10994 409934 __freea 67 API calls 10991->10994 11034 40d772 10992->11034 10995 40d75a 10994->10995 10995->10992 10997 40a4b8 _raise 67 API calls 10996->10997 10998 40a535 10997->10998 10999 40a542 10998->10999 11000 40e7ab __amsg_exit 67 API calls 10998->11000 11001 40d31a 10999->11001 11000->10999 11002 40d326 ___BuildCatchObjectHelper 11001->11002 11003 40a52f IsInExceptionSpec 67 API calls 11002->11003 11004 40d32b 11003->11004 
11005 40f5c4 __lock 67 API calls 11004->11005 11006 40d33d 11004->11006 11007 40d35b 11005->11007 11008 40d34b ___BuildCatchObjectHelper 11006->11008 11010 40e7ab __amsg_exit 67 API calls 11006->11010 11009 40d3a4 11007->11009 11012 40d372 InterlockedDecrement 11007->11012 11013 40d38c InterlockedIncrement 11007->11013 11008->10970 11037 40d3b5 11009->11037 11010->11008 11012->11013 11014 40d37d 11012->11014 11013->11009 11014->11013 11015 409934 __freea 67 API calls 11014->11015 11016 40d38b 11015->11016 11016->11013 11041 40904c 11017->11041 11020 40d3f9 11022 40d3fe GetACP 11020->11022 11023 40d3eb 11020->11023 11021 40d3db GetOEMCP 11021->11023 11022->11023 11023->10973 11023->10975 11025 40d3be getSystemCP 79 API calls 11024->11025 11027 40d456 11025->11027 11026 40d461 setSBCS 11028 40803d ___ansicp 5 API calls 11026->11028 11027->11026 11030 40d4a5 IsValidCodePage 11027->11030 11033 40d4ca _memset __setmbcp 11027->11033 11029 40d60f 11028->11029 11029->10978 11029->10979 11030->11026 11031 40d4b7 GetCPInfo 11030->11031 11031->11026 11031->11033 11232 40d190 GetCPInfo 11033->11232 11395 40f4ec LeaveCriticalSection 11034->11395 11036 40d779 11036->10975 11040 40f4ec LeaveCriticalSection 11037->11040 11039 40d3bc 11039->11006 11040->11039 11042 40905b 11041->11042 11043 4090a8 11041->11043 11044 40a52f IsInExceptionSpec 67 API calls 11042->11044 11043->11020 11043->11021 11045 409060 11044->11045 11046 409088 11045->11046 11049 40da59 11045->11049 11046->11043 11048 40d31a _LocaleUpdate::_LocaleUpdate 69 API calls 11046->11048 11048->11043 11050 40da65 ___BuildCatchObjectHelper 11049->11050 11051 40a52f IsInExceptionSpec 67 API calls 11050->11051 11052 40da6a 11051->11052 11053 40da98 11052->11053 11055 40da7c 11052->11055 11054 40f5c4 __lock 67 API calls 11053->11054 11056 40da9f 11054->11056 11057 40a52f IsInExceptionSpec 67 API calls 11055->11057 11064 40da1b 11056->11064 11059 40da81 11057->11059 11062 40da8f ___BuildCatchObjectHelper 11059->11062 11063 
40e7ab __amsg_exit 67 API calls 11059->11063 11062->11046 11063->11062 11065 40da1f 11064->11065 11071 40da51 11064->11071 11066 40d909 ___addlocaleref 8 API calls 11065->11066 11065->11071 11067 40da32 11066->11067 11067->11071 11075 40d98f 11067->11075 11072 40dac3 11071->11072 11231 40f4ec LeaveCriticalSection 11072->11231 11074 40daca 11074->11059 11076 40da17 11075->11076 11077 40d998 InterlockedDecrement 11075->11077 11076->11071 11089 40d7c9 11076->11089 11078 40d9b1 11077->11078 11079 40d9ae InterlockedDecrement 11077->11079 11080 40d9bb InterlockedDecrement 11078->11080 11081 40d9be 11078->11081 11079->11078 11080->11081 11082 40d9c8 InterlockedDecrement 11081->11082 11083 40d9cb 11081->11083 11082->11083 11084 40d9d5 InterlockedDecrement 11083->11084 11086 40d9d8 11083->11086 11084->11086 11085 40d9ed InterlockedDecrement 11085->11086 11086->11085 11087 40d9fd InterlockedDecrement 11086->11087 11088 40da06 InterlockedDecrement 11086->11088 11087->11086 11088->11076 11090 40d84a 11089->11090 11092 40d7dd 11089->11092 11091 409934 __freea 67 API calls 11090->11091 11093 40d897 11090->11093 11094 40d86b 11091->11094 11092->11090 11095 40d811 11092->11095 11102 409934 __freea 67 API calls 11092->11102 11106 40d8be 11093->11106 11143 411ab8 11093->11143 11097 409934 __freea 67 API calls 11094->11097 11105 409934 __freea 67 API calls 11095->11105 11118 40d832 11095->11118 11099 40d87e 11097->11099 11104 409934 __freea 67 API calls 11099->11104 11100 409934 __freea 67 API calls 11107 40d83f 11100->11107 11101 40d8fd 11108 409934 __freea 67 API calls 11101->11108 11109 40d806 11102->11109 11103 409934 __freea 67 API calls 11103->11106 11112 40d88c 11104->11112 11113 40d827 11105->11113 11106->11101 11114 409934 67 API calls __freea 11106->11114 11115 409934 __freea 67 API calls 11107->11115 11110 40d903 11108->11110 11119 411c88 11109->11119 11110->11071 11116 409934 __freea 67 API calls 11112->11116 11135 411c48 11113->11135 11114->11106 11115->11090 
11116->11093 11118->11100 11120 411c91 11119->11120 11134 411d0e 11119->11134 11121 411ca2 11120->11121 11122 409934 __freea 67 API calls 11120->11122 11123 411cb4 11121->11123 11124 409934 __freea 67 API calls 11121->11124 11122->11121 11125 411cc6 11123->11125 11126 409934 __freea 67 API calls 11123->11126 11124->11123 11127 409934 __freea 67 API calls 11125->11127 11129 411cd8 11125->11129 11126->11125 11127->11129 11128 411cea 11131 411cfc 11128->11131 11132 409934 __freea 67 API calls 11128->11132 11129->11128 11130 409934 __freea 67 API calls 11129->11130 11130->11128 11133 409934 __freea 67 API calls 11131->11133 11131->11134 11132->11131 11133->11134 11134->11095 11136 411c51 11135->11136 11142 411c85 11135->11142 11138 411c61 11136->11138 11139 409934 __freea 67 API calls 11136->11139 11137 411c73 11141 409934 __freea 67 API calls 11137->11141 11137->11142 11138->11137 11140 409934 __freea 67 API calls 11138->11140 11139->11138 11140->11137 11141->11142 11142->11118 11144 411ac5 11143->11144 11145 40d8b7 11143->11145 11146 409934 __freea 67 API calls 11144->11146 11145->11103 11147 411acd 11146->11147 11148 409934 __freea 67 API calls 11147->11148 11149 411ad5 11148->11149 11150 409934 __freea 67 API calls 11149->11150 11151 411add 11150->11151 11152 409934 __freea 67 API calls 11151->11152 11153 411ae5 11152->11153 11154 409934 __freea 67 API calls 11153->11154 11155 411aed 11154->11155 11156 409934 __freea 67 API calls 11155->11156 11157 411af5 11156->11157 11158 409934 __freea 67 API calls 11157->11158 11159 411afc 11158->11159 11160 409934 __freea 67 API calls 11159->11160 11161 411b04 11160->11161 11162 409934 __freea 67 API calls 11161->11162 11163 411b0c 11162->11163 11164 409934 __freea 67 API calls 11163->11164 11165 411b14 11164->11165 11166 409934 __freea 67 API calls 11165->11166 11167 411b1c 11166->11167 11168 409934 __freea 67 API calls 11167->11168 11169 411b24 11168->11169 11170 409934 __freea 67 API calls 11169->11170 11171 411b2c 
11170->11171 11172 409934 __freea 67 API calls 11171->11172 11173 411b34 11172->11173 11174 409934 __freea 67 API calls 11173->11174 11175 411b3c 11174->11175 11176 409934 __freea 67 API calls 11175->11176 11177 411b44 11176->11177 11178 409934 __freea 67 API calls 11177->11178 11179 411b4f 11178->11179 11180 409934 __freea 67 API calls 11179->11180 11181 411b57 11180->11181 11182 409934 __freea 67 API calls 11181->11182 11183 411b5f 11182->11183 11184 409934 __freea 67 API calls 11183->11184 11185 411b67 11184->11185 11186 409934 __freea 67 API calls 11185->11186 11187 411b6f 11186->11187 11188 409934 __freea 67 API calls 11187->11188 11189 411b77 11188->11189 11190 409934 __freea 67 API calls 11189->11190 11191 411b7f 11190->11191 11192 409934 __freea 67 API calls 11191->11192 11193 411b87 11192->11193 11194 409934 __freea 67 API calls 11193->11194 11195 411b8f 11194->11195 11196 409934 __freea 67 API calls 11195->11196 11197 411b97 11196->11197 11198 409934 __freea 67 API calls 11197->11198 11199 411b9f 11198->11199 11200 409934 __freea 67 API calls 11199->11200 11201 411ba7 11200->11201 11202 409934 __freea 67 API calls 11201->11202 11203 411baf 11202->11203 11204 409934 __freea 67 API calls 11203->11204 11205 411bb7 11204->11205 11206 409934 __freea 67 API calls 11205->11206 11207 411bbf 11206->11207 11208 409934 __freea 67 API calls 11207->11208 11209 411bc7 11208->11209 11210 409934 __freea 67 API calls 11209->11210 11211 411bd5 11210->11211 11212 409934 __freea 67 API calls 11211->11212 11213 411be0 11212->11213 11214 409934 __freea 67 API calls 11213->11214 11215 411beb 11214->11215 11216 409934 __freea 67 API calls 11215->11216 11217 411bf6 11216->11217 11218 409934 __freea 67 API calls 11217->11218 11219 411c01 11218->11219 11220 409934 __freea 67 API calls 11219->11220 11221 411c0c 11220->11221 11222 409934 __freea 67 API calls 11221->11222 11223 411c17 11222->11223 11224 409934 __freea 67 API calls 11223->11224 11225 411c22 11224->11225 11226 409934 
__freea 67 API calls 11225->11226 11227 411c2d 11226->11227 11228 409934 __freea 67 API calls 11227->11228 11231->11074 11233 40d1c7 _memset 11232->11233 11241 40d270 11232->11241 11242 40dd58 11233->11242 11237 40803d ___ansicp 5 API calls 11239 40d312 11237->11239 11239->11033 11240 411a75 ___crtLCMapStringA 102 API calls 11240->11241 11241->11237 11243 40904c _LocaleUpdate::_LocaleUpdate 77 API calls 11242->11243 11244 40dd69 11243->11244 11252 40dba0 11244->11252 11247 411a75 11248 40904c _LocaleUpdate::_LocaleUpdate 77 API calls 11247->11248 11249 411a86 11248->11249 11348 4116d3 11249->11348 11253 40dbea 11252->11253 11254 40dbbf GetStringTypeW 11252->11254 11255 40dbd7 11253->11255 11257 40dcd1 11253->11257 11254->11255 11256 40dbdf GetLastError 11254->11256 11258 40dc23 MultiByteToWideChar 11255->11258 11265 40dccb 11255->11265 11256->11253 11299 411fd4 GetLocaleInfoA 11257->11299 11263 40dc50 11258->11263 11258->11265 11260 40803d ___ansicp 5 API calls 11262 40d22b 11260->11262 11262->11247 11271 40dc65 _memset __alloca_probe_16 11263->11271 11276 40a062 11263->11276 11264 40dd22 GetStringTypeA 11264->11265 11266 40dd3d 11264->11266 11265->11260 11270 409934 __freea 67 API calls 11266->11270 11269 40dc9e MultiByteToWideChar 11273 40dcb4 GetStringTypeW 11269->11273 11274 40dcc5 11269->11274 11270->11265 11271->11265 11271->11269 11273->11274 11295 40db85 11274->11295 11277 40a10f 11276->11277 11283 40a070 11276->11283 11278 40a92c _malloc 66 API calls 11277->11278 11279 40a115 11278->11279 11280 409e70 _memcpy_s 66 API calls 11279->11280 11282 40a11b 11280->11282 11281 40ec67 __FF_MSGBANNER 66 API calls 11286 40a085 11281->11286 11282->11271 11283->11286 11287 40a0d3 RtlAllocateHeap 11283->11287 11289 40a0fa 11283->11289 11290 40a92c _malloc 66 API calls 11283->11290 11292 40a0f8 11283->11292 11294 40a106 11283->11294 11330 40a013 11283->11330 11285 40eac7 _abort 66 API calls 11285->11286 11286->11281 11286->11283 11286->11285 11288 40e7f5 _malloc 3 API 
calls 11286->11288 11287->11283 11288->11286 11291 409e70 _memcpy_s 66 API calls 11289->11291 11290->11283 11291->11292 11293 409e70 _memcpy_s 66 API calls 11292->11293 11293->11294 11294->11271 11296 40db8d 11295->11296 11297 40db9e 11295->11297 11296->11297 11298 409934 __freea 67 API calls 11296->11298 11297->11265 11298->11297 11300 412000 11299->11300 11301 412005 11299->11301 11303 40803d ___ansicp 5 API calls 11300->11303 11341 412985 11301->11341 11304 40dcf5 11303->11304 11304->11264 11304->11265 11305 41201b 11304->11305 11306 412059 GetCPInfo 11305->11306 11307 4120e3 11305->11307 11308 412070 11306->11308 11309 4120ce MultiByteToWideChar 11306->11309 11310 40803d ___ansicp 5 API calls 11307->11310 11308->11309 11311 412076 GetCPInfo 11308->11311 11309->11307 11314 412089 _strlen 11309->11314 11312 40dd16 11310->11312 11311->11309 11313 412083 11311->11313 11312->11264 11312->11265 11313->11309 11313->11314 11315 40a062 _malloc 67 API calls 11314->11315 11317 4120bb _memset __alloca_probe_16 11314->11317 11315->11317 11316 412118 MultiByteToWideChar 11318 412130 11316->11318 11319 41214f 11316->11319 11317->11307 11317->11316 11321 412154 11318->11321 11322 412137 WideCharToMultiByte 11318->11322 11320 40db85 __freea 67 API calls 11319->11320 11320->11307 11323 412173 11321->11323 11324 41215f WideCharToMultiByte 11321->11324 11322->11319 11325 4101f1 __calloc_crt 67 API calls 11323->11325 11324->11319 11324->11323 11326 41217b 11325->11326 11326->11319 11327 412184 WideCharToMultiByte 11326->11327 11327->11319 11328 412196 11327->11328 11329 409934 __freea 67 API calls 11328->11329 11329->11319 11331 40a01f ___BuildCatchObjectHelper 11330->11331 11332 40a050 ___BuildCatchObjectHelper 11331->11332 11333 40f5c4 __lock 67 API calls 11331->11333 11332->11283 11334 40a035 11333->11334 11335 40fe11 ___sbh_alloc_block 5 API calls 11334->11335 11336 40a040 11335->11336 11338 40a059 11336->11338 11339 40f4ec _realloc LeaveCriticalSection 11338->11339 11340 
40a060 11339->11340 11340->11332 11344 4133a3 11341->11344 11345 4133ba 11344->11345 11346 413178 strtoxl 91 API calls 11345->11346 11347 412992 11346->11347 11347->11300 11349 4116f2 LCMapStringW 11348->11349 11352 41170d 11348->11352 11350 411715 GetLastError 11349->11350 11349->11352 11350->11352 11351 41190a 11355 411fd4 ___ansicp 91 API calls 11351->11355 11352->11351 11354 411767 11352->11354 11353 411780 MultiByteToWideChar 11356 411901 11353->11356 11363 4117ad 11353->11363 11354->11353 11354->11356 11358 411932 11355->11358 11357 40803d ___ansicp 5 API calls 11356->11357 11359 40d24b 11357->11359 11358->11356 11360 411a26 LCMapStringA 11358->11360 11361 41194b 11358->11361 11359->11240 11364 411982 11360->11364 11365 41201b ___convertcp 74 API calls 11361->11365 11362 4117fe MultiByteToWideChar 11366 411817 LCMapStringW 11362->11366 11367 4118f8 11362->11367 11369 40a062 _malloc 67 API calls 11363->11369 11376 4117c6 __alloca_probe_16 11363->11376 11368 411a4d 11364->11368 11372 409934 __freea 67 API calls 11364->11372 11370 41195d 11365->11370 11366->11367 11371 411838 11366->11371 11374 40db85 __freea 67 API calls 11367->11374 11368->11356 11377 409934 __freea 67 API calls 11368->11377 11369->11376 11370->11356 11373 411967 LCMapStringA 11370->11373 11375 411840 11371->11375 11381 411869 11371->11381 11372->11368 11373->11364 11379 411989 11373->11379 11374->11356 11375->11367 11378 411852 LCMapStringW 11375->11378 11376->11356 11376->11362 11377->11356 11378->11367 11383 41199a _memset __alloca_probe_16 11379->11383 11384 40a062 _malloc 67 API calls 11379->11384 11380 4118b8 LCMapStringW 11385 4118d0 WideCharToMultiByte 11380->11385 11386 4118f2 11380->11386 11382 40a062 _malloc 67 API calls 11381->11382 11387 411884 __alloca_probe_16 11381->11387 11382->11387 11383->11364 11389 4119d8 LCMapStringA 11383->11389 11384->11383 11385->11386 11388 40db85 __freea 67 API calls 11386->11388 11387->11367 11387->11380 11388->11367 11390 4119f4 11389->11390 11391 
4119f8 11389->11391 11394 40db85 __freea 67 API calls 11390->11394 11393 41201b ___convertcp 74 API calls 11391->11393 11393->11390 11394->11364 11395->11036 11397 41244a 11396->11397 11399 412462 11397->11399 11403 40a29c TlsGetValue 11397->11403 11399->10582 11413 40a8d4 11400->11413 11402 40a919 11402->10584 11404 40a2d0 GetModuleHandleA 11403->11404 11405 40a2af 11403->11405 11406 40a2e1 11404->11406 11412 40a2c8 11404->11412 11405->11404 11407 40a2b9 TlsGetValue 11405->11407 11408 40a230 __mtterm 63 API calls 11406->11408 11410 40a2c4 11407->11410 11409 40a2e6 11408->11409 11411 40a2ea GetProcAddress 11409->11411 11409->11412 11410->11404 11410->11412 11411->11412 11412->11397 11414 40a8e0 ___BuildCatchObjectHelper 11413->11414 11421 40e80a 11414->11421 11420 40a901 ___BuildCatchObjectHelper 11420->11402 11422 40f5c4 __lock 67 API calls 11421->11422 11423 40a8e5 11422->11423 11424 40a7ec 11423->11424 11425 40a313 __mtterm 67 API calls 11424->11425 11426 40a7fc 11425->11426 11427 40a313 __mtterm 67 API calls 11426->11427 11428 40a80d 11427->11428 11437 40a890 11428->11437 11444 410284 11428->11444 11430 40a876 11431 40a29c __initp_misc_cfltcvt_tab 67 API calls 11430->11431 11432 40a885 11431->11432 11435 40a29c __initp_misc_cfltcvt_tab 67 API calls 11432->11435 11433 40a84d 11433->11437 11438 410239 __realloc_crt 73 API calls 11433->11438 11439 40a864 11433->11439 11434 40a82b 11434->11430 11434->11433 11457 410239 11434->11457 11435->11437 11441 40a90a 11437->11441 11438->11439 11439->11437 11440 40a29c __initp_misc_cfltcvt_tab 67 API calls 11439->11440 11440->11430 11506 40e813 11441->11506 11445 410290 ___BuildCatchObjectHelper 11444->11445 11446 4102a0 11445->11446 11447 4102bd 11445->11447 11448 409e70 _memcpy_s 67 API calls 11446->11448 11449 4102fe HeapSize 11447->11449 11451 40f5c4 __lock 67 API calls 11447->11451 11450 4102a5 11448->11450 11453 4102b5 ___BuildCatchObjectHelper 11449->11453 11452 4084da _memcpy_s 67 API calls 11450->11452 11454 4102cd 
___sbh_find_block 11451->11454 11452->11453 11453->11434 11462 41031e 11454->11462 11458 41023d 11457->11458 11460 41027f 11458->11460 11461 410260 Sleep 11458->11461 11466 412ab4 11458->11466 11460->11433 11461->11458 11465 40f4ec LeaveCriticalSection 11462->11465 11464 4102f9 11464->11449 11464->11453 11465->11464 11467 412ac0 ___BuildCatchObjectHelper 11466->11467 11468 412ad5 11467->11468 11469 412ac7 11467->11469 11471 412ae8 11468->11471 11472 412adc 11468->11472 11470 40a062 _malloc 67 API calls 11469->11470 11488 412acf __dosmaperr ___BuildCatchObjectHelper 11470->11488 11479 412c5a 11471->11479 11501 412af5 _memcpy_s ___sbh_resize_block ___sbh_find_block 11471->11501 11473 409934 __freea 67 API calls 11472->11473 11473->11488 11474 412c8d 11477 40a92c _malloc 67 API calls 11474->11477 11475 412c5f HeapReAlloc 11475->11479 11475->11488 11476 40f5c4 __lock 67 API calls 11476->11501 11478 412c93 11477->11478 11480 409e70 _memcpy_s 67 API calls 11478->11480 11479->11474 11479->11475 11481 412cb1 11479->11481 11482 40a92c _malloc 67 API calls 11479->11482 11486 412ca7 11479->11486 11480->11488 11483 409e70 _memcpy_s 67 API calls 11481->11483 11481->11488 11482->11479 11485 412cba GetLastError 11483->11485 11485->11488 11487 409e70 _memcpy_s 67 API calls 11486->11487 11490 412c28 11487->11490 11488->11458 11489 412b80 HeapAlloc 11489->11501 11490->11488 11492 412c2d GetLastError 11490->11492 11491 412bd5 HeapReAlloc 11491->11501 11492->11488 11493 40fe11 ___sbh_alloc_block 5 API calls 11493->11501 11494 412c40 11494->11488 11496 409e70 _memcpy_s 67 API calls 11494->11496 11495 40a92c _malloc 67 API calls 11495->11501 11498 412c4d 11496->11498 11497 40f668 __VEC_memcpy VirtualFree VirtualFree HeapFree ___sbh_free_block 11497->11501 11498->11485 11498->11488 11499 412c23 11500 409e70 _memcpy_s 67 API calls 11499->11500 11500->11490 11501->11474 11501->11476 11501->11488 11501->11489 11501->11491 11501->11493 11501->11494 11501->11495 11501->11497 11501->11499 
calls 13317->13318 13320 4020f9 13318->13320 13319->13317 13321 402039 13319->13321 13320->11655 13320->11662 13322 40204a PathRemoveExtensionA 13321->13322 13323 401474 13322->13323 13324 402069 GetFileAttributesA 13323->13324 13324->13317 13325 40207b lstrlenA 13324->13325 13325->13317 13326 40208d 13325->13326 13327 4020a2 GetPrivateProfileStringA lstrcmpA 13326->13327 13327->13317 13329 404027 _memset 13328->13329 13330 4040a2 GetPrivateProfileIntA 13329->13330 13331 4040c4 13330->13331 13332 404327 13330->13332 13331->13332 13334 4040cc GetPrivateProfileStringA 13331->13334 13333 40803d ___ansicp 5 API calls 13332->13333 13335 40433a 13333->13335 13334->13332 13354 4040f8 13334->13354 13335->11669 13336 4014b0 101 API calls 13337 404110 GetPrivateProfileStringA 13336->13337 13338 404145 13337->13338 13339 4014b0 101 API calls 13338->13339 13340 40415a GetPrivateProfileStringA 13339->13340 13341 4014b0 101 API calls 13340->13341 13342 404192 GetPrivateProfileIntA 13341->13342 13343 4014b0 101 API calls 13342->13343 13344 4041c0 GetPrivateProfileStringA 13343->13344 13345 402721 44 API calls 13344->13345 13345->13354 13346 4041ff lstrcmpA 13346->13354 13347 40422d PathUnquoteSpacesA PathAddBackslashA 13347->13354 13348 40425b PathRemoveBackslashA GetFileAttributesA 13348->13354 13349 404288 lstrlenA 13352 404299 StrStrIA 13349->13352 13349->13354 13350 407748 2 API calls 13351 4042fe DeleteFileA 13350->13351 13351->13354 13352->13354 13353 407748 2 API calls 13355 4042cd RemoveDirectoryA 13353->13355 13354->13332 13354->13336 13354->13346 13354->13347 13354->13348 13354->13349 13354->13350 13354->13353 13357 4042dc GetFileAttributesA 13354->13357 13397 407d8f 13354->13397 13355->13357 13357->13354 13359 407d9f 38 API calls 13358->13359 13360 404aba 13359->13360 13360->11685 13362 403ba3 _memset 13361->13362 13363 403c37 GetPrivateProfileIntA 13362->13363 13364 403fc7 13363->13364 13372 403c5a 13363->13372 13365 40803d ___ansicp 5 API calls 13364->13365 13366 
403fd9 GetTempPathA 13365->13366 13366->11667 13366->11668 13367 4014b0 101 API calls 13368 403c7d GetPrivateProfileStringA lstrcmpA 13367->13368 13369 403cb4 StrStrIA 13368->13369 13368->13372 13371 403cd6 StrStrIA 13369->13371 13369->13372 13370 4014b0 101 API calls 13373 403d1d GetPrivateProfileStringA lstrcmpA 13370->13373 13371->13372 13372->13364 13372->13367 13372->13370 13372->13371 13374 40778a 6 API calls 13372->13374 13375 4014b0 101 API calls 13372->13375 13376 4014b0 101 API calls 13372->13376 13378 403e02 lstrlenA 13372->13378 13379 4077f6 3 API calls 13372->13379 13380 4014b0 101 API calls 13372->13380 13381 403d95 PathFindFileNameA 13372->13381 13384 4014b0 101 API calls 13372->13384 13389 403f7a GetFileAttributesA 13372->13389 13394 407eca 5 API calls 13372->13394 13373->13372 13374->13372 13375->13372 13377 403dc4 GetPrivateProfileStringA lstrcmpA 13376->13377 13377->13372 13377->13378 13378->13372 13379->13372 13382 403e2c GetPrivateProfileStringA 13380->13382 13381->13372 13383 402721 44 API calls 13382->13383 13383->13372 13385 403ead GetPrivateProfileStringA StrStrIA 13384->13385 13386 403f4a StrStrIA 13385->13386 13392 403ee4 13385->13392 13386->13372 13387 403f60 PathRemoveArgsA 13386->13387 13387->13372 13388 4014b0 101 API calls 13388->13392 13391 4014b0 101 API calls 13389->13391 13390 407eca 5 API calls 13390->13392 13391->13372 13392->13388 13392->13390 13393 4014b0 101 API calls 13392->13393 13395 403f21 GetPrivateProfileIntA 13393->13395 13394->13372 13395->13372 13396 403f3b DeleteFileA 13395->13396 13396->13372 13400 407831 13397->13400 13401 407875 _memset 13400->13401 13402 4078b2 lstrlenA 13401->13402 13403 407aca 13401->13403 13402->13403 13404 4078c4 GetFileAttributesA 13402->13404 13405 40803d ___ansicp 5 API calls 13403->13405 13404->13403 13406 4078d4 lstrcpyA PathAddBackslashA lstrcatA FindFirstFileA 13404->13406 13407 407add 13405->13407 13406->13403 13408 40791e 13406->13408 13407->13354 13409 407931 lstrcmpA 13408->13409 
13410 407948 lstrcmpA 13409->13410 13411 407a2b FindNextFileA 13409->13411 13410->13411 13412 40795f wsprintfA 13410->13412 13411->13409 13413 407a3c FindClose 13411->13413 13424 407982 13412->13424 13413->13403 13414 407a51 13413->13414 13414->13403 13415 407748 2 API calls 13414->13415 13418 407a70 Sleep RemoveDirectoryA 13415->13418 13416 407748 2 API calls 13419 4079d5 DeleteFileA 13416->13419 13417 407831 7 API calls 13417->13424 13420 407a83 Sleep RemoveDirectoryA 13418->13420 13421 407a8e GetTickCount Sleep 13418->13421 13419->13411 13422 4079e8 GetTickCount GetFileAttributesA 13419->13422 13420->13403 13420->13421 13421->13403 13423 407aa9 GetFileAttributesA 13421->13423 13422->13424 13423->13403 13425 407ab5 GetTickCount 13423->13425 13424->13411 13424->13416 13424->13417 13426 407a08 GetTickCount 13424->13426 13425->13403 13427 407ac4 Sleep 13425->13427 13426->13424 13428 407a12 Sleep GetFileAttributesA 13426->13428 13427->13423 13428->13424 13428->13426 13430 40e965 ___BuildCatchObjectHelper 13429->13430 13431 40f5c4 __lock 67 API calls 13430->13431 13432 40e96c 13431->13432 13433 40e9eb _abort 13432->13433 13434 40e990 13432->13434 13448 40ea26 13433->13448 13436 40a313 __mtterm 67 API calls 13434->13436 13438 40e99b 13436->13438 13440 40a313 __mtterm 67 API calls 13438->13440 13439 40ea23 ___BuildCatchObjectHelper 13439->10604 13445 40e9a9 13440->13445 13442 40ea1a 13443 40e7f5 _malloc 3 API calls 13442->13443 13443->13439 13444 40e9db _abort 13444->13433 13445->13444 13447 40a313 __mtterm 67 API calls 13445->13447 13453 40a30a 13445->13453 13447->13445 13449 40ea07 13448->13449 13450 40ea2c 13448->13450 13449->13439 13452 40f4ec LeaveCriticalSection 13449->13452 13456 40f4ec LeaveCriticalSection 13450->13456 13452->13442 13454 40a29c __initp_misc_cfltcvt_tab 67 API calls 13453->13454 13455 40a311 13454->13455 13455->13445 13456->13449 13458 40a3c6 13457->13458 13462 40a3d2 13457->13462 13459 40a313 __mtterm 67 API calls 13458->13459 13459->13462 13460 
40a3f4 13463 40f4c9 13460->13463 13464 40f4b1 DeleteCriticalSection 13460->13464 13461 40a3e6 TlsFree 13461->13460 13462->13460 13462->13461 13466 40f4db DeleteCriticalSection 13463->13466 13467 40a67f 13463->13467 13465 409934 __freea 67 API calls 13464->13465 13465->13460 13466->13463 13467->10473 13469 40a30a __init_pointers 67 API calls 13468->13469 13470 40ea81 __init_pointers 13469->13470 13479 40d0a4 13470->13479 13473 40a29c __initp_misc_cfltcvt_tab 67 API calls 13474 40a731 13473->13474 13474->10625 13476 40f457 13475->13476 13477 4107e6 ___crtInitCritSecAndSpinCount 67 API calls 13476->13477 13478 40a779 13476->13478 13477->13476 13478->10635 13478->10637 13480 40a29c __initp_misc_cfltcvt_tab 67 API calls 13479->13480 13481 40d0ae 13480->13481 13481->13473 13484 40ef54 13482->13484 13483 4128d7 _parse_cmdline 77 API calls 13483->13484 13484->13483 13486 40efc1 13484->13486 13485 40f0bf 13485->10659 13485->10661 13486->13485 13487 4128d7 77 API calls _parse_cmdline 13486->13487 13487->13486

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00406F5C
                                            • _memset.LIBCMT ref: 00406F77
                                            • _memset.LIBCMT ref: 00406F8B
                                            • _memset.LIBCMT ref: 00406F9F
                                              • Part of subcall function 004020FB: GetModuleFileNameA.KERNEL32(00000104,00000000,00000104,00406FB1,?,00000104,?,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000018), ref: 0040210F
                                              • Part of subcall function 004020FB: PathRemoveFileSpecA.SHLWAPI(00000104), ref: 00402116
                                              • Part of subcall function 004020FB: GetShortPathNameA.KERNEL32(00000104,00000104,?), ref: 00402122
                                            • _memset.LIBCMT ref: 00407012
                                            • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 0040704C
                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00407058
                                              • Part of subcall function 00401D64: _memset.LIBCMT ref: 00401D8D
                                              • Part of subcall function 00401D64: LoadStringA.USER32(?,00000000,00000400), ref: 00401DAB
                                              • Part of subcall function 00401D64: MessageBoxA.USER32(00000000,00000000,Error executing setup.exe,00000010), ref: 00401DDD
                                              • Part of subcall function 00401F22: GetPrivateProfileStringA.KERNEL32(Global,SetupEvent,{E91CEEDA-7895-410a-92E6-9F572FF31F45},?,?,?), ref: 00401F4E
                                              • Part of subcall function 00401F22: lstrlenA.KERNEL32(?), ref: 00401F57
                                            • _memset.LIBCMT ref: 0040713D
                                            • GetPrivateProfileStringA.KERNEL32(system_requirements,programtitle,your StopSign product,?,00000080,?), ref: 00407167
                                            • _memset.LIBCMT ref: 0040717A
                                            • MessageBoxA.USER32(00000000,00000000,Reboot Required,00000010), ref: 004071A8
                                              • Part of subcall function 00402CAB: _memset.LIBCMT ref: 00402CF1
                                              • Part of subcall function 00402CAB: _memset.LIBCMT ref: 00402D05
                                              • Part of subcall function 00402CAB: _memset.LIBCMT ref: 00402D1E
                                              • Part of subcall function 00402CAB: _memset.LIBCMT ref: 00402D2C
                                              • Part of subcall function 00402CAB: GetPrivateProfileIntA.KERNEL32(preinst_tasks,num,000000FF,?), ref: 00402D43
                                              • Part of subcall function 00402CAB: GetPrivateProfileStringA.KERNEL32(preinst_tasks,?,error,?,00000104,?), ref: 00402D95
                                              • Part of subcall function 00402CAB: lstrcmpA.KERNEL32(?,error,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00402DA3
                                              • Part of subcall function 00402CAB: PathRemoveArgsA.SHLWAPI(?), ref: 00402DE1
                                              • Part of subcall function 00402CAB: GetFileAttributesA.KERNELBASE(?), ref: 00402DEB
                                              • Part of subcall function 0040106B: CloseHandle.KERNEL32(?,00000000,?,004010B3,?,?,004010F8,00000001,00000001,00000001,?,004074C0,00000001,00000000,{F074E2DD-0326-4e23-9A96-8F5468397BB2}), ref: 00401084
                                              • Part of subcall function 0040106B: GetLastError.KERNEL32(?,?,004010F8,00000001,00000001,00000001,?,004074C0,00000001,00000000,{F074E2DD-0326-4e23-9A96-8F5468397BB2}), ref: 00401092
                                            • ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00407338
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00407341
                                            • _memset.LIBCMT ref: 0040735A
                                            • PathAppendA.SHLWAPI(?,eac_install00.dat,?,?,?,?,?,?,?), ref: 00407382
                                            • DeleteFileA.KERNELBASE(?,?,?,?,?,?,?,?), ref: 0040738F
                                            Strings
                                            • Your computer must be restarted before %s can be installed., xrefs: 00407186
                                            • programtitle, xrefs: 0040715D
                                            • Reboot Required, xrefs: 0040719E
                                            • your StopSign product, xrefs: 00407158
                                            • eac_install00.dat, xrefs: 00407376
                                            • system_requirements, xrefs: 00407162
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$FilePathPrivateProfileString$CloseHandleMessageMutexNameRemove$AppendArgsAttributesCreateDeleteErrorH_prolog3LastLoadModuleObjectReleaseShortSingleSpecWaitlstrcmplstrlen
                                            • String ID: Reboot Required$Your computer must be restarted before %s can be installed.$eac_install00.dat$programtitle$system_requirements$your StopSign product
                                            • API String ID: 2036024017-2212178825
                                            • Opcode ID: 6323f0666d5b99f8e070c54ce0402b30d549475462f82bfb9f3cd059ee4757d7
                                            • Instruction ID: d58fbe6e136624f7f19aeb796fb33efe59ba3213d92ae688c91a097a68585c15
                                            • Opcode Fuzzy Hash: 6323f0666d5b99f8e070c54ce0402b30d549475462f82bfb9f3cd059ee4757d7
                                            • Instruction Fuzzy Hash: 79C114B291414CAADB31EFA5DC45EDF37ACAF58304F10453BF909E6182EA7897088B65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 00406801
                                            • _memset.LIBCMT ref: 00406816
                                            • _memset.LIBCMT ref: 0040682B
                                            • _memset.LIBCMT ref: 00406840
                                            • _memset.LIBCMT ref: 00406855
                                            • _memset.LIBCMT ref: 00406864
                                            • GetPrivateProfileIntA.KERNEL32(other_files,num,000000FF,?), ref: 0040687A
                                            • GetPrivateProfileStringA.KERNEL32(other_files,?,error,?,00000104,?), ref: 004068C8
                                            • GetPrivateProfileStringA.KERNEL32(other_files,?,error,?,00000104,?), ref: 004068FA
                                            • GetPrivateProfileStringA.KERNEL32(other_files,?,error,?,00000104,?), ref: 00406929
                                            • lstrcmpA.KERNEL32(?,error), ref: 00406937
                                            • lstrcmpA.KERNEL32(?,error), ref: 00406988
                                            • lstrcmpiA.KERNEL32(?,false), ref: 004069B4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$PrivateProfile$String$lstrcmp$lstrcmpi
                                            • String ID: %s\%s$checkVersion%i$clsid%i$error$false$file%i$num$other_files
                                            • API String ID: 1656457007-3183826691
                                            • Opcode ID: 116d2a796fbdbccf94b1ec9354c5459d0c1815ad8a25d5b4a8b1ac8a61329fcd
                                            • Instruction ID: f6ab1a6867c49ac498b8083f72b52e38f001808cc1705c78f3413f0ad20e7ab9
                                            • Opcode Fuzzy Hash: 116d2a796fbdbccf94b1ec9354c5459d0c1815ad8a25d5b4a8b1ac8a61329fcd
                                            • Instruction Fuzzy Hash: 21611BB190124CAEDB709FA5DC85FEF7BBCEF49308F14012AB90DE6151EA349644CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 00402171
                                            • _memset.LIBCMT ref: 00402185
                                            • _memset.LIBCMT ref: 00402199
                                            • GetPrivateProfileStringA.KERNEL32(Global,CompanyDirectory,Acceleration Software,?,00000104,?), ref: 004021BD
                                            • GetPrivateProfileStringA.KERNEL32(Global,Directory,004185A7,?,00000104,?), ref: 004021D5
                                            • GetPrivateProfileStringA.KERNEL32(Global,BaseDirDescrip,ProgramFilesDir,?,00000104,?), ref: 004021ED
                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,75B07390,?), ref: 004021FC
                                            • lstrcmpiA.KERNEL32(?,TempDir), ref: 00402235
                                            • GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,75B07390,?), ref: 00402241
                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,75B07390,?), ref: 00402248
                                            • PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,?,?,75B07390,?), ref: 00402255
                                            • PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,?,?,75B07390,?), ref: 00402263
                                            • GetShortPathNameA.KERNEL32(?,?,?), ref: 004022A0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: Path$PrivateProfileString_memset$Backslashlstrlen$NameShortTemplstrcmpi
                                            • String ID: Acceleration Software$BaseDirDescrip$CompanyDirectory$Directory$Global$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$TempDir
                                            • API String ID: 4042338853-3231188791
                                            • Opcode ID: 2036d1cbf8bb7292540fe420aa452940fe1fc6bae3a20635bc77977d4ea6048e
                                            • Instruction ID: 4bfa455de47515c5eeecac562560e9d2e3b087f3dcb8219498b278c3ba6fc25f
                                            • Opcode Fuzzy Hash: 2036d1cbf8bb7292540fe420aa452940fe1fc6bae3a20635bc77977d4ea6048e
                                            • Instruction Fuzzy Hash: A741537150015DBFDB309BA58D85FEF7BACEF49708F14002EF908E6191DA789A458B25
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$PrivateProfile$Stringlstrcmp
                                            • String ID: %s\%s$com_servers$com_servers_update$error$file%i$num
                                            • API String ID: 3493304777-3464667863
                                            • Opcode ID: ce068cb686f96ba24854b99a6e646db310d424ef6e247009c30d00ccdcecb8cf
                                            • Instruction ID: 4be6ee9b2a7b250e7052269f1fb330035892a3f8d248a2564a7f9b9ae90a4d0a
                                            • Opcode Fuzzy Hash: ce068cb686f96ba24854b99a6e646db310d424ef6e247009c30d00ccdcecb8cf
                                            • Instruction Fuzzy Hash: C74100B190114CAFDF31DFA58C85EDE7BACEF49308F10442EB959E7152DA3896088B69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 00403130
                                            • _memset.LIBCMT ref: 00403144
                                            • GetPrivateProfileStringA.KERNEL32(Global,CustomAppEx,Error,?,00000105,?), ref: 00403187
                                            • lstrcmpiA.KERNEL32(?,Error), ref: 00403197
                                            • GetCommandLineA.KERNEL32(?,?,?,00000001,00000104,00000000), ref: 0040319D
                                            • GetPrivateProfileStringA.KERNEL32(Global,CustomApp,Error,?,00000105,?), ref: 004031FC
                                            • lstrcmpiA.KERNEL32(?,Error), ref: 00403206
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: PrivateProfileString_memsetlstrcmpi$CommandLine
                                            • String ID: %s\%s -preinstall "%s" %s$%s\%s -s "%s"$CustomApp$CustomAppEx$Error$Global
                                            • API String ID: 2560369927-1220533626
                                            • Opcode ID: 61d6d96665c64cbe37803f4a6fb2fecfe1af69726745dc563c7a1e85e58d1245
                                            • Instruction ID: 29f7b3401c5a9152ff4940780f36f69e081d4ac1b0a4a36367acfa64e2895e95
                                            • Opcode Fuzzy Hash: 61d6d96665c64cbe37803f4a6fb2fecfe1af69726745dc563c7a1e85e58d1245
                                            • Instruction Fuzzy Hash: 4941577190024CABDB30DEA5CD85FDE7BACAF09704F20012EBA18F71C2DA7496458B65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 004032A4
                                            • _memset.LIBCMT ref: 004032B8
                                            • GetPrivateProfileStringA.KERNEL32(Global,CustomAppEx,Error,?,00000105,?), ref: 004032FB
                                            • lstrcmpiA.KERNEL32(?,Error), ref: 0040330B
                                            • GetCommandLineA.KERNEL32(?,?,?,00000001,00000104,00000000), ref: 00403311
                                            • GetPrivateProfileStringA.KERNEL32(Global,CustomApp,Error,?,00000104,?), ref: 00403370
                                            • lstrcmpiA.KERNEL32(?,Error), ref: 0040337A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: PrivateProfileString_memsetlstrcmpi$CommandLine
                                            • String ID: %s\%s -f "%s"$%s\%s -postinstall "%s" %s$CustomApp$CustomAppEx$Error$Global
                                            • API String ID: 2560369927-2777481385
                                            • Opcode ID: d3656e770b3c430d0a39f41a43b7f680fa826d22a3c2f7f10c2e553725dbe218
                                            • Instruction ID: 03737d484543425b79c919b5e0c462945a5f8c758a37bac37c055f445dba04bc
                                            • Opcode Fuzzy Hash: d3656e770b3c430d0a39f41a43b7f680fa826d22a3c2f7f10c2e553725dbe218
                                            • Instruction Fuzzy Hash: 4641557190024CABEB30DFA5CD85FDF7BACAF08704F24012ABB18E71C1DA7496498B65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00403407
                                            • _memset.LIBCMT ref: 0040341D
                                            • GetFileAttributesA.KERNELBASE(?,?,?,?,?,00000000,?), ref: 00403434
                                            • GetFileAttributesA.KERNEL32(?,?,?,?,?,00000000,?), ref: 00403445
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: AttributesFile_memset
                                            • String ID:
                                            • API String ID: 231178003-0
                                            • Opcode ID: c0e7395d2e96c95f51aaff800a18221fdba9b134df574a8d8c76d567a2427da7
                                            • Instruction ID: 5adc9cb5d8ddf31eac05476a829708240dfb70d672bad7369d513935ff856b9c
                                            • Opcode Fuzzy Hash: c0e7395d2e96c95f51aaff800a18221fdba9b134df574a8d8c76d567a2427da7
                                            • Instruction Fuzzy Hash: 1421677280021C9ADB21DFB49C84BDE7BACBF48328F114A3BE529E71D1DB3496098B54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 004035A7
                                            • FindFirstFileA.KERNELBASE(?,?,?,00000104,?), ref: 004035B8
                                            • FindClose.KERNEL32(00000000), ref: 004035C4
                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 004035DE
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: FileFindTime$CloseFirstSystem_memset
                                            • String ID:
                                            • API String ID: 3611821325-0
                                            • Opcode ID: 5af89a67121ba3023b6d4196e85ce668b87990d8021ef653b7bdf3c6bf565106
                                            • Instruction ID: c859f473064ffb80472b1b15073a8912823e57a161147d818dd00877be3ca29e
                                            • Opcode Fuzzy Hash: 5af89a67121ba3023b6d4196e85ce668b87990d8021ef653b7bdf3c6bf565106
                                            • Instruction Fuzzy Hash: D611427190061CAFDB64DFA8DD80ADEBBB8BF08305F10452EE919F7291DB3596098B15
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 00406A57
                                            • _memset.LIBCMT ref: 00406A6C
                                            • _memset.LIBCMT ref: 00406A81
                                            • _memset.LIBCMT ref: 00406A96
                                            • _memset.LIBCMT ref: 00406AAB
                                            • _memset.LIBCMT ref: 00406AC0
                                            • _memset.LIBCMT ref: 00406AD8
                                            • _memset.LIBCMT ref: 00406AE7
                                            • GetPrivateProfileIntA.KERNEL32(remote_files,num,000000FF,?), ref: 00406AFC
                                            • GetPrivateProfileStringA.KERNEL32(remote_files,?,error,?,00000105,?), ref: 00406B51
                                            • lstrcmpA.KERNEL32(?,error), ref: 00406B5F
                                            • StrStrIA.SHLWAPI(?,004188A4), ref: 00406B75
                                            • StrStrIA.SHLWAPI(?,NTx), ref: 00406B97
                                            • GetPrivateProfileStringA.KERNEL32(remote_files,?,error,?,00000105,?), ref: 00406BED
                                            • lstrcmpA.KERNEL32(?,error), ref: 00406BFB
                                            • GetPrivateProfileStringA.KERNEL32(remote_files,?,error,?,00000105,?), ref: 00406C4F
                                            • GetPrivateProfileStringA.KERNEL32(remote_files,?,error,?,00000105,?), ref: 00406CC9
                                            • StrStrIA.SHLWAPI(?,DllRegister), ref: 00406CDB
                                            • StrStrIA.SHLWAPI(?,CreateProcess), ref: 00406D18
                                            • PathRemoveArgsA.SHLWAPI(?), ref: 00406D30
                                            • PathRemoveArgsA.SHLWAPI(?), ref: 00406D3D
                                            • GetFileAttributesA.KERNEL32(?), ref: 00406D70
                                              • Part of subcall function 0040778A: _memset.LIBCMT ref: 004077AD
                                              • Part of subcall function 0040778A: GetVersionExA.KERNEL32(?,?,?,75B07390), ref: 004077C6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$PrivateProfile$String$ArgsPathRemovelstrcmp$AttributesFileVersion
                                            • String ID: %s\%s$CreateProcess$DllRegister$NTx$action%i$destination%i$error$file%i$num$os%i$remote_files
                                            • API String ID: 888199263-223495115
                                            • Opcode ID: b74e7e43a492c288be969da6f19c74b2a9a86cf5f2f8c227157240ebeb3b69ca
                                            • Instruction ID: 8e39573338604777598f124ba599fe9f41fbc9ee5b640ee961a43cddf0e45280
                                            • Opcode Fuzzy Hash: b74e7e43a492c288be969da6f19c74b2a9a86cf5f2f8c227157240ebeb3b69ca
                                            • Instruction Fuzzy Hash: 41A11DB190124DAEDF30DFA5DC85FDB3BACEF49305F10412EF909E6191EA7896148B29
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetPrivateProfileIntA.KERNEL32(regkeys,num,00000000,00000001), ref: 00401B3F
                                            • _memset.LIBCMT ref: 00401B7A
                                            • _memset.LIBCMT ref: 00401B8A
                                            • _memset.LIBCMT ref: 00401BA0
                                            • _memset.LIBCMT ref: 00401BB6
                                            • _memset.LIBCMT ref: 00401BCC
                                            • _memset.LIBCMT ref: 00401BE2
                                            • GetPrivateProfileStringA.KERNEL32(regkeys,?,error,?,00000104,?), ref: 00401C17
                                            • GetPrivateProfileStringA.KERNEL32(regkeys,?,error,?,00000104,?), ref: 00401C49
                                            • GetPrivateProfileStringA.KERNEL32(regkeys,?,error,?,00000104,?), ref: 00401C7B
                                            • GetPrivateProfileStringA.KERNEL32(regkeys,?,error,?,00000104,?), ref: 00401CAD
                                            • GetPrivateProfileStringA.KERNEL32(regkeys,?,error,?,00000104,?), ref: 00401CDF
                                            • GetPrivateProfileIntA.KERNEL32(regkeys,?,00000000,?), ref: 00401D06
                                              • Part of subcall function 0040185D: StrStrIA.SHLWAPI(?,hkcr,00000104,regkeys,74DEB530), ref: 004018E6
                                              • Part of subcall function 0040185D: StrStrIA.SHLWAPI(?,null), ref: 00401924
                                              • Part of subcall function 0040185D: _memset.LIBCMT ref: 00401944
                                              • Part of subcall function 0040185D: StrStrIA.SHLWAPI(?,null), ref: 00401960
                                              • Part of subcall function 0040185D: _memset.LIBCMT ref: 0040197A
                                              • Part of subcall function 0040185D: StrStrIA.SHLWAPI(?,reg_sz), ref: 00401A2D
                                              • Part of subcall function 0040185D: lstrlenA.KERNEL32(?), ref: 00401A8D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$PrivateProfile$String$lstrlen
                                            • String ID: base%i$data%i$error$key%i$mode%i$num$regkeys$type%i$value%i
                                            • API String ID: 3172573921-864418624
                                            • Opcode ID: bff0bedd704a438b715fdf8e2327548aa7cde8f387fd3d37dfc6e82f10b87f9e
                                            • Instruction ID: a9944693d9ba9e8d466915959f587edecc2414b99e21bf2c875ec90971837066
                                            • Opcode Fuzzy Hash: bff0bedd704a438b715fdf8e2327548aa7cde8f387fd3d37dfc6e82f10b87f9e
                                            • Instruction Fuzzy Hash: 3A61037150014DAEDF31DBA5CD45FEF7BBCEF45708F10001AB909A6153EA7896058B69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 00402925
                                            • _memset.LIBCMT ref: 0040293B
                                            • _memset.LIBCMT ref: 00402950
                                            • _memset.LIBCMT ref: 00402966
                                            • GetPrivateProfileIntA.KERNEL32(run_wait,num,000000FF,?), ref: 0040297C
                                            • GetPrivateProfileStringA.KERNEL32(run_wait,?,error,?,00000104,?), ref: 004029CA
                                            • lstrcmpA.KERNEL32(?,error,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004029DC
                                            • GetPrivateProfileIntA.KERNEL32(run_wait,?,00000000,?), ref: 00402A2B
                                            • GetCommandLineA.KERNEL32 ref: 00402A34
                                            • lstrcpynA.KERNEL32(?,?,000003FF), ref: 00402A64
                                            • lstrlenA.KERNEL32(?), ref: 00402A71
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$PrivateProfile$CommandLineStringlstrcmplstrcpynlstrlen
                                            • String ID: %s\%s$IncludeCmdLine%i$error$file%i$num$run_wait
                                            • API String ID: 1233448414-563436435
                                            • Opcode ID: e1dba69746632f609cbbb281977cd0836c920dccebaeab431e7086c50018cd6b
                                            • Instruction ID: b1d3101d741610b672d4ad6a0133fa4135e85ca76d650805762bc1e19e54ffd4
                                            • Opcode Fuzzy Hash: e1dba69746632f609cbbb281977cd0836c920dccebaeab431e7086c50018cd6b
                                            • Instruction Fuzzy Hash: CF513D7190024DAFEF20DFA5DD85FDE7BACAF09314F14442AB90CEA191DB7896448B68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 00402B0B
                                            • _memset.LIBCMT ref: 00402B21
                                            • _memset.LIBCMT ref: 00402B36
                                            • _memset.LIBCMT ref: 00402B4C
                                            • GetPrivateProfileIntA.KERNEL32(run,num,000000FF,?), ref: 00402B62
                                            • GetPrivateProfileStringA.KERNEL32(run,?,error,?,00000104,?), ref: 00402BB0
                                            • lstrcmpA.KERNEL32(?,error,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00402BC2
                                            • GetPrivateProfileIntA.KERNEL32(run,?,00000000,?), ref: 00402C11
                                            • GetCommandLineA.KERNEL32 ref: 00402C1A
                                            • lstrcpynA.KERNEL32(?,?,000003FF), ref: 00402C4A
                                            • lstrlenA.KERNEL32(?), ref: 00402C57
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$PrivateProfile$CommandLineStringlstrcmplstrcpynlstrlen
                                            • String ID: %s\%s$IncludeCmdLine%i$error$file%i$num$run
                                            • API String ID: 1233448414-177849020
                                            • Opcode ID: 02ca5f38e51b3460aa11ed2267ab71d58e5f882a3d90daa9f8d00e93f02c2ef2
                                            • Instruction ID: e86552c9d09420653a8ee1e9cc922149108c5856256ae56057d0359dea2a18b7
                                            • Opcode Fuzzy Hash: 02ca5f38e51b3460aa11ed2267ab71d58e5f882a3d90daa9f8d00e93f02c2ef2
                                            • Instruction Fuzzy Hash: D8514C7190424CABEF20DFA5DD85FDE7BBCAF09304F14402AB90DEA191DB789644CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 00402CF1
                                            • _memset.LIBCMT ref: 00402D05
                                            • _memset.LIBCMT ref: 00402D1E
                                            • _memset.LIBCMT ref: 00402D2C
                                            • GetPrivateProfileIntA.KERNEL32(preinst_tasks,num,000000FF,?), ref: 00402D43
                                            • GetPrivateProfileStringA.KERNEL32(preinst_tasks,?,error,?,00000104,?), ref: 00402D95
                                            • lstrcmpA.KERNEL32(?,error,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00402DA3
                                            • PathRemoveArgsA.SHLWAPI(?), ref: 00402DE1
                                            • GetFileAttributesA.KERNELBASE(?), ref: 00402DEB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$PrivateProfile$ArgsAttributesFilePathRemoveStringlstrcmp
                                            • String ID: %s\%s$error$file%i$num$preinst_tasks
                                            • API String ID: 786112777-2462962558
                                            • Opcode ID: ce9413375351fb179d5a24d113947045ab3d267af13739f0742246be9b7af97e
                                            • Instruction ID: f89492fa2119b9035848637cfa1d8e53a4fa3bd0ee1a4002ad841697a30487b1
                                            • Opcode Fuzzy Hash: ce9413375351fb179d5a24d113947045ab3d267af13739f0742246be9b7af97e
                                            • Instruction Fuzzy Hash: D4413FB194014CAEDF30DFA5DC85EDE7BACEB09304F14012EF958E7192EA3496488F69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 00402E70
                                            • _memset.LIBCMT ref: 00402E84
                                            • _memset.LIBCMT ref: 00402E9D
                                            • _memset.LIBCMT ref: 00402EAB
                                            • GetPrivateProfileIntA.KERNEL32(other_tasks,num,000000FF,?), ref: 00402EC2
                                            • GetPrivateProfileStringA.KERNEL32(other_tasks,?,error,?,00000104,?), ref: 00402F14
                                            • lstrcmpA.KERNEL32(?,error,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00402F22
                                            • PathRemoveArgsA.SHLWAPI(?), ref: 00402F60
                                            • GetFileAttributesA.KERNEL32(?), ref: 00402F6A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$PrivateProfile$ArgsAttributesFilePathRemoveStringlstrcmp
                                            • String ID: %s\%s$error$file%i$num$other_tasks
                                            • API String ID: 786112777-1261519855
                                            • Opcode ID: 799f4b109d951957c3c4d3882ab0c0270f2739c9a9bfd70af7cf9da38cb35fd3
                                            • Instruction ID: 9713faefaef541fd63ddbd56f564e4d5602da5ebea7fddc4dfe1351272cdb19e
                                            • Opcode Fuzzy Hash: 799f4b109d951957c3c4d3882ab0c0270f2739c9a9bfd70af7cf9da38cb35fd3
                                            • Instruction Fuzzy Hash: 28410DB194014DAEDF30DFA59C85EDE7BBCEB09314F14012EB958E7192EA3496488B29
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3_catch.LIBCMT ref: 00405E1F
                                            • _memset.LIBCMT ref: 00405E42
                                              • Part of subcall function 004013A0: RegOpenKeyExA.KERNELBASE(?,?,00000000,?,00000000), ref: 004013BA
                                            • _com_raise_error.COMSUPP ref: 00405E7A
                                            • PathAppendA.SHLWAPI(-00000004,-00000004,?,?,?,?,?,?,004074D8,?,?,004074D8,?,8BF44D8D,?,00000001), ref: 00405F73
                                            • GetShortPathNameA.KERNEL32(00000000,00000000,00000104), ref: 00405F7F
                                            • PathFindFileNameA.SHLWAPI(00000000,?,?,PendingFileRenameOperations,?,?,0000005C), ref: 00405F89
                                            • StrStrIA.SHLWAPI(-00000004,00000004,?,?,PendingFileRenameOperations,?,?,0000005C), ref: 00405FC5
                                            • StrStrIA.SHLWAPI(-00000004,00000000,?,?,PendingFileRenameOperations,?,?,0000005C), ref: 00405FE3
                                            • DeleteFileA.KERNEL32(-00000004,?,?,PendingFileRenameOperations,?,?,0000005C), ref: 00406028
                                            • GetLastError.KERNEL32(?,?,PendingFileRenameOperations,?,?,0000005C), ref: 00406038
                                            • GetLastError.KERNEL32(?,?,PendingFileRenameOperations,?,?,0000005C), ref: 0040603F
                                              • Part of subcall function 00401389: RegCloseKey.KERNELBASE(?,?,004013CB), ref: 00401395
                                            Strings
                                            • PendingFileRenameOperations, xrefs: 00405E8D
                                            • System\CurrentControlSet\Control\Session Manager, xrefs: 00405E52
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: Path$ErrorFileLastName$AppendCloseDeleteFindH_prolog3_catchOpenShort_com_raise_error_memset
                                            • String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager
                                            • API String ID: 2733218388-3057196482
                                            • Opcode ID: 518cf3eb921a9cf11537c50aae49d63a78843726c30af8cc5b24f6eb93a5bc1f
                                            • Instruction ID: 541df7062a4722b2009cabc7505d3f0bb3c0da3a8bca69bee946da573d2a7fd3
                                            • Opcode Fuzzy Hash: 518cf3eb921a9cf11537c50aae49d63a78843726c30af8cc5b24f6eb93a5bc1f
                                            • Instruction Fuzzy Hash: 8D8150B19002099FDF14EFA0C995AEE7BB8EF15308F14403EE506B71E1DB78AA45CB59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00404608
                                            • _memset.LIBCMT ref: 0040461C
                                            • _memset.LIBCMT ref: 00404630
                                            • _memset.LIBCMT ref: 00404642
                                            • GetPrivateProfileIntA.KERNEL32(Global,SetInstData,00000001,?), ref: 00404661
                                            • GetCommandLineA.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000104,00000000), ref: 0040466F
                                              • Part of subcall function 004034AF: lstrlenA.KERNEL32(?), ref: 004034CE
                                            • PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004046B3
                                            • GetTempFileNameA.KERNELBASE(?,EAC,00000000,?), ref: 004046C7
                                              • Part of subcall function 0040355D: _memset.LIBCMT ref: 004035A7
                                              • Part of subcall function 0040355D: FindFirstFileA.KERNELBASE(?,?,?,00000104,?), ref: 004035B8
                                              • Part of subcall function 0040355D: FindClose.KERNEL32(00000000), ref: 004035C4
                                              • Part of subcall function 0040355D: FileTimeToSystemTime.KERNEL32(?,?), ref: 004035DE
                                            • DeleteFileA.KERNELBASE(?,?,?), ref: 004046E4
                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004046F3
                                              • Part of subcall function 004022C0: GetFileVersionInfoSizeA.VERSION(?,?), ref: 004022DC
                                              • Part of subcall function 004044C7: _memset.LIBCMT ref: 0040450A
                                              • Part of subcall function 004044C7: PathAddBackslashA.SHLWAPI(?,?,00000104,00000000), ref: 00404534
                                              • Part of subcall function 004044C7: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00404558
                                              • Part of subcall function 004044C7: WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 0040457A
                                              • Part of subcall function 004044C7: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00404595
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: File$_memset$Find$BackslashCloseNamePathTime$ChangeCommandCreateDeleteFirstInfoLineModuleNotificationPrivateProfileSizeSystemTempVersionWritelstrlen
                                            • String ID: EAC$Global$SetInstData
                                            • API String ID: 3470766306-1382955484
                                            • Opcode ID: a0a19306845901dfd7a87287177c0561167909c16a1817a47e693691527d69c2
                                            • Instruction ID: 5253d19efa978a67b3244e43acda6de85e9c3638359169b940b3b9b7825d0871
                                            • Opcode Fuzzy Hash: a0a19306845901dfd7a87287177c0561167909c16a1817a47e693691527d69c2
                                            • Instruction Fuzzy Hash: 4B41FCB290114CAFDB20DFA5DC85FEE7BACAF49304F14412FBA09E7151DA749A48CB24
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 004073D1
                                              • Part of subcall function 004034AF: lstrlenA.KERNEL32(?), ref: 004034CE
                                            • StrChrIA.KERNELBASE(-/+,?), ref: 004073FF
                                            • lstrcmpiA.KERNEL32(?,RegServer), ref: 00407418
                                            • lstrcmpiA.KERNEL32(?,UnregServer), ref: 0040742F
                                            • lstrcmpiA.KERNEL32(?,Uninstall), ref: 00407441
                                            • lstrcmpiA.KERNEL32(?,Delete), ref: 00407459
                                            • lstrcmpiA.KERNEL32(?,StartupDelete), ref: 0040746C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: lstrcmpi$_memsetlstrlen
                                            • String ID: -/+$Delete$RegServer$StartupDelete$Uninstall$UnregServer
                                            • API String ID: 157887750-1614405345
                                            • Opcode ID: e42950b3690a6b57c86ac8cf330fe3fe775f673735963d64cba484b3ecfb3050
                                            • Instruction ID: b8fa5700889af715ff7c4fdf848f0634b92f936ddd4a4910f1a1b889c3f706f4
                                            • Opcode Fuzzy Hash: e42950b3690a6b57c86ac8cf330fe3fe775f673735963d64cba484b3ecfb3050
                                            • Instruction Fuzzy Hash: DB31BBB1D0411C9ADB60EBB59C81EEF7BAC9F45748F10403FB905F3181EA7C95458A7A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00401E2D
                                            • _memset.LIBCMT ref: 00401E41
                                            • lstrlenA.KERNEL32(00000001,?,?,?,00000105,00000104,00000000), ref: 00401E61
                                            • PathAddBackslashA.SHLWAPI(?,?,?,?,00000105,00000104,00000000), ref: 00401E7F
                                            • GetFileAttributesA.KERNELBASE(?,?,?,?,00000105,00000104,00000000), ref: 00401E9E
                                            • lstrlenA.KERNEL32(?,?,?,?,00000105,00000104,00000000), ref: 00401EC1
                                            • GetPrivateProfileStringA.KERNEL32(Global,Signature,error,?,00000104,?), ref: 00401EE5
                                            • lstrcmpA.KERNEL32(?,EAC,?,?,?,00000105,00000104,00000000), ref: 00401EF4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memsetlstrlen$AttributesBackslashFilePathPrivateProfileStringlstrcmp
                                            • String ID: EAC$Global$Signature$error$setup.ini
                                            • API String ID: 3175421070-1642418633
                                            • Opcode ID: 50d1119ef5395ad0ae3795819c97baf7c2ed6a573f4af6f75b0cd4c7188aa345
                                            • Instruction ID: 72becf6a6dae4f713af5162fd632714079c3993bce36423d1bbdaea87a124568
                                            • Opcode Fuzzy Hash: 50d1119ef5395ad0ae3795819c97baf7c2ed6a573f4af6f75b0cd4c7188aa345
                                            • Instruction Fuzzy Hash: B331527290014DABDF309FA8DC85EDE3BBCAF09304F10453AF955E7191DE3896098B69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00406DEF
                                            • GetPrivateProfileIntA.KERNEL32(other_files,num,00000000,?), ref: 00406E25
                                            • _memset.LIBCMT ref: 00406E51
                                            • _memset.LIBCMT ref: 00406E67
                                            • GetPrivateProfileStringA.KERNEL32(other_files,00000000,error,00000000,00000104,004074D8), ref: 00406E96
                                            • lstrcmpiA.KERNEL32(00000000,error), ref: 00406EA4
                                              • Part of subcall function 00404C21: char_traits.LIBCPMT ref: 00404C46
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: PrivateProfile_memset$H_prolog3Stringchar_traitslstrcmpi
                                            • String ID: error$file%i$num$other_files
                                            • API String ID: 1983172434-2663624584
                                            • Opcode ID: ad259a1e00fd6f2362cf4260de2bce9e617b60553b731b4a649c64f21d214fe6
                                            • Instruction ID: e48b559b596b2d1a47e8825eeb34ea3a7ecd507eb4b95c8ba95485ef16e7fc5f
                                            • Opcode Fuzzy Hash: ad259a1e00fd6f2362cf4260de2bce9e617b60553b731b4a649c64f21d214fe6
                                            • Instruction Fuzzy Hash: B5417CB190024DABDB10EFA5CD85BEE7BB8EF58304F14402FE945B7281DA786644CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_catch.LIBCMT ref: 004060E5
                                              • Part of subcall function 004013A0: RegOpenKeyExA.KERNELBASE(?,?,00000000,?,00000000), ref: 004013BA
                                            • _com_raise_error.COMSUPP ref: 00406125
                                            • PathFindFileNameA.SHLWAPI(?,00000001,00000000,?,PendingFileRenameOperations,00000058), ref: 0040618D
                                            • GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 004061A4
                                            • PathFindFileNameA.SHLWAPI(00000000,?,PendingFileRenameOperations,00000058), ref: 004061AE
                                            • StrStrIA.SHLWAPI(-00000004,?,?,?,004074D8,?,?,004074D8,?,004074D8,?,PendingFileRenameOperations,00000058), ref: 00406217
                                            • StrStrIA.SHLWAPI(-00000004,00000000,?,PendingFileRenameOperations,00000058), ref: 00406235
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: NamePath$FileFind$H_prolog3_catchOpenShort_com_raise_error
                                            • String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager
                                            • API String ID: 650926484-3057196482
                                            • Opcode ID: 75d017e867f698f03705e6d0fd1b77a89353b7c7e399366f7e4277404dbebcf2
                                            • Instruction ID: 0310a91c823cfa0ead537e02b612be5d91299666c02167cb51a1a5d702aae3c6
                                            • Opcode Fuzzy Hash: 75d017e867f698f03705e6d0fd1b77a89353b7c7e399366f7e4277404dbebcf2
                                            • Instruction Fuzzy Hash: 296191719001099FDF04EFA1C945AEEBBB8EF18304F15406FE506B71D2DB78AA55CBA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 0040438E
                                            • GetTickCount.KERNEL32 ref: 004043AD
                                            • PathRemoveFileSpecA.SHLWAPI(?), ref: 004043C5
                                              • Part of subcall function 00407600: _memset.LIBCMT ref: 00407638
                                              • Part of subcall function 00407600: lstrlenA.KERNEL32(?,?,?,?), ref: 00407649
                                              • Part of subcall function 00407600: lstrcpyA.KERNEL32(?,?,?,75B05CE0,?,?,?), ref: 00407661
                                              • Part of subcall function 00407600: GetFileAttributesA.KERNELBASE(?,?,0000005C,?,?,?), ref: 004076D6
                                              • Part of subcall function 00407600: CreateDirectoryA.KERNELBASE(?,00000000,?,?,?), ref: 004076E7
                                              • Part of subcall function 00407600: GetFileAttributesA.KERNELBASE(?,00000001,0000002F,00000001,0000005C,?,?,?), ref: 00407704
                                              • Part of subcall function 00407600: CreateDirectoryA.KERNELBASE(?,00000000,?,?,?), ref: 0040770E
                                              • Part of subcall function 00407600: Sleep.KERNELBASE(00000014,?,?,?), ref: 00407716
                                              • Part of subcall function 00407600: GetFileAttributesA.KERNELBASE(?,?,?,?), ref: 0040771D
                                              • Part of subcall function 00407748: GetFileAttributesA.KERNELBASE(004042FE,00000105,00000104,004042FE,?,00000000), ref: 00407756
                                              • Part of subcall function 00407748: SetFileAttributesA.KERNEL32(?,00000000), ref: 0040776B
                                            • CopyFileA.KERNEL32(?,?,?), ref: 004043EE
                                            • SetFileAttributesA.KERNELBASE(?,?), ref: 00404462
                                              • Part of subcall function 00402357: _memset.LIBCMT ref: 004023AD
                                              • Part of subcall function 00402357: _memset.LIBCMT ref: 004023C1
                                              • Part of subcall function 00402357: _memset.LIBCMT ref: 004023D3
                                              • Part of subcall function 00402357: _memset.LIBCMT ref: 004023E7
                                              • Part of subcall function 00402357: PathRemoveFileSpecA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,00000104,74DE8B60), ref: 0040240D
                                              • Part of subcall function 00402357: PathFindFileNameA.SHLWAPI(?,error,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00402425
                                              • Part of subcall function 00402357: GetPrivateProfileStringA.KERNEL32(copy_fail_routine,00000000), ref: 00402431
                                              • Part of subcall function 00402357: lstrcmpiA.KERNEL32(?,MOVE_ON_REBOOT), ref: 00402443
                                              • Part of subcall function 00402357: PathRemoveFileSpecA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,00000104,74DE8B60), ref: 00402464
                                              • Part of subcall function 00402357: PathFindFileNameA.SHLWAPI(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000104,74DE8B60), ref: 00402472
                                              • Part of subcall function 00402357: GetTempFileNameA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,00000104,74DE8B60), ref: 00402480
                                              • Part of subcall function 00402357: CopyFileA.KERNEL32(?,?,00000000), ref: 0040248E
                                            • CopyFileA.KERNEL32(?,?,?), ref: 00404429
                                            • GetTickCount.KERNEL32 ref: 00404434
                                            • Sleep.KERNEL32(000003E8), ref: 0040444E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: File$Attributes_memset$Path$CopyNameRemoveSpec$CountCreateDirectoryFindSleepTick$PrivateProfileStringTemplstrcmpilstrcpylstrlen
                                            • String ID: error
                                            • API String ID: 4089529705-1574812785
                                            • Opcode ID: 8a8e30bb3738027fc6d867e581205c5f0284681b077eea0a5474d8ca40a08a32
                                            • Instruction ID: e057219981e62fd9b5755e4f0968f4b5d220651ed5b0d27a8d9a641c8a520c11
                                            • Opcode Fuzzy Hash: 8a8e30bb3738027fc6d867e581205c5f0284681b077eea0a5474d8ca40a08a32
                                            • Instruction Fuzzy Hash: A33140B19002589BDB309FB5DC44BDF7BB8AB88314F10413EAA09E7292DB3595058F65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00407638
                                            • lstrlenA.KERNEL32(?,?,?,?), ref: 00407649
                                            • lstrcpyA.KERNEL32(?,?,?,75B05CE0,?,?,?), ref: 00407661
                                            • GetFileAttributesA.KERNELBASE(?,?,0000005C,?,?,?), ref: 004076D6
                                            • CreateDirectoryA.KERNELBASE(?,00000000,?,?,?), ref: 004076E7
                                            • GetFileAttributesA.KERNELBASE(?,00000001,0000002F,00000001,0000005C,?,?,?), ref: 00407704
                                            • CreateDirectoryA.KERNELBASE(?,00000000,?,?,?), ref: 0040770E
                                            • Sleep.KERNELBASE(00000014,?,?,?), ref: 00407716
                                            • GetFileAttributesA.KERNELBASE(?,?,?,?), ref: 0040771D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: AttributesFile$CreateDirectory$Sleep_memsetlstrcpylstrlen
                                            • String ID:
                                            • API String ID: 839522043-0
                                            • Opcode ID: 9e665ad7fe686e0260cc6be7466a0bd73cf90f61b579ebe3226898ac7a3cf250
                                            • Instruction ID: aa700739f71c53e7b30c3c46a85ef11de0fb450f541971495505a0bf62a8720b
                                            • Opcode Fuzzy Hash: 9e665ad7fe686e0260cc6be7466a0bd73cf90f61b579ebe3226898ac7a3cf250
                                            • Instruction Fuzzy Hash: 0831C771D089494AD7309B788C84BDE7BA8AB05314F104D3AD562F72C2CB39B4458F29
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 0040450A
                                            • PathAddBackslashA.SHLWAPI(?,?,00000104,00000000), ref: 00404534
                                            • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00404558
                                            • WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 0040457A
                                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00404595
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: File$BackslashChangeCloseCreateFindNotificationPathWrite_memset
                                            • String ID: eac_install00.dat
                                            • API String ID: 685102618-714774003
                                            • Opcode ID: c4bc360be81878ba6a175fe7dbe8ea83c47cbd897b6fef779e52c1b62e74c5a1
                                            • Instruction ID: 85c67574ba9122a3f0a21e76837206d2ce26979bcf3c3bb5a17c5eddc3d7d9c4
                                            • Opcode Fuzzy Hash: c4bc360be81878ba6a175fe7dbe8ea83c47cbd897b6fef779e52c1b62e74c5a1
                                            • Instruction Fuzzy Hash: FD211EB290111CAFDB20DFB5DC84EEE77BCAB49314F14413EB615E3282DA3899098F64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00407E37
                                            • CreateProcessA.KERNELBASE(00000000,000000FF,00000000,00000000,00000001,00000000,00000000,00000000,004015B0,?,?,74DF3310,00000105), ref: 00407E74
                                            • CloseHandle.KERNEL32(004015B0,?,74DF3310,00000105), ref: 00407E87
                                            • WaitForSingleObject.KERNEL32(?,?,?,74DF3310,00000105), ref: 00407E8F
                                            • GetExitCodeProcess.KERNELBASE(?,000000FF), ref: 00407EA0
                                            • CloseHandle.KERNEL32(?,?,74DF3310,00000105), ref: 00407EC1
                                            Similarity
                                            • API ID: CloseHandleProcess$CodeCreateExitObjectSingleWait_memset
                                            • String ID:
                                            • API String ID: 3666309416-0
                                            • Opcode ID: 4c491774c3dab2b46cb9e0510a14fb91f0c3accabafb9551020b79e4b1b1f75a
                                            • Instruction ID: 2c48cea2d46787073327d2815dd7b80d938208d644d4c476bd198355be9983d2
                                            • Opcode Fuzzy Hash: 4c491774c3dab2b46cb9e0510a14fb91f0c3accabafb9551020b79e4b1b1f75a
                                            • Instruction Fuzzy Hash: 4F115630902229BACF21CBA5CC499EFBF79EF04360F204165E914B61E0C734AE05CAA6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetPrivateProfileStringA.KERNEL32(Global,SetupEvent,{E91CEEDA-7895-410a-92E6-9F572FF31F45},?,?,?), ref: 00401F4E
                                            • lstrlenA.KERNEL32(?), ref: 00401F57
                                            Strings
                                            Similarity
                                            • API ID: PrivateProfileStringlstrlen
                                            • String ID: Global$SetupEvent${E91CEEDA-7895-410a-92E6-9F572FF31F45}
                                            • API String ID: 481098906-4214732706
                                            • Opcode ID: 8fffce9d427cfcf6b84b183ceb45382b920288bc9618efa146961812ac420bb3
                                            • Instruction ID: 93dbdfa6c63f65ee8beab8973d46be1f396f67181b9b8569f6b7ace18cd8c5c1
                                            • Opcode Fuzzy Hash: 8fffce9d427cfcf6b84b183ceb45382b920288bc9618efa146961812ac420bb3
                                            • Instruction Fuzzy Hash: 36E0ED3154430EBBCF105EB09C049AB3B65EB08761718C53BB918D41A0EB79C690DB58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetPrivateProfileStringA.KERNEL32(Global,SetupMutex,004185A7,?,?,?), ref: 00401F96
                                            • lstrlenA.KERNEL32(?), ref: 00401F9F
                                            Strings
                                            Similarity
                                            • API ID: PrivateProfileStringlstrlen
                                            • String ID: Global$SetupMutex
                                            • API String ID: 481098906-2847169281
                                            • Opcode ID: 0115a586423788c578ce63bd6849bec155fb695c3f9709ba096542cee7134cbb
                                            • Instruction ID: e3b4ab7092c77050de3ab1e1f13ea2d8880fb36cf200b73c493ccae10ed0875a
                                            • Opcode Fuzzy Hash: 0115a586423788c578ce63bd6849bec155fb695c3f9709ba096542cee7134cbb
                                            • Instruction Fuzzy Hash: 17E0ED31A5020EBFCF105FA0DC04AAB3B65EB04751B58843BB91DD51A1EB7DC6A0DB58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetPrivateProfileIntA.KERNEL32(Global,Reboot,00000000,?), ref: 00404493
                                            • DialogBoxParamA.USER32(00000096,00000000,Function_00002FA9,?), ref: 004044B4
                                              • Part of subcall function 0040305A: GetCurrentProcess.KERNEL32(00000028,?), ref: 00403086
                                              • Part of subcall function 0040305A: OpenProcessToken.ADVAPI32(00000000), ref: 0040308D
                                              • Part of subcall function 0040305A: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004030A1
                                              • Part of subcall function 0040305A: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004030BC
                                              • Part of subcall function 0040305A: GetLastError.KERNEL32 ref: 004030C2
                                            Strings
                                            Similarity
                                            • API ID: ProcessToken$AdjustCurrentDialogErrorLastLookupOpenParamPrivatePrivilegePrivilegesProfileValue
                                            • String ID: Global$Reboot
                                            • API String ID: 1174996808-1954503630
                                            • Opcode ID: 05127cd962aa38f67b64b8db5f9edcbf40eff94162dc83a307bd23f554f0d76c
                                            • Instruction ID: 176c68b7b21ff1f6369a79e7b1ddf9839b0b0aec7d532f6ff31cde73fedd856b
                                            • Opcode Fuzzy Hash: 05127cd962aa38f67b64b8db5f9edcbf40eff94162dc83a307bd23f554f0d76c
                                            • Instruction Fuzzy Hash: 07D05E746913017ADB612B618E06F4A3A62EB45B02F208A3EF208F10E1CEB9C8506A1D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00406531
                                            • GetFileAttributesA.KERNELBASE(?,0000001C,004069E1,?,?,?,?,?), ref: 00406539
                                            • lstrlenA.KERNEL32(?,00000001,00000000,?), ref: 004065DD
                                            Similarity
                                            • API ID: AttributesFileH_prolog3lstrlen
                                            • String ID:
                                            • API String ID: 3696322227-0
                                            • Opcode ID: f68aedd37fd377391395fd114091883ae876c10788514d40234116f7e3269a42
                                            • Instruction ID: 6a2481bad1be399b732868541dd0c37a05a11369c2f4b7ca009fba253182cf54
                                            • Opcode Fuzzy Hash: f68aedd37fd377391395fd114091883ae876c10788514d40234116f7e3269a42
                                            • Instruction Fuzzy Hash: 752123B1500204BADF206F20ED42B9F3628DF54328F22403BF902B12D5DE7CDE60962C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileVersionInfoSizeA.VERSION(?,?), ref: 004022DC
                                            • GetFileVersionInfoA.VERSION(?,?,?,00000000,?,?), ref: 00402306
                                            • VerQueryValueA.VERSION(?,004185B8,?,?,?,?,?,00000000,?,?), ref: 0040231F
                                            Similarity
                                            • API ID: FileInfoVersion$QuerySizeValue
                                            • String ID:
                                            • API String ID: 2179348866-0
                                            • Opcode ID: b57c4a706694668cf8fb3fe0a9d7a5e3919bb8a44a2d7311965ec12cd19641f3
                                            • Instruction ID: 43bb413d85b82f3296277d979c963863b3848cfdeb7ab52dce6d6efc95f838b5
                                            • Opcode Fuzzy Hash: b57c4a706694668cf8fb3fe0a9d7a5e3919bb8a44a2d7311965ec12cd19641f3
                                            • Instruction Fuzzy Hash: 19119472D00119BACF109FA5DD418DFBBBEEF44750B24407BF904F2190DA799E418BA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyExA.KERNELBASE(?,00000001,00000000,00020019,?,00000000,?,?,00407819,?,00000001,?,?,80000002,004027FF,75B07390), ref: 0040751D
                                            • RegQueryValueExA.KERNELBASE(?,?,00000000,?,80000002,004027FF,?,?,00407819,?,00000001,?,?,80000002,004027FF,75B07390), ref: 00407537
                                            • RegCloseKey.ADVAPI32(?,?,?,00407819,?,00000001,?,?,80000002,004027FF,75B07390,?,?,004027FF,80000002,Software\Microsoft\Windows\CurrentVersion), ref: 00407545
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID:
                                            • API String ID: 3677997916-0
                                            • Opcode ID: dfce0983bf69d03c9ee70c24b499764e543c126dcd8fe070122fab8588fa6b55
                                            • Instruction ID: dfe1fd81fc64b9225ad0528603363718575f35f9b4f72094f050525069bd459b
                                            • Opcode Fuzzy Hash: dfce0983bf69d03c9ee70c24b499764e543c126dcd8fe070122fab8588fa6b55
                                            • Instruction Fuzzy Hash: 6EF0F47190012CFBCF228F91DC059DFBF69EF08B94B00802AB905A0160D735DA20EBE5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleFileNameA.KERNEL32(00000104,00000000,00000104,00406FB1,?,00000104,?,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000018), ref: 0040210F
                                            • PathRemoveFileSpecA.SHLWAPI(00000104), ref: 00402116
                                            • GetShortPathNameA.KERNEL32(00000104,00000104,?), ref: 00402122
                                            Similarity
                                            • API ID: FileNamePath$ModuleRemoveShortSpec
                                            • String ID:
                                            • API String ID: 3744419984-0
                                            • Opcode ID: a248c7a7c764adff5f02f8e797e91808bafce579de92b05c39ca4da3fa1bbcd8
                                            • Instruction ID: 0a6d889d949ff274121ec58bf0418162d9dace52b9dc1b29447643951b688c10
                                            • Opcode Fuzzy Hash: a248c7a7c764adff5f02f8e797e91808bafce579de92b05c39ca4da3fa1bbcd8
                                            • Instruction Fuzzy Hash: 4BE0123241A530BFC7121B65BC089CF7F65EF4E330706C669F618961B0CB7588559BE9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000,00409820,00000001), ref: 0040F371
                                            • HeapDestroy.KERNEL32 ref: 0040F3A7
                                            Similarity
                                            • API ID: Heap$CreateDestroy
                                            • String ID:
                                            • API String ID: 3296620671-0
                                            • Opcode ID: dabe01270766959a9875afda75543a2f033b41b5561142c5b40beb7039268b1c
                                            • Instruction ID: 41d718c34a0203af0eeef80d4dc23c157943311e3ea41a8c4827b485e5432545
                                            • Opcode Fuzzy Hash: dabe01270766959a9875afda75543a2f033b41b5561142c5b40beb7039268b1c
                                            • Instruction Fuzzy Hash: 25E09276A55301ABDB709F329E0A3A67994F7087A6F00883BFC01E55E1FF788409960E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileAttributesA.KERNELBASE(004042FE,00000105,00000104,004042FE,?,00000000), ref: 00407756
                                            • SetFileAttributesA.KERNEL32(?,00000000), ref: 0040776B
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: 2f5ba36c30286cd759162d97d3a6f4bdf27c0d4f4ce82bba737da3e2065091c4
                                            • Instruction ID: eb31cfb99d04d79db5003e883e4a2df6572e430cc6ab3f01c51cf63b3459d31c
                                            • Opcode Fuzzy Hash: 2f5ba36c30286cd759162d97d3a6f4bdf27c0d4f4ce82bba737da3e2065091c4
                                            • Instruction Fuzzy Hash: 98E09B319082319BC3214E38EC0481BB695ABC57A17164739FC71E32E0DB34AC1587D5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ___crtCorExitProcess.LIBCMT ref: 0040E7F9
                                              • Part of subcall function 0040E7CF: GetModuleHandleA.KERNEL32(mscoree.dll,0040E7FE,00000214,0040A09B,000000FF,0000001E,00000001,00000000,00000000,?,004101BE,0040A4E1,00000001,00000001,0040F54E,00000018), ref: 0040E7D4
                                              • Part of subcall function 0040E7CF: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7E4
                                            • ExitProcess.KERNEL32 ref: 0040E803
                                            Similarity
                                            • API ID: ExitProcess$AddressHandleModuleProc___crt
                                            • String ID:
                                            • API String ID: 2427264223-0
                                            • Opcode ID: c0841f575cf44d1cf5f975cc9f39ca7cb0f7daefaf5e20e7751a11b4a8a9f290
                                            • Instruction ID: aa71ba019415cc69d5d8f7090601f59af8be81d84f1e4ee3ec2994eb32d53244
                                            • Opcode Fuzzy Hash: c0841f575cf44d1cf5f975cc9f39ca7cb0f7daefaf5e20e7751a11b4a8a9f290
                                            • Instruction Fuzzy Hash: 27B00231154100BFD6452B12DE4B45D7BF7EF84B15F10983DF08555071DF755C61BA05
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_catch_GS.LIBCMT ref: 00405CF8
                                            Similarity
                                            • API ID: H_prolog3_catch_
                                            • String ID:
                                            • API String ID: 1329019490-0
                                            • Opcode ID: 8a78b23f6ba3e07bebbf306c8b25c8172d9413d56562bcc03063d82390e25d84
                                            • Instruction ID: 9913942a0330cafda671697920440429c2bcd7ac6bbc5b233bcc31bcc9bb6c2c
                                            • Opcode Fuzzy Hash: 8a78b23f6ba3e07bebbf306c8b25c8172d9413d56562bcc03063d82390e25d84
                                            • Instruction Fuzzy Hash: B13149B1900509AFDB10EF95D8859EEB7B8EF04308F10443FF505B7292DB38AA44CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 00401406
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: d9060a8ba1589279c315c27fb32bd9790813b2f189b6024b7f3706cd277b8bdb
                                            • Instruction ID: 71a9e5d034ff823006c1005208e1f7c59ffcc4bb74324f889273768b90d34472
                                            • Opcode Fuzzy Hash: d9060a8ba1589279c315c27fb32bd9790813b2f189b6024b7f3706cd277b8bdb
                                            • Instruction Fuzzy Hash: D7015632204209AFDB308E54C844BABB7E9AF51314F25443FE955E76B0D375D544CB59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyExA.KERNELBASE(?,?,00000000,?,00000000), ref: 004013BA
                                              • Part of subcall function 00401389: RegCloseKey.KERNELBASE(?,?,004013CB), ref: 00401395
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: CloseOpen
                                            • String ID:
                                            • API String ID: 47109696-0
                                            • Opcode ID: 55e43c27b05840d8b83f8f0ce14ea6e116f010b6d3367cb15696e5998da25824
                                            • Instruction ID: 857d4e8cde5cc53a5cccd5d04fbd6a46cf784f9f079722afee081473e41aa118
                                            • Opcode Fuzzy Hash: 55e43c27b05840d8b83f8f0ce14ea6e116f010b6d3367cb15696e5998da25824
                                            • Instruction Fuzzy Hash: 1DE01A72100208FBEB149F41DC02FAE7BA9EB54754F104029FC01A6290D7B5AF10AB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegCloseKey.KERNELBASE(?,?,004013CB), ref: 00401395
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: a16417724fe0a533c04f58b40b58099c17f43b95c2bf949b0fc2c80cc8966b2e
                                            • Instruction ID: a145e068183f21441c3cc94e16fb1c7db788afcc6032d7caddb246e00cbb4812
                                            • Opcode Fuzzy Hash: a16417724fe0a533c04f58b40b58099c17f43b95c2bf949b0fc2c80cc8966b2e
                                            • Instruction Fuzzy Hash: 32C08C3222221287EB384F28B8107A233D45F08322F12087EA481D2540CB74C8408658
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00403B9E
                                            • _memset.LIBCMT ref: 00403BB3
                                            • _memset.LIBCMT ref: 00403BC8
                                            • _memset.LIBCMT ref: 00403BDD
                                            • _memset.LIBCMT ref: 00403BF2
                                            • _memset.LIBCMT ref: 00403C07
                                            • _memset.LIBCMT ref: 00403C1F
                                            • _memset.LIBCMT ref: 00403C32
                                            • GetPrivateProfileIntA.KERNEL32(uninstall_tasks,num,000000FF,00000001), ref: 00403C48
                                            • GetPrivateProfileStringA.KERNEL32(uninstall_tasks,?,all,?,00000104,?), ref: 00403C98
                                            • lstrcmpA.KERNEL32(?,all), ref: 00403CAA
                                            • StrStrIA.SHLWAPI(?,004188A4), ref: 00403CC0
                                            • StrStrIA.SHLWAPI(?,NTx), ref: 00403CE2
                                            • GetPrivateProfileStringA.KERNEL32(uninstall_tasks,?,error,?,00000104,?), ref: 00403D38
                                            • lstrcmpA.KERNEL32(?,error), ref: 00403D4A
                                            • PathFindFileNameA.SHLWAPI(?,80000000,?,004185A7,00000001,?,00000207), ref: 00403D99
                                            • GetPrivateProfileStringA.KERNEL32(uninstall_tasks,?,error,?,00000104,?), ref: 00403DDF
                                            • lstrcmpA.KERNEL32(?,error), ref: 00403DF1
                                            • lstrlenA.KERNEL32(?), ref: 00403E09
                                            • GetPrivateProfileStringA.KERNEL32(uninstall_tasks,?,error,?,00000104,?), ref: 00403E4E
                                            • GetPrivateProfileStringA.KERNEL32(uninstall_tasks,?,error,?,00000104,?), ref: 00403EC8
                                            • StrStrIA.SHLWAPI(?,DllUnregister), ref: 00403EDA
                                            • GetPrivateProfileIntA.KERNEL32(uninstall_tasks,?,00000000,?), ref: 00403F31
                                            • DeleteFileA.KERNEL32(?), ref: 00403F42
                                              • Part of subcall function 0040778A: _memset.LIBCMT ref: 004077AD
                                              • Part of subcall function 0040778A: GetVersionExA.KERNEL32(?,?,?,75B07390), ref: 004077C6
                                            • StrStrIA.SHLWAPI(?,CreateProcess), ref: 00403F56
                                            • PathRemoveArgsA.SHLWAPI(?), ref: 00403F6E
                                            • GetFileAttributesA.KERNEL32(?), ref: 00403F81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$PrivateProfile$String$Filelstrcmp$Path$ArgsAttributesDeleteFindNameRemoveVersionlstrlen
                                            • String ID: %s\%s$%s\regsvr32.exe /u /s "%s"$CLSID\%s\InProcServer32$CreateProcess$DllUnregister$NTx$action%i$all$clsid%i$error$file%i$location%i$num$os%i$remove%i$uninstall_tasks
                                            • API String ID: 1948402102-3016758009
                                            • Opcode ID: 5132f5187592bfc9477f7433bd02156eb586ce552dc22041af5c108c5cd4bb4c
                                            • Instruction ID: 632e6cd0343eac6843a79ff753bb11642b91f8c8e7a29dbc8769313a6cf4f429
                                            • Opcode Fuzzy Hash: 5132f5187592bfc9477f7433bd02156eb586ce552dc22041af5c108c5cd4bb4c
                                            • Instruction Fuzzy Hash: 64C1207194428DAAEF30DFA1CC45FDB3BACEF55705F50402EF948E6091EB78A2058B69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00404022
                                            • _memset.LIBCMT ref: 00404037
                                            • _memset.LIBCMT ref: 00404046
                                            • _memset.LIBCMT ref: 0040405B
                                            • _memset.LIBCMT ref: 00404070
                                            • _memset.LIBCMT ref: 00404085
                                            • _memset.LIBCMT ref: 0040409D
                                            • GetPrivateProfileIntA.KERNEL32(uninstall_objects,num,00000000,00000001), ref: 004040B2
                                            • GetPrivateProfileStringA.KERNEL32(uninstall_info,IdString,error,?,00000104,?), ref: 004040E6
                                            • GetPrivateProfileStringA.KERNEL32(uninstall_objects,?,error,?,00000104,?), ref: 0040412B
                                            • GetPrivateProfileStringA.KERNEL32(uninstall_objects,?,?,?,00000104,?), ref: 00404177
                                            • GetPrivateProfileIntA.KERNEL32(uninstall_objects,?,00000000,?), ref: 004041A2
                                            • GetPrivateProfileStringA.KERNEL32(uninstall_objects,?,error,?,00000104,?), ref: 004041D8
                                              • Part of subcall function 00402721: _memset.LIBCMT ref: 0040275C
                                              • Part of subcall function 00402721: lstrcpynA.KERNEL32(00000000,?,00000105), ref: 00402771
                                              • Part of subcall function 00402721: lstrcmpA.KERNEL32(00000000,error), ref: 00402783
                                              • Part of subcall function 00402721: StrStrIA.SHLWAPI(00000000,InstallDir), ref: 004027A6
                                              • Part of subcall function 00402721: lstrlenA.KERNEL32(?,80000002,Software\Microsoft\Windows\CurrentVersion,ProgramFilesDir,00000001,?,?), ref: 004028B2
                                              • Part of subcall function 00402721: PathRemoveBackslashA.SHLWAPI(?), ref: 004028BD
                                            • lstrcmpA.KERNEL32(?,error), ref: 0040420B
                                            • PathUnquoteSpacesA.SHLWAPI(?), ref: 00404234
                                            • PathAddBackslashA.SHLWAPI(?), ref: 00404241
                                            • PathRemoveBackslashA.SHLWAPI(?), ref: 00404262
                                            • GetFileAttributesA.KERNEL32(?), ref: 0040426F
                                            • lstrlenA.KERNEL32(?), ref: 0040428F
                                            • StrStrIA.SHLWAPI(?,?), ref: 004042A7
                                            • RemoveDirectoryA.KERNEL32(?), ref: 004042D6
                                            • GetFileAttributesA.KERNEL32(?), ref: 004042E3
                                            • DeleteFileA.KERNEL32(?), ref: 00404307
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$PrivateProfile$PathString$BackslashFileRemove$Attributeslstrcmplstrlen$DeleteDirectorySpacesUnquotelstrcpyn
                                            • String ID: IdString$IdString%i$error$force%i$location%i$num$object%i$uninstall_info$uninstall_objects
                                            • API String ID: 633846315-2227877767
                                            • Opcode ID: 72c3a7ea08f8b4fae695ebd71b0f4e4279f5d4696f7a5cd464e4fccf0793361e
                                            • Instruction ID: 9b6380e2e78d5dfbfea50ec01d12be03cefead50ce7976942412b4355cce7ec0
                                            • Opcode Fuzzy Hash: 72c3a7ea08f8b4fae695ebd71b0f4e4279f5d4696f7a5cd464e4fccf0793361e
                                            • Instruction Fuzzy Hash: 6091F0B190024CAEDB309FA5DD85FDB3B6CEB45305F10442EB909E6192DB3896088F69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00407870
                                            • _memset.LIBCMT ref: 0040788D
                                            • _memset.LIBCMT ref: 004078A2
                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 004078B3
                                            • GetFileAttributesA.KERNEL32(00000001,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 004078C5
                                            • lstrcpyA.KERNEL32(?,00000001,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 004078DC
                                            • PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 004078E9
                                            • lstrcatA.KERNEL32(?,*.*,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 004078FB
                                            • FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 0040790C
                                            • lstrcmpA.KERNEL32(?,00418AE8,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 0040793A
                                            • lstrcmpA.KERNEL32(?,00418AE4,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 00407951
                                            • wsprintfA.USER32 ref: 00407970
                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 004079DE
                                            • GetTickCount.KERNEL32 ref: 004079E8
                                            • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 004079F7
                                            • GetTickCount.KERNEL32 ref: 00407A08
                                            • Sleep.KERNEL32(00000005,?,?,?,?,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 00407A14
                                            • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 00407A1D
                                            • FindNextFileA.KERNEL32(?,?,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 00407A32
                                            • FindClose.KERNEL32(?,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 00407A3F
                                            • Sleep.KERNEL32(00000064,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 00407A74
                                            • RemoveDirectoryA.KERNEL32(00000001,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 00407A7D
                                            • Sleep.KERNEL32(00000014,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 00407A85
                                            • RemoveDirectoryA.KERNEL32(00000001,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 00407A88
                                            • GetTickCount.KERNEL32 ref: 00407A94
                                            • Sleep.KERNEL32(00000064,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 00407A9B
                                            • GetFileAttributesA.KERNEL32(00000001,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 00407AAA
                                            • GetTickCount.KERNEL32 ref: 00407AB5
                                            • Sleep.KERNEL32(00000005,?,?,?,?,?,?,00000105,00000104,uninstall_objects), ref: 00407AC6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: File$Sleep$AttributesCountTick$Find_memset$DirectoryRemovelstrcmp$BackslashCloseDeleteFirstNextPathlstrcatlstrcpylstrlenwsprintf
                                            • String ID: %s\%s$*.*$uninstall_objects
                                            • API String ID: 586935804-4247370819
                                            • Opcode ID: 1b5b7523c15325b38e477a3ce06f23cee7a70eb0e6e88a7789872a0789c886a0
                                            • Instruction ID: 6fb713f622c32b170d7d08f1660c9ce9e833be40a1d6381df9715c09bd14196f
                                            • Opcode Fuzzy Hash: 1b5b7523c15325b38e477a3ce06f23cee7a70eb0e6e88a7789872a0789c886a0
                                            • Instruction Fuzzy Hash: 6A715271E0424DABDB309FA4DC88BDE3B6CAF08314F24452BE509F61D1DB38A6458F29
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 004048E1
                                            • _memset.LIBCMT ref: 004048F5
                                            • _memset.LIBCMT ref: 00404909
                                            • _memset.LIBCMT ref: 0040491D
                                            • _memset.LIBCMT ref: 00404931
                                            • _memset.LIBCMT ref: 0040493F
                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 00404957
                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0040495E
                                            • PathRemoveFileSpecA.SHLWAPI(?), ref: 0040498A
                                              • Part of subcall function 00401514: _memset.LIBCMT ref: 00401545
                                              • Part of subcall function 00401514: GetFileAttributesA.KERNEL32(?,00000105,00000104,?,?,00000000), ref: 00401584
                                            • SetCurrentDirectoryA.KERNEL32(?), ref: 004049C0
                                            • PathAddBackslashA.SHLWAPI(?), ref: 004049EC
                                            • GetPrivateProfileStringA.KERNEL32(uninstall_info,IdString,error,?,00000104,?), ref: 00404A41
                                            • lstrcmpA.KERNEL32(?,error), ref: 00404A4C
                                            • lstrlenA.KERNEL32(?), ref: 00404A5E
                                            • PathQuoteSpacesA.SHLWAPI(?), ref: 00404A73
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$FilePath$Module$AttributesBackslashCurrentDirectoryHandleNamePrivateProfileQuoteRemoveSpacesSpecStringlstrcmplstrlen
                                            • String ID: /Delete$ /StartupDelete$.ini$IdString$Software\Microsoft\Windows\CurrentVersion\RunOnce$error$uninstall_info
                                            • API String ID: 1724738521-1155037004
                                            • Opcode ID: 3a995515af7f4965cec5e47ba863202ebc38de962caaa6d3d954681940399247
                                            • Instruction ID: 0eba11f71629f177b1fc985a17c148c49d295e2e75b9ca8296bf7a2b88e60c46
                                            • Opcode Fuzzy Hash: 3a995515af7f4965cec5e47ba863202ebc38de962caaa6d3d954681940399247
                                            • Instruction Fuzzy Hash: A0910EB250424CAEDB70DFA4DC85EDB37ACAF49305F14042EBA49D6091DF38A748CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • StrStrIA.SHLWAPI(?,hkcr,00000104,regkeys,74DEB530), ref: 004018E6
                                            • StrStrIA.SHLWAPI(?,hkcu), ref: 004018FB
                                            • StrStrIA.SHLWAPI(?,null), ref: 00401924
                                            • _memset.LIBCMT ref: 00401944
                                            • StrStrIA.SHLWAPI(?,null), ref: 00401960
                                            • _memset.LIBCMT ref: 0040197A
                                            • StrStrIA.SHLWAPI(?,%InstallDir%), ref: 0040198F
                                            • _memset.LIBCMT ref: 004019AA
                                              • Part of subcall function 004016E1: _memset.LIBCMT ref: 00401746
                                              • Part of subcall function 004016E1: _memset.LIBCMT ref: 0040175A
                                              • Part of subcall function 004016E1: _memset.LIBCMT ref: 00401768
                                              • Part of subcall function 004016E1: GetPrivateProfileStringA.KERNEL32(Global,CompanyDirectory,Acceleration Software,?,00000105,00000001), ref: 00401792
                                              • Part of subcall function 004016E1: GetPrivateProfileStringA.KERNEL32(Global,Directory,Acceleration Software,?,00000105,?), ref: 004017AA
                                              • Part of subcall function 004016E1: GetPrivateProfileStringA.KERNEL32(Global,BaseDirDescrip,ProgramFilesDir,?,00000105,?), ref: 004017BF
                                              • Part of subcall function 004016E1: SHGetValueA.SHLWAPI(80000002,Software\Microsoft\Windows\CurrentVersion,?,?,?,?,?,?,?,?,?,?,75B07390,00000104,74DF0440), ref: 004017E9
                                              • Part of subcall function 004016E1: lstrlenA.KERNEL32(?,?,?,?,?,?,?,75B07390,00000104,74DF0440), ref: 004017FA
                                              • Part of subcall function 004016E1: PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,?,75B07390,00000104,74DF0440), ref: 0040180D
                                              • Part of subcall function 004016E1: PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,?,75B07390,00000104,74DF0440), ref: 00401822
                                            • _memset.LIBCMT ref: 004019D5
                                            • lstrlenA.KERNEL32(?,?,00000105,?,?,00000105), ref: 004019EE
                                            • lstrlenA.KERNEL32(?,?,00000000), ref: 004019FB
                                            • StrStrIA.SHLWAPI(?,reg_sz), ref: 00401A2D
                                            • StrStrIA.SHLWAPI(?,reg_dword), ref: 00401A3E
                                            • lstrlenA.KERNEL32(?), ref: 00401A4E
                                            • StrToIntA.SHLWAPI(?), ref: 00401A5B
                                            • lstrlenA.KERNEL32(?), ref: 00401A8D
                                            • SHSetValueA.SHLWAPI(?,?,?,00000000,?,00000000), ref: 00401AAE
                                            • SHDeleteValueA.SHLWAPI(?,?,?), ref: 00401AD5
                                            • SHDeleteKeyA.SHLWAPI(?,?), ref: 00401AE3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$lstrlen$PrivateProfileStringValue$BackslashDeletePath
                                            • String ID: %InstallDir%$hkcr$hkcu$hklm$null$reg_dword$reg_sz$regkeys
                                            • API String ID: 2492713935-1866392985
                                            • Opcode ID: fb8c9e1b33eebfc21c5d6d012ac898edaac1a8a70725e1e315b3b5622fc825e8
                                            • Instruction ID: bae5313fc427c34ad4bc5552907f6af5b8e951d6f1375d6c848e9136071ca48d
                                            • Opcode Fuzzy Hash: fb8c9e1b33eebfc21c5d6d012ac898edaac1a8a70725e1e315b3b5622fc825e8
                                            • Instruction Fuzzy Hash: F8712E71A01349AAEF319BA58D84BEF7ABCAF45304F14403BE909B61A1DB789941CF19
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 004039B2
                                            • _memset.LIBCMT ref: 004039C6
                                            • _memset.LIBCMT ref: 004039DA
                                            • _memset.LIBCMT ref: 004039EE
                                            • _memset.LIBCMT ref: 00403A02
                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 00403A13
                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,74DEE800,00000000), ref: 00403A1A
                                            • PathRemoveFileSpecA.SHLWAPI(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,74DEE800), ref: 00403A47
                                              • Part of subcall function 00401DF0: _memset.LIBCMT ref: 00401E2D
                                              • Part of subcall function 00401DF0: _memset.LIBCMT ref: 00401E41
                                              • Part of subcall function 00401DF0: lstrlenA.KERNEL32(00000001,?,?,?,00000105,00000104,00000000), ref: 00401E61
                                              • Part of subcall function 00401DF0: PathAddBackslashA.SHLWAPI(?,?,?,?,00000105,00000104,00000000), ref: 00401E7F
                                              • Part of subcall function 00401DF0: GetFileAttributesA.KERNELBASE(?,?,?,?,00000105,00000104,00000000), ref: 00401E9E
                                              • Part of subcall function 00401DF0: lstrlenA.KERNEL32(?,?,?,?,00000105,00000104,00000000), ref: 00401EC1
                                            • PathAddBackslashA.SHLWAPI(?), ref: 00403A6B
                                            • GetPrivateProfileStringA.KERNEL32(uninstall_info,IdString,error,?,00000104,?), ref: 00403A8D
                                            • lstrcmpA.KERNEL32(?,error), ref: 00403A9B
                                            • lstrlenA.KERNEL32(?), ref: 00403AB0
                                            • PathQuoteSpacesA.SHLWAPI(?), ref: 00403AEA
                                              • Part of subcall function 00407552: lstrlenA.KERNEL32(80000002,error,00000105,?,?,?,00404AA9,80000002), ref: 0040757C
                                              • Part of subcall function 00407552: RegCreateKeyExA.ADVAPI32(?,00000001,00000000,00000000,00000000,00020006,00000000,000000FF,?,error,00000105,?,?,?,00404AA9,80000002), ref: 004075A5
                                              • Part of subcall function 00407552: RegSetValueExA.ADVAPI32(000000FF,?,00000000,?,80000002,00000004,?,?,?,00404AA9,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,?,00000001,?,000000FF), ref: 004075BD
                                              • Part of subcall function 00407552: RegCloseKey.ADVAPI32(000000FF,?,?,?,00404AA9,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,?,00000001,?,000000FF), ref: 004075CD
                                            • SHDeleteKeyA.SHLWAPI(80000002,?), ref: 00403B31
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$Pathlstrlen$File$BackslashModule$AttributesCloseCreateDeleteHandleNamePrivateProfileQuoteRemoveSpacesSpecStringValuelstrcmp
                                            • String ID: /Uninstall$%s\%s$IdString$QuietUninstallString$Software\Microsoft\Windows\CurrentVersion\Uninstall$error$uninstall_info
                                            • API String ID: 2490439034-4171124760
                                            • Opcode ID: 7e8024ad0ae766794cafc980c0f0af2568d49ff5cc8efa20553f99c0c24b0c84
                                            • Instruction ID: 9f9584e6e529447698f635314d340ce8cc71084e229dba350f9e7d7607c627e3
                                            • Opcode Fuzzy Hash: 7e8024ad0ae766794cafc980c0f0af2568d49ff5cc8efa20553f99c0c24b0c84
                                            • Instruction Fuzzy Hash: 07411EB250119CAFDB30DFA49C85FDB3BACAF49304F14402EBA59D6091DA789708CB79
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00401746
                                            • _memset.LIBCMT ref: 0040175A
                                            • _memset.LIBCMT ref: 00401768
                                            • GetPrivateProfileStringA.KERNEL32(Global,CompanyDirectory,Acceleration Software,?,00000105,00000001), ref: 00401792
                                            • GetPrivateProfileStringA.KERNEL32(Global,Directory,Acceleration Software,?,00000105,?), ref: 004017AA
                                            • GetPrivateProfileStringA.KERNEL32(Global,BaseDirDescrip,ProgramFilesDir,?,00000105,?), ref: 004017BF
                                            • SHGetValueA.SHLWAPI(80000002,Software\Microsoft\Windows\CurrentVersion,?,?,?,?,?,?,?,?,?,?,75B07390,00000104,74DF0440), ref: 004017E9
                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,?,75B07390,00000104,74DF0440), ref: 004017FA
                                            • PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,?,75B07390,00000104,74DF0440), ref: 0040180D
                                            • PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,?,75B07390,00000104,74DF0440), ref: 00401822
                                            • PathRemoveBackslashA.SHLWAPI(?,?,?,?,?,?,?,75B07390,00000104,74DF0440), ref: 00401837
                                            Similarity
                                            • API ID: BackslashPathPrivateProfileString_memset$RemoveValuelstrlen
                                            • String ID: Acceleration Software$BaseDirDescrip$CompanyDirectory$Directory$Global$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                            • API String ID: 257741862-3401246660
                                            • Opcode ID: 50e4f7c3efd5a3e18de428b296a4c9590caae8b55b73d3d0cf52d9d67a607cee
                                            • Instruction ID: dd3ca55fe86ec437056e996f2a9141ac13f46e476412f9575a0050ca0d0a54e5
                                            • Opcode Fuzzy Hash: 50e4f7c3efd5a3e18de428b296a4c9590caae8b55b73d3d0cf52d9d67a607cee
                                            • Instruction Fuzzy Hash: F3411C7290115DAFEB20DFA5CC84EEE7BBCEF49308F10402EB949A7152DA745A458F24
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00404E12
                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000001,00000104,00000000), ref: 00404E20
                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00404E27
                                            • PathFindFileNameA.SHLWAPI(?), ref: 00404E31
                                            • StrStrIA.SHLWAPI(00000000,uninst), ref: 00404E40
                                            • _memset.LIBCMT ref: 00404E6D
                                            • _memset.LIBCMT ref: 00404E81
                                            • LoadStringA.USER32(00001388,?,00000104), ref: 00404EA2
                                            • LoadStringA.USER32(00001389,?,00000104), ref: 00404EB7
                                            • MessageBoxA.USER32(00000000,?,?,00040104), ref: 00404ECD
                                              • Part of subcall function 004048AA: _memset.LIBCMT ref: 004048E1
                                              • Part of subcall function 004048AA: _memset.LIBCMT ref: 004048F5
                                              • Part of subcall function 004048AA: _memset.LIBCMT ref: 00404909
                                              • Part of subcall function 004048AA: _memset.LIBCMT ref: 0040491D
                                              • Part of subcall function 004048AA: _memset.LIBCMT ref: 00404931
                                              • Part of subcall function 004048AA: _memset.LIBCMT ref: 0040493F
                                              • Part of subcall function 004048AA: GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 00404957
                                              • Part of subcall function 004048AA: GetModuleFileNameA.KERNEL32(00000000), ref: 0040495E
                                              • Part of subcall function 004048AA: PathRemoveFileSpecA.SHLWAPI(?), ref: 0040498A
                                            Similarity
                                            • API ID: _memset$FileModule$Name$HandleLoadPathString$FindMessageRemoveSpec
                                            • String ID: uninst
                                            • API String ID: 2007739985-2603758926
                                            • Opcode ID: f0ec2b5791b575a256e8dce8f08b1734d663f00ca91e0a3b7ed22e51201da61a
                                            • Instruction ID: 2c06ef2af2c7db6362f4f80dd6fa03da7d16874bbe9e57231d65b119abfbd477
                                            • Opcode Fuzzy Hash: f0ec2b5791b575a256e8dce8f08b1734d663f00ca91e0a3b7ed22e51201da61a
                                            • Instruction Fuzzy Hash: B33121B150114CAFDB21EF65DC84EDE7BACEF49308F10042AFA49E7152DA749A04CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0040778A: _memset.LIBCMT ref: 004077AD
                                              • Part of subcall function 0040778A: GetVersionExA.KERNEL32(?,?,?,75B07390), ref: 004077C6
                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403086
                                            • OpenProcessToken.ADVAPI32(00000000), ref: 0040308D
                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004030A1
                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004030BC
                                            • GetLastError.KERNEL32 ref: 004030C2
                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 004030D2
                                            Similarity
                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueVersionWindows_memset
                                            • String ID: SeShutdownPrivilege
                                            • API String ID: 712148179-3733053543
                                            • Opcode ID: 5506d6d50005395b1ef902503cbdfc0e6a70092605645d44820f8b388595b75b
                                            • Instruction ID: 486e1485c657e091e3e5a8f91abbe3481fd44a06be7d793cca3c7adb799eb2b5
                                            • Opcode Fuzzy Hash: 5506d6d50005395b1ef902503cbdfc0e6a70092605645d44820f8b388595b75b
                                            • Instruction Fuzzy Hash: 0C018071A01119BEDB109FA9DD09AEF7FBCEF49741F11443AF905E1090DB749A0486B6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • IsDebuggerPresent.KERNEL32 ref: 00409A7B
                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00409A90
                                            • UnhandledExceptionFilter.KERNEL32(A), ref: 00409A9B
                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00409AB7
                                            • TerminateProcess.KERNEL32(00000000), ref: 00409ABE
                                            Similarity
                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                            • String ID: A
                                            • API String ID: 2579439406-2078354741
                                            • Opcode ID: 8812cc9efefe90e0f7d44d7ffa662c0fb7deba7cc69d764d3869c0048ddcb45d
                                            • Instruction ID: c8a28ce5ea06bba423c8da8662dfd8159ed9a86ed6a9a8dcc78e4623088adffb
                                            • Opcode Fuzzy Hash: 8812cc9efefe90e0f7d44d7ffa662c0fb7deba7cc69d764d3869c0048ddcb45d
                                            • Instruction Fuzzy Hash: B421A0B8900214AFD704DF96FD446C47BA6BB18308F90D43AE808972A1EBB499818F0D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00407B2F
                                            • _memset.LIBCMT ref: 00407B43
                                            • _memset.LIBCMT ref: 00407B57
                                            • _memset.LIBCMT ref: 00407B6B
                                            • _memset.LIBCMT ref: 00407B7D
                                            • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00407B9A
                                            • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00407BAC
                                              • Part of subcall function 0040778A: _memset.LIBCMT ref: 004077AD
                                              • Part of subcall function 0040778A: GetVersionExA.KERNEL32(?,?,?,75B07390), ref: 004077C6
                                            • SetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407BDA
                                            • GetWindowsDirectoryA.KERNEL32(?,00000103,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407BE8
                                            • PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00407BF5
                                            • lstrcatA.KERNEL32(?,WinInit.ini,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C07
                                            • CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 00407C24
                                            • GetLastError.KERNEL32(74DF3310,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00407C37
                                            • lstrcpyA.KERNEL32(?,[rename],?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C56
                                            • lstrlenA.KERNEL32(?,?,00000000), ref: 00407C64
                                            • WriteFile.KERNEL32(?,?,00000000), ref: 00407C75
                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00407C82
                                            • lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C92
                                            • GetShortPathNameA.KERNEL32(?,?,00000103), ref: 00407C9F
                                            • lstrcmpiA.KERNEL32(?,NUL), ref: 00407CAD
                                            • GetShortPathNameA.KERNEL32(?,?,00000103), ref: 00407CC2
                                            • PathFindFileNameA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00407CCF
                                            • lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407CE2
                                            • PathRemoveFileSpecA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00407CEB
                                            • GetShortPathNameA.KERNEL32(?,?,00000103), ref: 00407CFA
                                            • PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00407D07
                                            • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407D17
                                            • lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407D23
                                            • wsprintfA.USER32 ref: 00407D3C
                                            • lstrlenA.KERNEL32(?,?,00000000), ref: 00407D4E
                                            • WriteFile.KERNEL32(?,?,00000000), ref: 00407D5C
                                            • CloseHandle.KERNEL32(?), ref: 00407D6D
                                            Similarity
                                            • API ID: File$Path$_memset$Namelstrcpy$AttributesShort$BackslashWritelstrcatlstrlen$CloseCreateDirectoryErrorFindHandleLastPointerRemoveSpecVersionWindowslstrcmpiwsprintf
                                            • String ID: %s=%s$NUL$WinInit.ini$[rename]
                                            • API String ID: 2020514884-395712714
                                            • Opcode ID: de21f0206bb2e260b3ae76a67c69d2e885d2640b3505a6672d6b15bab2a59477
                                            • Instruction ID: 592fea8a6683acdd30d39a3f98a99f3f6c041717311628e79383353775d94506
                                            • Opcode Fuzzy Hash: de21f0206bb2e260b3ae76a67c69d2e885d2640b3505a6672d6b15bab2a59477
                                            • Instruction Fuzzy Hash: AA71E9B290014CAFDF319FA4DC88EEE7BBCAF09305F10462EB555E6151DA349A48CF29
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 0040275C
                                            • lstrcpynA.KERNEL32(00000000,?,00000105), ref: 00402771
                                            • lstrcmpA.KERNEL32(00000000,error), ref: 00402783
                                            • StrStrIA.SHLWAPI(00000000,InstallDir), ref: 004027A6
                                            • StrStrIA.SHLWAPI(00000000,ProgramFilesDir), ref: 004027D0
                                            • StrStrIA.SHLWAPI(00000000,CommonFilesDir), ref: 004027E3
                                            • lstrlenA.KERNEL32(?,80000002,Software\Microsoft\Windows\CurrentVersion,ProgramFilesDir,00000001,?,?), ref: 004028B2
                                            • PathRemoveBackslashA.SHLWAPI(?), ref: 004028BD
                                              • Part of subcall function 00402131: _memset.LIBCMT ref: 00402171
                                              • Part of subcall function 00402131: _memset.LIBCMT ref: 00402185
                                              • Part of subcall function 00402131: _memset.LIBCMT ref: 00402199
                                              • Part of subcall function 00402131: GetPrivateProfileStringA.KERNEL32(Global,CompanyDirectory,Acceleration Software,?,00000104,?), ref: 004021BD
                                              • Part of subcall function 00402131: GetPrivateProfileStringA.KERNEL32(Global,Directory,004185A7,?,00000104,?), ref: 004021D5
                                              • Part of subcall function 00402131: GetPrivateProfileStringA.KERNEL32(Global,BaseDirDescrip,ProgramFilesDir,?,00000104,?), ref: 004021ED
                                              • Part of subcall function 00402131: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,75B07390,?), ref: 004021FC
                                              • Part of subcall function 00402131: lstrcmpiA.KERNEL32(?,TempDir), ref: 00402235
                                              • Part of subcall function 00402131: GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,75B07390,?), ref: 00402241
                                              • Part of subcall function 00402131: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,75B07390,?), ref: 00402248
                                              • Part of subcall function 00402131: PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,?,?,75B07390,?), ref: 00402255
                                            Similarity
                                            • API ID: _memset$PathPrivateProfileStringlstrlen$Backslash$RemoveTemplstrcmplstrcmpilstrcpyn
                                            • String ID: CommonFilesDir$CommonWindowsDir$DRIVERS$DriversDir$InstallDir$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$SystemDir$TempDir$WindowsDir$error
                                            • API String ID: 1166477259-2217540647
                                            • Opcode ID: 86acc3a8c492475bd222960c8198d568144bb3369dd2c24f3d8f4c0393dded31
                                            • Instruction ID: d1cceb889c847425d640cb99ea6b5d83bbfb77d9daccd85a9f001cd17d10562e
                                            • Opcode Fuzzy Hash: 86acc3a8c492475bd222960c8198d568144bb3369dd2c24f3d8f4c0393dded31
                                            • Instruction Fuzzy Hash: 7541863690021DA6DB11AFA09D89FDB3B6CAF19740F14417ABA04B21C0DBB8D9858F79
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 004023AD
                                            • _memset.LIBCMT ref: 004023C1
                                            • _memset.LIBCMT ref: 004023D3
                                            • _memset.LIBCMT ref: 004023E7
                                            • PathRemoveFileSpecA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,00000104,74DE8B60), ref: 0040240D
                                            • PathFindFileNameA.SHLWAPI(?,error,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00402425
                                            • GetPrivateProfileStringA.KERNEL32(copy_fail_routine,00000000), ref: 00402431
                                            • lstrcmpiA.KERNEL32(?,MOVE_ON_REBOOT), ref: 00402443
                                            • PathRemoveFileSpecA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,00000104,74DE8B60), ref: 00402464
                                            • PathFindFileNameA.SHLWAPI(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000104,74DE8B60), ref: 00402472
                                            • GetTempFileNameA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,00000104,74DE8B60), ref: 00402480
                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 0040248E
                                              • Part of subcall function 00407D9F: GetFileAttributesA.KERNEL32(?,00000105,00000104,00000000,00407E1E,?,00000000,00404ABA,?,?,00000000), ref: 00407DB3
                                              • Part of subcall function 00407D9F: GetFileAttributesA.KERNEL32(?), ref: 00407DC7
                                              • Part of subcall function 00407D9F: SetFileAttributesA.KERNEL32(?,00000000), ref: 00407DD2
                                              • Part of subcall function 00407D9F: SetLastError.KERNEL32(00000000), ref: 00407DDA
                                              • Part of subcall function 00407D9F: MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407DE7
                                            • lstrcmpiA.KERNEL32(?,error), ref: 004024C2
                                            • PathRemoveArgsA.SHLWAPI(?), ref: 004025D8
                                            • GetFileAttributesA.KERNEL32(?), ref: 004025E5
                                            Similarity
                                            • API ID: File$Path$Attributes_memset$NameRemove$FindSpeclstrcmpi$ArgsCopyErrorLastMovePrivateProfileStringTemp
                                            • String ID: %s\%s$%s\%s %s %s$MOVE_ON_REBOOT$copy_fail_routine$error$new_copy_fail_routine
                                            • API String ID: 13488158-311005632
                                            • Opcode ID: 5af06584e12ee7f037fa4b175abac99445e7d61af56ba9ebe4ba8d51bab24b54
                                            • Instruction ID: 71d78d68eb3d805e7c531391e5e35d601bdc911b9ab653730ca923715d6e310f
                                            • Opcode Fuzzy Hash: 5af06584e12ee7f037fa4b175abac99445e7d61af56ba9ebe4ba8d51bab24b54
                                            • Instruction Fuzzy Hash: 3B810DB290114CAEDF319FA4DC48EDF3BACEF49304F14052EB909E7191EA79A6448B65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LCMapStringW.KERNEL32(00000000,00000100,00418CA4,00000001,00000000,00000000,00000200,00000000,0040C058,?,?,?,?,00000000,00004000,00000000), ref: 00411703
                                            • GetLastError.KERNEL32 ref: 00411715
                                            • MultiByteToWideChar.KERNEL32(00000200,00000000,?,?,00000000,00000000,00000200,00000000,0040C058,?,?,?,?,00000000,00004000,00000000), ref: 004117A1
                                            • __alloca_probe_16.LIBCMT ref: 004117C6
                                            • _malloc.LIBCMT ref: 004117DA
                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041180D
                                            • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 00411829
                                            • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00411862
                                            • __alloca_probe_16.LIBCMT ref: 00411884
                                            • _malloc.LIBCMT ref: 0041189B
                                            • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 004118C6
                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 004118E9
                                            • __freea.LIBCMT ref: 004118F3
                                            • __freea.LIBCMT ref: 004118FC
                                            • ___ansicp.LIBCMT ref: 0041192D
                                            • ___convertcp.LIBCMT ref: 00411958
                                            • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,00000200,00000000,0040C058,?,?,?,?), ref: 00411979
                                            • __alloca_probe_16.LIBCMT ref: 0041199A
                                            • _malloc.LIBCMT ref: 004119B1
                                            • _memset.LIBCMT ref: 004119D3
                                            • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,00000200,00000000,0040C058,?), ref: 004119EB
                                            • ___convertcp.LIBCMT ref: 00411A09
                                            • __freea.LIBCMT ref: 00411A1E
                                            • LCMapStringA.KERNEL32(?,?,?,?,0040C058,00000000,00000200,00000000,0040C058,?,?,?,?,00000000,00004000,00000000), ref: 00411A38
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: String$ByteCharMultiWide__alloca_probe_16__freea_malloc$___convertcp$ErrorLast___ansicp_memset
                                            • String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_catch.LIBCMT ref: 0040561E
                                            • _memset.LIBCMT ref: 0040564C
                                            • _memset.LIBCMT ref: 0040565B
                                            • _memset.LIBCMT ref: 00405670
                                            • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00405681
                                            • PathAppendA.SHLWAPI(00000000,wininit.ini), ref: 00405699
                                            • GetShortPathNameA.KERNEL32(00000000,00000000,00000104), ref: 004056A4
                                            • PathFileExistsA.SHLWAPI(00000000), ref: 004056B1
                                              • Part of subcall function 0040481E: _fopen_s.LIBCMT ref: 00404841
                                              • Part of subcall function 00404C21: char_traits.LIBCPMT ref: 00404C46
                                            • PathAppendA.SHLWAPI(00000000,-00000004,?,?,?,?,?,00000001,00000000,00000000), ref: 00405764
                                            • GetShortPathNameA.KERNEL32(00000000,00000000,00000104), ref: 0040576F
                                            • PathFindFileNameA.SHLWAPI(00000000), ref: 0040577C
                                            • StrStrIA.SHLWAPI(00000010,00000000), ref: 00405786
                                            • _strrchr.LIBCMT ref: 004057AD
                                            • _strlen.LIBCMT ref: 004057E0
                                            • DeleteFileA.KERNEL32(00000000), ref: 0040580A
                                            • GetLastError.KERNEL32 ref: 0040581A
                                            • GetLastError.KERNEL32 ref: 00405821
                                            • CoTaskMemFree.OLE32(00000000), ref: 00405831
                                            • CoTaskMemFree.OLE32(00000000,00000001,00000000,00000000), ref: 00405852
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: Path$FileName_memset$AppendErrorFreeLastShortTask$DeleteDirectoryExistsFindH_prolog3_catchWindows_fopen_s_strlen_strrchrchar_traits
                                            • String ID: wininit.ini
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _strcpy_s.LIBCMT ref: 0040EB33
                                            • __invoke_watson.LIBCMT ref: 0040EB44
                                            • GetModuleFileNameA.KERNEL32(00000000,0041E8D9,00000104,0040A4E1,00000001,00000214), ref: 0040EB60
                                            • _strcpy_s.LIBCMT ref: 0040EB75
                                            • __invoke_watson.LIBCMT ref: 0040EB88
                                            • _strlen.LIBCMT ref: 0040EB91
                                            • _strlen.LIBCMT ref: 0040EB9E
                                            • __invoke_watson.LIBCMT ref: 0040EBCB
                                            • _strcat_s.LIBCMT ref: 0040EBDE
                                            • __invoke_watson.LIBCMT ref: 0040EBEF
                                            • _strcat_s.LIBCMT ref: 0040EC00
                                            • __invoke_watson.LIBCMT ref: 0040EC11
                                            • GetStdHandle.KERNEL32(000000F4,00000001,00000001,00000000,76ED5E70,00000003,0040EC93,000000FC,0040A08A,00000001,00000000,00000000,?,004101BE,0040A4E1,00000001), ref: 0040EC30
                                            • _strlen.LIBCMT ref: 0040EC51
                                            • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,004101BE,0040A4E1,00000001,00000001,0040F54E,00000018,0041B2D8,0000000C,0040F5DD,00000001), ref: 0040EC5B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00409832), ref: 0040A66E
                                            • __mtterm.LIBCMT ref: 0040A67A
                                              • Part of subcall function 0040A3BC: TlsFree.KERNEL32(0000001A,0040A7E7), ref: 0040A3E7
                                              • Part of subcall function 0040A3BC: DeleteCriticalSection.KERNEL32(00000000,00000000,74DEDFB0,00000001,0040A7E7), ref: 0040F4B2
                                              • Part of subcall function 0040A3BC: DeleteCriticalSection.KERNEL32(0000001A,74DEDFB0,00000001,0040A7E7), ref: 0040F4DC
                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0040A690
                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0040A69D
                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0040A6AA
                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0040A6B7
                                            • TlsAlloc.KERNEL32 ref: 0040A707
                                            • TlsSetValue.KERNEL32(00000000), ref: 0040A722
                                            • __init_pointers.LIBCMT ref: 0040A72C
                                            • __calloc_crt.LIBCMT ref: 0040A7A1
                                            • GetCurrentThreadId.KERNEL32 ref: 0040A7D1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 0040632E
                                            • _memset.LIBCMT ref: 00406358
                                            • _memset.LIBCMT ref: 0040636E
                                            • _memset.LIBCMT ref: 0040637E
                                            • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,0000002C), ref: 0040638D
                                            • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,0000002C), ref: 004063A8
                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 00406417
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0000002C), ref: 00406421
                                            • PathFindFileNameA.SHLWAPI(?,?,?,?,?,?,?,?,?,0000002C), ref: 00406428
                                            • PathFindExtensionA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,0000002C), ref: 00406443
                                            • PathRemoveExtensionA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,0000002C), ref: 0040645B
                                            • PathRemoveFileSpecA.SHLWAPI(?,?,?,?,?,?,?,?,?,0000002C), ref: 00406462
                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,0000002C), ref: 0040646F
                                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004064BA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: File$Path$_memset$AttributesCopyExtensionFindRemove$ErrorH_prolog3LastNameSpeclstrlen
                                            • String ID: %s\%s%i%s
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_catch.LIBCMT ref: 004058A4
                                            • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 004058D9
                                            • PathFindFileNameA.SHLWAPI(00000000,?,00000104), ref: 004058DF
                                            • _memset.LIBCMT ref: 004058FB
                                            • GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000104), ref: 0040590B
                                            • PathAppendA.SHLWAPI(?,wininit.ini,?,?,00000104), ref: 0040591D
                                            • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 0040592C
                                            • PathFileExistsA.SHLWAPI(?,?,?,00000104), ref: 00405935
                                            • StrStrIA.SHLWAPI(00000001,?,00000001,00000000,?,?,?,00000104), ref: 00405989
                                            • _strrchr.LIBCMT ref: 004059B6
                                            • _fopen_s.LIBCMT ref: 00405A0E
                                            • _com_raise_error.COMSUPP ref: 00405A21
                                              • Part of subcall function 00413760: __CxxThrowException@8.LIBCMT ref: 0041378D
                                            • CoTaskMemFree.OLE32(00000001,00000001,00000000,?,?,?,00000104), ref: 00405A44
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: Path$Name$FileShort$AppendDirectoryException@8ExistsFindFreeH_prolog3_catchTaskThrowWindows_com_raise_error_fopen_s_memset_strrchr
                                            • String ID: wininit.ini
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00401FEA
                                            • _memset.LIBCMT ref: 00402000
                                            • lstrlenA.KERNEL32(?), ref: 0040202B
                                            • PathRemoveExtensionA.SHLWAPI(00000000), ref: 00402051
                                            • GetFileAttributesA.KERNEL32(00000000), ref: 00402070
                                            • lstrlenA.KERNEL32(00000000), ref: 00402082
                                            • GetPrivateProfileStringA.KERNEL32(Global,Signature,error,00000000,00000104,00000000), ref: 004020BF
                                            • lstrcmpA.KERNEL32(00000000,EAC), ref: 004020D1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memsetlstrlen$AttributesExtensionFilePathPrivateProfileRemoveStringlstrcmp
                                            • String ID: .ini$EAC$Global$Signature$error
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,0041E8C0,0040EC29,0041E8C0,Microsoft Visual C++ Runtime Library,00012010), ref: 004126B0
                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004126CC
                                              • Part of subcall function 0040A29C: TlsGetValue.KERNEL32(00000000,0040A311,00000000,00412691,00000000,00000000,00000314,?,?,?,0041E8C0,0040EC29,0041E8C0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040A2A9
                                              • Part of subcall function 0040A29C: TlsGetValue.KERNEL32(00000005,?,?,?,0041E8C0,0040EC29,0041E8C0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040A2C0
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004126E9
                                              • Part of subcall function 0040A29C: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0041E8C0,0040EC29,0041E8C0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040A2D5
                                              • Part of subcall function 0040A29C: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0040A2F0
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004126FE
                                            • __invoke_watson.LIBCMT ref: 0041271F
                                              • Part of subcall function 004083DE: _memset.LIBCMT ref: 0040846A
                                              • Part of subcall function 004083DE: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 00408488
                                              • Part of subcall function 004083DE: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 00408492
                                              • Part of subcall function 004083DE: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0040849C
                                              • Part of subcall function 004083DE: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 004084B7
                                              • Part of subcall function 004083DE: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 004084BE
                                              • Part of subcall function 0040A313: TlsGetValue.KERNEL32(00000000,0040A3A8), ref: 0040A320
                                              • Part of subcall function 0040A313: TlsGetValue.KERNEL32(00000005), ref: 0040A337
                                              • Part of subcall function 0040A313: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 0040A34C
                                              • Part of subcall function 0040A313: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040A367
                                            • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00412733
                                            • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0041274B
                                            • __invoke_watson.LIBCMT ref: 004127BE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
                                            • String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileAttributesA.KERNEL32(?,00000000), ref: 0040112A
                                            • GetFullPathNameA.KERNEL32(?,00000104,?,00000000), ref: 0040114F
                                            • SetLastError.KERNEL32(0000006F), ref: 00401165
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: AttributesErrorFileFullLastNamePath
                                            • String ID:
                                            • API String ID: 1971955501-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00401545
                                            • GetFileAttributesA.KERNEL32(?,00000105,00000104,?,?,00000000), ref: 00401584
                                            • GetFileAttributesA.KERNEL32(?,?,?,00000000), ref: 004015D6
                                            • LoadLibraryA.KERNEL32(?,?,?,00000000), ref: 004015E1
                                            • GetProcAddress.KERNEL32(00000000,CheckSysAndDisplayErrors), ref: 004015F5
                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00401618
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: AttributesFileLibrary$AddressFreeLoadProc_memset
                                            • String ID: -u$CheckSysAndDisplayErrors$\syscheck.dll$\syscheck.exe
                                            • API String ID: 968391183-3645879304
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 0040266B
                                            • RegCreateKeyExA.ADVAPI32(80000000,?,00000000,00000000,00000000,00020019,00000000,?,00000000,?,?,?,?,error,00000104,?), ref: 004026A3
                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,error,00000104,?), ref: 004026AC
                                            • RegCreateKeyExA.ADVAPI32(80000000,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 004026DE
                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,error,00000104,?), ref: 004026E7
                                            • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,error,00000104), ref: 004026F8
                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,error,00000104,?), ref: 00402701
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: CloseCreate$Value_memsetlstrlen
                                            • String ID: CLSID\%s$CLSID\%s\LocalServer32$error
                                            • API String ID: 2289204366-3900801136
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,0041AF60,0000000C,0040A50A,00000000,00000000), ref: 0040A40A
                                            • GetProcAddress.KERNEL32(?,EncodePointer), ref: 0040A43E
                                            • GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040A44E
                                            • InterlockedIncrement.KERNEL32(0041D660), ref: 0040A470
                                            • __lock.LIBCMT ref: 0040A478
                                            • ___addlocaleref.LIBCMT ref: 0040A497
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                                            • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                            • API String ID: 1036688887-2843748187
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00402FDA
                                            • GetPrivateProfileStringA.KERNEL32(system_requirements,programtitle,Restart Now?,?,00000105,?), ref: 0040301A
                                            • SetWindowTextA.USER32(?,?), ref: 00403028
                                            • EndDialog.USER32(?,00000007), ref: 00403033
                                            • EndDialog.USER32(?,00000007), ref: 0040303E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: Dialog$PrivateProfileStringTextWindow_memset
                                            • String ID: Restart Now?$programtitle$system_requirements
                                            • API String ID: 3102295792-1235489334
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: __sopen_s
                                            • String ID: $UNICODE$UTF-16LE$UTF-8$ccs=
                                            • API String ID: 2693426323-1656882147
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • getSystemCP.LIBCMT ref: 0040D451
                                              • Part of subcall function 0040D3BE: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040D3CB
                                              • Part of subcall function 0040D3BE: GetOEMCP.KERNEL32(00000000), ref: 0040D3E5
                                            • setSBCS.LIBCMT ref: 0040D463
                                              • Part of subcall function 0040D13B: _memset.LIBCMT ref: 0040D14E
                                            • IsValidCodePage.KERNEL32(-00000030), ref: 0040D4A9
                                            • GetCPInfo.KERNEL32(00000000,?), ref: 0040D4BC
                                            • _memset.LIBCMT ref: 0040D4D4
                                            • setSBUpLow.LIBCMT ref: 0040D5A7
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
                                            • String ID:
                                            • API String ID: 2658552758-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0040A313: TlsGetValue.KERNEL32(00000000,0040A3A8), ref: 0040A320
                                              • Part of subcall function 0040A313: TlsGetValue.KERNEL32(00000005), ref: 0040A337
                                              • Part of subcall function 0040A313: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 0040A34C
                                              • Part of subcall function 0040A313: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040A367
                                            • __msize.LIBCMT ref: 0040A826
                                            • __realloc_crt.LIBCMT ref: 0040A848
                                            • __realloc_crt.LIBCMT ref: 0040A85F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: Value__realloc_crt$AddressHandleModuleProc__msize
                                            • String ID: +zA$y7@$y7@
                                            • API String ID: 1847301476-827565936
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileAttributesA.KERNEL32(?,00000105,00000104,00000000,00407E1E,?,00000000,00404ABA,?,?,00000000), ref: 00407DB3
                                              • Part of subcall function 0040778A: _memset.LIBCMT ref: 004077AD
                                              • Part of subcall function 0040778A: GetVersionExA.KERNEL32(?,?,?,75B07390), ref: 004077C6
                                            • GetFileAttributesA.KERNEL32(?), ref: 00407DC7
                                            • SetFileAttributesA.KERNEL32(?,00000000), ref: 00407DD2
                                            • SetLastError.KERNEL32(00000000), ref: 00407DDA
                                            • MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407DE7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: File$Attributes$ErrorLastMoveVersion_memset
                                            • String ID: NUL
                                            • API String ID: 3555061316-1038343538
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • TlsGetValue.KERNEL32(00000000,0040A311,00000000,00412691,00000000,00000000,00000314,?,?,?,0041E8C0,0040EC29,0041E8C0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040A2A9
                                            • TlsGetValue.KERNEL32(00000005,?,?,?,0041E8C0,0040EC29,0041E8C0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040A2C0
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0041E8C0,0040EC29,0041E8C0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040A2D5
                                            • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0040A2F0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: Value$AddressHandleModuleProc
                                            • String ID: EncodePointer$KERNEL32.DLL
                                            • API String ID: 1929421221-3682587211
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • TlsGetValue.KERNEL32(00000000,0040A3A8), ref: 0040A320
                                            • TlsGetValue.KERNEL32(00000005), ref: 0040A337
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 0040A34C
                                            • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040A367
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: Value$AddressHandleModuleProc
                                            • String ID: DecodePointer$KERNEL32.DLL
                                            • API String ID: 1929421221-629428536
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: _memset$__filbuf__read_memcpy_s
                                            • String ID:
                                            • API String ID: 1366226143-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00403640
                                            • PathRemoveFileSpecA.SHLWAPI(?,?,00000000,?), ref: 0040366B
                                            • PathAddBackslashA.SHLWAPI(?,?,00000000,?), ref: 00403675
                                              • Part of subcall function 0040355D: _memset.LIBCMT ref: 004035A7
                                              • Part of subcall function 0040355D: FindFirstFileA.KERNELBASE(?,?,?,00000104,?), ref: 004035B8
                                              • Part of subcall function 0040355D: FindClose.KERNEL32(00000000), ref: 004035C4
                                              • Part of subcall function 0040355D: FileTimeToSystemTime.KERNEL32(?,?), ref: 004035DE
                                            • CompareFileTime.KERNEL32(?,?,?,?,?,?,?,00000000,?), ref: 004036B4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: File$Time$FindPath_memset$BackslashCloseCompareFirstRemoveSpecSystem
                                            • String ID: eac_install00.dat
                                            • API String ID: 1616114747-714774003
                                            • Opcode ID: f96a73dd1e6ee7a2fa48b4aacf916cf041b15fa8677c835632e38135ae90c523
                                            • Instruction ID: d1cebf3e9aa2a93bd3d7d5ba6975c620b894d82176cb1098a438983f6aeaac2b
                                            • Opcode Fuzzy Hash: f96a73dd1e6ee7a2fa48b4aacf916cf041b15fa8677c835632e38135ae90c523
                                            • Instruction Fuzzy Hash: F5215E72D1021CABDB20DFE5DC85EEFBBBCEF49305F10442AE519E7152DA3896088B65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenA.KERNEL32(80000002,error,00000105,?,?,?,00404AA9,80000002), ref: 0040757C
                                            • RegCreateKeyExA.ADVAPI32(?,00000001,00000000,00000000,00000000,00020006,00000000,000000FF,?,error,00000105,?,?,?,00404AA9,80000002), ref: 004075A5
                                            • RegSetValueExA.ADVAPI32(000000FF,?,00000000,?,80000002,00000004,?,?,?,00404AA9,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,?,00000001,?,000000FF), ref: 004075BD
                                            • RegCloseKey.ADVAPI32(000000FF,?,?,?,00404AA9,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,?,00000001,?,000000FF), ref: 004075CD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: CloseCreateValuelstrlen
                                            • String ID: error
                                            • API String ID: 1356686001-1574812785
                                            • Opcode ID: b3163a875de753ae435fa86d50863f45bc4299530e1d4a142e5517da184f241b
                                            • Instruction ID: bbe38ebfc4e9c58ef7efcf9aa3ac2f7124019c6751d911e0b9a7f8db00982c1c
                                            • Opcode Fuzzy Hash: b3163a875de753ae435fa86d50863f45bc4299530e1d4a142e5517da184f241b
                                            • Instruction Fuzzy Hash: 96115A32900158FBCF218F46DC09DDFBFB9EB85750B10803AF901A2560D7359E51DBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00401D8D
                                            • LoadStringA.USER32(?,00000000,00000400), ref: 00401DAB
                                            • MessageBoxA.USER32(00000000,00000000,Error executing setup.exe,00000010), ref: 00401DDD
                                            Strings
                                            • Error executing setup.exe, xrefs: 00401DCF
                                            • Unknown error number %i, xrefs: 00401DBE
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: LoadMessageString_memset
                                            • String ID: Error executing setup.exe$Unknown error number %i
                                            • API String ID: 1494501270-1253222029
                                            • Opcode ID: 87d9551b9cababf7ea0e1b0f821e533abf17ef98206d47e0e88869dafaf7ad64
                                            • Instruction ID: e8c1bb99a6acc748fe39b589b70071da6042f25d9ce1806d880232be770058f1
                                            • Opcode Fuzzy Hash: 87d9551b9cababf7ea0e1b0f821e533abf17ef98206d47e0e88869dafaf7ad64
                                            • Instruction Fuzzy Hash: 96018FF5A40118BBDB109B51DD46FDA7BACDF44348F0000B9FB08B6192EA749A458A5C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(KERNEL32), ref: 004012AF
                                            • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 004012BB
                                            • GetLastError.KERNEL32 ref: 004012D8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: AddressErrorHandleLastModuleProc
                                            • String ID: GetLongPathNameA$KERNEL32
                                            • API String ID: 4275029093-371381169
                                            • Opcode ID: 42d26a5cd04093a8dd397d4c89fa65c99e330619a41ebcc7c32d86aa67920ad2
                                            • Instruction ID: 6f98594ff8ff7039c320272474dbdf829f4dae7705e71ab99ed66e4efdbcbd1d
                                            • Opcode Fuzzy Hash: 42d26a5cd04093a8dd397d4c89fa65c99e330619a41ebcc7c32d86aa67920ad2
                                            • Instruction Fuzzy Hash: 38F06232500258BBCB125F959C0898A7F65EB447A1716803EFD14E2670CB7684509B58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 004135E4
                                            • std::runtime_error::runtime_error.LIBCPMT ref: 00413601
                                              • Part of subcall function 00405395: __EH_prolog3.LIBCMT ref: 0040539C
                                            • __CxxThrowException@8.LIBCMT ref: 00413616
                                              • Part of subcall function 00408591: KiUserExceptionDispatcher.NTDLL(?,?,00408590,?,?,?,?,y7@,00408590,?,0041A8A8,0041E4C8,?,00403779,?), ref: 004085D1
                                            • std::runtime_error::runtime_error.LIBCPMT ref: 00413623
                                              • Part of subcall function 004054CB: __EH_prolog3.LIBCMT ref: 004054D2
                                              • Part of subcall function 004054CB: std::exception::exception.LIBCMT ref: 004054E0
                                            Strings
                                            • invalid string position, xrefs: 004135E9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: H_prolog3$std::runtime_error::runtime_error$DispatcherExceptionException@8ThrowUserstd::exception::exception
                                            • String ID: invalid string position
                                            • API String ID: 2298805047-1799206989
                                            • Opcode ID: ae970cdf2ac7517425dd6275ed360f0c3a00b98781204b9ed3eeab36e1971e99
                                            • Instruction ID: 279048dfc4cc150354e13ec762c7a49dc30c7e74bd90bbb2652002b24ee50ee8
                                            • Opcode Fuzzy Hash: ae970cdf2ac7517425dd6275ed360f0c3a00b98781204b9ed3eeab36e1971e99
                                            • Instruction Fuzzy Hash: 97E0307165061C96C700EBD1CC41BCEB778EF04364F14442FFA84B6185DBBC9A948B69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNEL32(00000000,00000104,00406504,00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,?,0000002C), ref: 00407EEA
                                            • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00407F04
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0000002C), ref: 00407F0E
                                            • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,0000002C), ref: 00407F17
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: Library$AddressErrorFreeLastLoadProc
                                            • String ID: DllRegisterServer
                                            • API String ID: 2540614322-1663957109
                                            • Opcode ID: 0940d2d99b9d8f3d66ff56074ea85c9424eb34b2f1528f4e60402ac9d1cf6f4a
                                            • Instruction ID: a0d6930694ef00655e4d5e9b9bce9dbff4e8e55e949e8addd81606fa60cb4a16
                                            • Opcode Fuzzy Hash: 0940d2d99b9d8f3d66ff56074ea85c9424eb34b2f1528f4e60402ac9d1cf6f4a
                                            • Instruction Fuzzy Hash: BFE04836605515DB82111735BC089DB3E25ABC83D1303813AFC41D2210DF34484646AD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __lock.LIBCMT ref: 0040C123
                                              • Part of subcall function 0040F5C4: __mtinitlocknum.LIBCMT ref: 0040F5D8
                                              • Part of subcall function 0040F5C4: __amsg_exit.LIBCMT ref: 0040F5E4
                                              • Part of subcall function 0040F5C4: EnterCriticalSection.KERNEL32(?,?,?,00412A17,00000004,0041B418,0000000C,00410204,00000000,00000000,00000000,00000000,00000000,0040A4E1,00000001,00000214), ref: 0040F5EC
                                            • __mtinitlocknum.LIBCMT ref: 0040C163
                                            • __malloc_crt.LIBCMT ref: 0040C1A7
                                            • ___crtInitCritSecAndSpinCount.LIBCMT ref: 0040C1CC
                                            • EnterCriticalSection.KERNEL32(?,0041B098,00000010,00408B05,0041AE98,0000000C,00408BA9,00000010,00000010,00000080,?,?,00404846,00000000,?,0041890C), ref: 0040C1F6
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: CriticalEnterSection__mtinitlocknum$CountCritInitSpin___crt__amsg_exit__lock__malloc_crt
                                            • String ID:
                                            • API String ID: 1486408876-0
                                            • Opcode ID: 7760e9b40378590f3b7a5dc80c198cc702badf3f9fc2a12348bd27aa9592018a
                                            • Instruction ID: 5a21c710c175c4b070aeb5bb8cebd3b8cebdcf64ff81a8bbfbd04fb58df932eb
                                            • Opcode Fuzzy Hash: 7760e9b40378590f3b7a5dc80c198cc702badf3f9fc2a12348bd27aa9592018a
                                            • Instruction Fuzzy Hash: AC317071A00701DFD721DF99D8C1A5AB7E4FF09314B50827FE456AB6E2CB38A8429F48
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __lock.LIBCMT ref: 00409952
                                              • Part of subcall function 0040F5C4: __mtinitlocknum.LIBCMT ref: 0040F5D8
                                              • Part of subcall function 0040F5C4: __amsg_exit.LIBCMT ref: 0040F5E4
                                              • Part of subcall function 0040F5C4: EnterCriticalSection.KERNEL32(?,?,?,00412A17,00000004,0041B418,0000000C,00410204,00000000,00000000,00000000,00000000,00000000,0040A4E1,00000001,00000214), ref: 0040F5EC
                                            • ___sbh_find_block.LIBCMT ref: 0040995D
                                            • ___sbh_free_block.LIBCMT ref: 0040996C
                                            • HeapFree.KERNEL32(00000000,00000001,0041AF00,0000000C,0040F5A5,00000000,0041B2D8,0000000C,0040F5DD,00000001,?,?,00412A17,00000004,0041B418,0000000C), ref: 0040999C
                                            • GetLastError.KERNEL32(?,00412A17,00000004,0041B418,0000000C,00410204,00000000,00000000,00000000,00000000,00000000,0040A4E1,00000001,00000214), ref: 004099AD
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                            • String ID:
                                            • API String ID: 2714421763-0
                                            • Opcode ID: 3122bda78c15c39a183310ba0b8db3344087ff55eed2a64cc8024c397b904cfb
                                            • Instruction ID: 9e52b3607a5da962c8f78a22fbd93ca6b30c73409ecef2159d95cc2e7c24749a
                                            • Opcode Fuzzy Hash: 3122bda78c15c39a183310ba0b8db3344087ff55eed2a64cc8024c397b904cfb
                                            • Instruction Fuzzy Hash: 15014F71901215AADB206FB69D0AB9F7A64AF00769F14403FF804B62D2DF7C8D418A9D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ___BuildCatchObject.LIBCMT ref: 0040CA82
                                              • Part of subcall function 0040C9E0: ___BuildCatchObjectHelper.LIBCMT ref: 0040CA16
                                              • Part of subcall function 0040C9E0: ___AdjustPointer.LIBCMT ref: 0040CA2D
                                            • _UnwindNestedFrames.LIBCMT ref: 0040CA99
                                            • ___FrameUnwindToState.LIBCMT ref: 0040CAA7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: BuildCatchObjectUnwind$AdjustFrameFramesHelperNestedPointerState
                                            • String ID: csm
                                            • API String ID: 11809540-1018135373
                                            • Opcode ID: 8933ba6695949f6c87b844ca8cfe2331bd121e12e385681c0e0282bdde5f46b8
                                            • Instruction ID: 58c7b117dc29f888173f2ccae00dae6ccb0054f2a4affe2e84e72d9f642cc3ef
                                            • Opcode Fuzzy Hash: 8933ba6695949f6c87b844ca8cfe2331bd121e12e385681c0e0282bdde5f46b8
                                            • Instruction Fuzzy Hash: 4A01EC71100109FBDF129F51CC85EAB7B65EF14344F00412ABD59241A2DB7A9961EBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _malloc.LIBCMT ref: 0040853F
                                              • Part of subcall function 0040A062: __FF_MSGBANNER.LIBCMT ref: 0040A085
                                              • Part of subcall function 0040A062: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,004101BE,0040A4E1,00000001,00000001,0040F54E,00000018,0041B2D8,0000000C,0040F5DD,00000001), ref: 0040A0DA
                                            • std::exception::exception.LIBCMT ref: 00408576
                                            • __CxxThrowException@8.LIBCMT ref: 0040858B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: AllocateException@8HeapThrow_mallocstd::exception::exception
                                            • String ID: y7@
                                            • API String ID: 1264268182-1119513449
                                            • Opcode ID: eb78d8c31acbd08c157fee09ca41378daa376b5266a99a177a14b2b2258ba7d3
                                            • Instruction ID: ebce3a37dedbe9d142c831e02147b4a8276b672d9aaa3b0ca766608de66ebff6
                                            • Opcode Fuzzy Hash: eb78d8c31acbd08c157fee09ca41378daa376b5266a99a177a14b2b2258ba7d3
                                            • Instruction Fuzzy Hash: 57F0823490520876EB04BB62AE07ADE3B689F4031CF10847FEC81711D2DF7D9A55475E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00405476
                                            • std::runtime_error::runtime_error.LIBCPMT ref: 004054A4
                                              • Part of subcall function 00405395: __EH_prolog3.LIBCMT ref: 0040539C
                                            • __CxxThrowException@8.LIBCMT ref: 004054B9
                                              • Part of subcall function 00408591: KiUserExceptionDispatcher.NTDLL(?,?,00408590,?,?,?,?,y7@,00408590,?,0041A8A8,0041E4C8,?,00403779,?), ref: 004085D1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: H_prolog3$DispatcherExceptionException@8ThrowUserstd::runtime_error::runtime_error
                                            • String ID: list<T> too long
                                            • API String ID: 3996501275-4027344264
                                            • Opcode ID: b506f3e36382b9a45d459042f0fa9abaa6195ff565a6ba796c0cb02818c38843
                                            • Instruction ID: ef321b9cc42f9340dfa98f9a3e6dc61f581d61e9261166b5ef163ee75b9c4433
                                            • Opcode Fuzzy Hash: b506f3e36382b9a45d459042f0fa9abaa6195ff565a6ba796c0cb02818c38843
                                            • Instruction Fuzzy Hash: 7DF082B695011C9ACB04EBA4C942ADEB374AF14318F18803EE548BB1C2EB7C9984CB58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(KERNEL32,004139C2), ref: 004145BA
                                            • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004145CA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: IsProcessorFeaturePresent$KERNEL32
                                            • API String ID: 1646373207-3105848591
                                            • Opcode ID: 9979e7087a2d512d2ff48ed78927adb86c83d10f66feea0ee526e1f8654dc37c
                                            • Instruction ID: 57bb63b54ccf9810f5f4fd288898ff22e42868f3011fe68302446bb342f85664
                                            • Opcode Fuzzy Hash: 9979e7087a2d512d2ff48ed78927adb86c83d10f66feea0ee526e1f8654dc37c
                                            • Instruction Fuzzy Hash: 83C08C34380308B3EA202BB02C0DBDA396A6F98F03F25802BB60AD00C0CF9DC191803E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0041234C
                                            • __isleadbyte_l.LIBCMT ref: 00412380
                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,?,?,00000000,?,?,?), ref: 004123B1
                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000,?,?,?), ref: 0041241F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                            • String ID:
                                            • API String ID: 3058430110-0
                                            • Opcode ID: 619c428a12a21999ff43307bd1f41c9be509b9e7cfc08cdbdba3ad0ff2c37777
                                            • Instruction ID: ff457a6b9e9c071a1c3d374e3e3a72a0eecf3a16cb91ff06052b682cb45d77b6
                                            • Opcode Fuzzy Hash: 619c428a12a21999ff43307bd1f41c9be509b9e7cfc08cdbdba3ad0ff2c37777
                                            • Instruction Fuzzy Hash: 7731D531600249EFDB10DFB4C9809EE7BA5BF01311F1485AAE861DB2A1D378DDA0DB59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                            • String ID:
                                            • API String ID: 3016257755-0
                                            • Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                            • Instruction ID: cb0c097dc64245355347171ac825de2652e6f5867446efda59e87f78b7ab2036
                                            • Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                            • Instruction Fuzzy Hash: 6C014B7200014EBBCF125E85CC01CEE3F62BB98355B598416FA2958131D33ACAB2AB96
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0040A52F: __amsg_exit.LIBCMT ref: 0040A53D
                                            • __amsg_exit.LIBCMT ref: 0040D346
                                            • __lock.LIBCMT ref: 0040D356
                                            • InterlockedDecrement.KERNEL32(?), ref: 0040D373
                                            • InterlockedIncrement.KERNEL32(021816B8), ref: 0040D39E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
                                            • String ID:
                                            • API String ID: 4129207761-0
                                            • Opcode ID: a55632511abfa5115b5f6fbb15323e764d8e8b771bc6db6dc93b8adf908f1a6b
                                            • Instruction ID: b692573e4dc0a6ee843a3cb0b16eea976d728e27632a0d22f7e2a0fe09701948
                                            • Opcode Fuzzy Hash: a55632511abfa5115b5f6fbb15323e764d8e8b771bc6db6dc93b8adf908f1a6b
                                            • Instruction Fuzzy Hash: 00016D32D01711ABDB21ABA9A80579E7760AF40725F15413BEC04772D1CB3C6989CBDE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(00000000,?,00409E75,004080F7), ref: 0040A4BA
                                              • Part of subcall function 0040A38A: TlsGetValue.KERNEL32(?,0040A4CD), ref: 0040A391
                                              • Part of subcall function 0040A38A: TlsSetValue.KERNEL32(00000000), ref: 0040A3B2
                                            • __calloc_crt.LIBCMT ref: 0040A4DC
                                              • Part of subcall function 004101F1: __calloc_impl.LIBCMT ref: 004101FF
                                              • Part of subcall function 004101F1: Sleep.KERNEL32(00000000,0040A4E1,00000001,00000214), ref: 00410216
                                              • Part of subcall function 0040A313: TlsGetValue.KERNEL32(00000000,0040A3A8), ref: 0040A320
                                              • Part of subcall function 0040A313: TlsGetValue.KERNEL32(00000005), ref: 0040A337
                                              • Part of subcall function 0040A3F9: GetModuleHandleA.KERNEL32(KERNEL32.DLL,0041AF60,0000000C,0040A50A,00000000,00000000), ref: 0040A40A
                                              • Part of subcall function 0040A3F9: GetProcAddress.KERNEL32(?,EncodePointer), ref: 0040A43E
                                              • Part of subcall function 0040A3F9: GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040A44E
                                              • Part of subcall function 0040A3F9: InterlockedIncrement.KERNEL32(0041D660), ref: 0040A470
                                              • Part of subcall function 0040A3F9: __lock.LIBCMT ref: 0040A478
                                              • Part of subcall function 0040A3F9: ___addlocaleref.LIBCMT ref: 0040A497
                                            • GetCurrentThreadId.KERNEL32 ref: 0040A50C
                                            • SetLastError.KERNEL32(00000000), ref: 0040A524
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1635925866.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.1635911123.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1635982957.000000000041D000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000001.00000002.1636000382.0000000000421000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                            Similarity
                                            • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                                            • String ID:
                                            • API String ID: 1081334783-0
                                            • Opcode ID: c7d445ccb471eccbc93c2b99542b10a3c41593d117e5698293ca4a84227c71f6
                                            • Instruction ID: 432d7031c98cdffc4a6c23630e2ed13ef88448b2c2c7ee7ac733a34a9ff0029f
                                            • Opcode Fuzzy Hash: c7d445ccb471eccbc93c2b99542b10a3c41593d117e5698293ca4a84227c71f6
                                            • Instruction Fuzzy Hash: A4F0A4335017216AC7363B75BC0969A2B50EF457B4711813EF950BA1E1CF3DC951469E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:0.6%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:4.7%
                                            Total number of Nodes:507
                                            Total number of Limit Nodes:38

                                            Control-flow Graph

                                            APIs
                                            • #17.COMCTL32 ref: 00409AEB
                                            • StrStrIA.KERNELBASE(?,004208F4), ref: 00409AFD
                                            • StrStrIA.SHLWAPI(?,004208F8), ref: 00409BE4
                                            • _memset.LIBCMT ref: 00409C15
                                            • _memset.LIBCMT ref: 00409C2B
                                            • _memset.LIBCMT ref: 00409C41
                                            • _memset.LIBCMT ref: 00409C57
                                            • vClnr_initData.VCLNR(Please Wait,0000000B), ref: 00409CBB
                                            • EndDialog.USER32(?,00000000), ref: 00409CCF
                                            • IsWindow.USER32(?), ref: 00409CDD
                                            • Sleep.KERNEL32(000001F4), ref: 00409CEC
                                            • CloseHandle.KERNEL32(?,Please Wait,0000000B), ref: 00409CFE
                                            • vClnr_getText.VCLNR(00000000,Text,Msg,ENU,?,?,Please Wait,0000000B), ref: 00409D39
                                              • Part of subcall function 0040D5A0: RegOpenKeyExA.KERNELBASE ref: 0040D5D8
                                              • Part of subcall function 0040D5A0: RegQueryValueExA.KERNELBASE(?,ProgramFilesDir,00000000,?,?,?), ref: 0040D5FD
                                            • vClnr_getText.VCLNR(00000000,Text,Title,ENU,?,?,00000000,Text,Msg,ENU,?,?,Please Wait,0000000B), ref: 00409D5F
                                            • GetActiveWindow.USER32 ref: 00409DA1
                                            • vClnr_cleanType.VCLNR(00000000,Uninstall,Please Wait), ref: 00409E00
                                            • vClnr_getText.VCLNR(00000000,Text,EndMsg,ENU,?,?,00000000,Text,Title,ENU,?,?,00000000,Text,Msg,ENU), ref: 00409E5D
                                            • vClnr_getText.VCLNR(00000000,Text,EndTitle,ENU,?,?,00000000,Text,EndMsg,ENU,?,?,00000000,Text,Title,ENU), ref: 00409E83
                                            • vClnr_getText.VCLNR(00000000,Text,EndMsgReboot,ENU,?,?,00000000,Text,EndTitle,ENU,?,?,00000000,Text,EndMsg,ENU), ref: 00409EA9
                                              • Part of subcall function 00402770: std::_String_base::_Xlen.LIBCPMT ref: 00402783
                                              • Part of subcall function 0040EB50: PathFileExistsA.KERNELBASE(?,00409B63,?,00000000,000000FF), ref: 0040EB60
                                            • vClnr_getText.VCLNR(00000000,Text,EndTitleReboot,ENU,?,?,00000000,Text,EndMsgReboot,ENU,?,?,00000000,Text,EndTitle,ENU), ref: 00409ECF
                                            • vClnr_unitData.VCLNR(00000000,00000000,Text,EndTitleReboot,ENU,?,?,00000000,Text,EndMsgReboot,ENU,?,?,00000000,Text,EndTitle), ref: 00409ED5
                                            • GetModuleFileNameA.KERNEL32(?,?,00000104,Please Wait,0000000B), ref: 00409EF3
                                            • PathRemoveFileSpecA.SHLWAPI(?), ref: 00409F01
                                            • PathAddBackslashA.SHLWAPI(?), ref: 00409F0F
                                            • lstrcatA.KERNEL32(?,done.), ref: 00409F22
                                            • PathFileExistsA.SHLWAPI(?), ref: 00409F4E
                                            • lstrlenA.KERNEL32(?), ref: 00409F64
                                            • LoadStringA.USER32(?,000003EB,?,00000208), ref: 00409F83
                                            • lstrlenA.KERNEL32(?), ref: 00409F8D
                                            • LoadStringA.USER32(?,000003ED,?,00000208), ref: 00409FA6
                                            • GetActiveWindow.USER32 ref: 00409FDD
                                              • Part of subcall function 00402770: std::_String_base::_Xlen.LIBCPMT ref: 004027BF
                                              • Part of subcall function 00402770: _memcpy_s.LIBCMT ref: 0040282A
                                              • Part of subcall function 0040EBA0: PathFileExistsA.KERNELBASE(?,?,00000000), ref: 0040EC41
                                              • Part of subcall function 0040E9D0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000208,?,0040A109,?), ref: 0040E9E6
                                              • Part of subcall function 0040E9D0: GetFileSize.KERNEL32(00000000,00000000,00000000,?,0040A109,?), ref: 0040E9F6
                                              • Part of subcall function 0040E9D0: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,0040A109,?), ref: 0040EA08
                                              • Part of subcall function 0040E9D0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,0040A109), ref: 0040EA26
                                              • Part of subcall function 0040E9D0: CloseHandle.KERNEL32(00000000,?,0040A109,?), ref: 0040EA37
                                            • GetActiveWindow.USER32 ref: 0040A02D
                                              • Part of subcall function 0040A160: GetCurrentThreadId.KERNEL32 ref: 0040A16F
                                              • Part of subcall function 0040A160: EnterCriticalSection.KERNEL32(004271CC,?,0040A12F,00000000), ref: 0040A17D
                                              • Part of subcall function 0040A160: LeaveCriticalSection.KERNEL32(004271CC,?,0040A12F,00000000), ref: 0040A196
                                              • Part of subcall function 00401680: DeleteObject.GDI32(0040A137), ref: 004016F1
                                              • Part of subcall function 00401680: DestroyIcon.USER32(?,000000FF), ref: 0040170A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Clnr_getText$Path$Window_memset$ActiveExists$CloseCriticalDataHandleLoadSectionStringString_base::_Xlenlstrlenstd::_$AllocBackslashClnr_cleanClnr_initClnr_unitCreateCurrentDeleteDestroyDialogEnterIconLeaveModuleNameObjectOpenQueryReadRemoveSizeSleepSpecThreadTypeValueVirtual_memcpy_slstrcat
                                            • String ID: ENU$EndMsg$EndMsgReboot$EndTitle$EndTitleReboot$Initializing Custom Cure$Msg$Please Wait$Running Custom Cure$Text$Title$Uninstall$\Acceleration Software\Anti-Virus\customcleaner$done.
                                            • API String ID: 1256616221-2942484561
                                            • Opcode ID: 247f10e3c4a9042f6f4319182787e588437b956f6d705b6139bca8fc9e6c7555
                                            • Instruction ID: e81a6c5a5f5efd3b30fdf7aa0beeba71ec4d75fb571970f6325275adb8a70a5c
                                            • Opcode Fuzzy Hash: 247f10e3c4a9042f6f4319182787e588437b956f6d705b6139bca8fc9e6c7555
                                            • Instruction Fuzzy Hash: C0F105B1604300ABD620EF66DC8699F77E8AF84744F404D3FF545A31C2DB7899058BAB
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • CreateFileA.KERNELBASE(00000104,80000000,00000001,00000000,00000003,10000080,00000000,9E6FDE2E,?,74DEE800), ref: 10003767
                                            • GetLastError.KERNEL32(?,74DEE800,?,?,?,?,?,?,?,?,00000000), ref: 1000377D
                                            • ImageEnumerateCertificates.IMAGEHLP(00000000,000000FF,00000000,00000000,00000000,?,74DEE800,?,?,?,?,?,?,?,?,00000000), ref: 100037A2
                                            • GetLastError.KERNEL32(?,74DEE800,?,?,?,?,?,?,?,?,00000000), ref: 100037AC
                                            • ImageGetCertificateHeader.IMAGEHLP(00000000,00000000,?,?,74DEE800), ref: 100037E5
                                            • GetLastError.KERNEL32(?,74DEE800), ref: 100037EF
                                            • ImageGetCertificateData.IMAGEHLP(00000000,00000000,?,?,?,74DEE800), ref: 10003837
                                            • GetLastError.KERNEL32(?,?,?,74DEE800), ref: 10003841
                                            • CryptVerifyMessageSignature.CRYPT32(00000014,00000000,?,?,00000000,?,000000FF), ref: 10003898
                                            • GetLastError.KERNEL32(?,?,00000000,?,000000FF,?,?), ref: 100038A2
                                            • CertGetNameStringA.CRYPT32(000000FF,00000004,00000000,00000000,00000000,00000000), ref: 100038D0
                                            • _memset.LIBCMT ref: 100038F0
                                            • CertGetNameStringA.CRYPT32(000000FF,00000004,00000000,00000000,?,00000000), ref: 10003904
                                            • lstrcmpA.KERNEL32(?,?,?,00000000), ref: 1000390B
                                            • CertFreeCertificateContext.CRYPT32(000000FF,?,?,?,00000000), ref: 10003927
                                            • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 1000393D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ErrorLast$CertCertificateImage$NameString$CertificatesCloseContextCreateCryptDataEnumerateFileFreeHandleHeaderMessageSignatureVerify_memsetlstrcmp
                                            • String ID:
                                            • API String ID: 3232583120-0
                                            • Opcode ID: b6c157c65399d9ce08c25410a0806576e2c3ac6d6cb8903c0ef1bb74dfe24317
                                            • Instruction ID: c789f7966c18d0157c8fad72bd6866a7ac3a70a8e41083e7a5ec7a75f2ae7a8c
                                            • Opcode Fuzzy Hash: b6c157c65399d9ce08c25410a0806576e2c3ac6d6cb8903c0ef1bb74dfe24317
                                            • Instruction Fuzzy Hash: 2A6120B5D40219ABEB21DFA4CC85BDEBBFCEF04750F118529F919F6280DB74A9048B64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00402770: std::_String_base::_Xlen.LIBCPMT ref: 00402783
                                            • PathFileExistsA.KERNELBASE(?,?,00000000), ref: 0040EC41
                                            • FindFirstFileA.KERNELBASE(?,?,\*.*,00000004,?,00000000,000000FF), ref: 0040ECB2
                                            • FindNextFileA.KERNELBASE(00000000,?), ref: 0040ECC0
                                            • GetFileAttributesA.KERNELBASE(?,?,?,00420B8C,00000001,?,00000000,000000FF), ref: 0040ED2F
                                            • DeleteFileA.KERNEL32(?), ref: 0040ED48
                                            • FindNextFileA.KERNELBASE(00000000,?), ref: 0040ED58
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Find$Next$AttributesDeleteExistsFirstPathString_base::_Xlenstd::_
                                            • String ID: \*.*
                                            • API String ID: 2418973547-1173974218
                                            • Opcode ID: 8bf264289b2df936fb37b961c4c46088fecb3c814e7efb03df339498d422de6a
                                            • Instruction ID: 3af262a651f10c0787774060d5c5d8319d009678d48c2326122d886d7e3c8188
                                            • Opcode Fuzzy Hash: 8bf264289b2df936fb37b961c4c46088fecb3c814e7efb03df339498d422de6a
                                            • Instruction Fuzzy Hash: 026169715083809BD720DB66C985A9BF7E8BF99704F404E3FF58592290DB7AD9088B1B
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 100039AB
                                            • _memset.LIBCMT ref: 100039C1
                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100039D8
                                            • PathStripPathA.KERNELBASE(7FFFFFFF,?,00000104,00000104,7FFFFFFF), ref: 10003A1A
                                            • lstrcmpiA.KERNEL32(00000104,regsvr32.exe), ref: 10003A30
                                            • lstrcmpiA.KERNEL32(00000104,setup.exe), ref: 10003A40
                                            • GetVersion.KERNEL32(?,00000104,00000104,7FFFFFFF), ref: 10003A46
                                            • lstrcmpiA.KERNEL32(00000104,consent.exe), ref: 10003A60
                                            • lstrcmpiA.KERNEL32(00000104,dllhost.exe), ref: 10003A70
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: lstrcmpi$Path_memset$FileModuleNameStripVersion
                                            • String ID: consent.exe$dllhost.exe$eAcceleration Corporation$regsvr32.exe$setup.exe
                                            • API String ID: 1337139354-2010927307
                                            • Opcode ID: 8dc72700d29374d41bfb905d2f1105ca3fb0d05df59f70a54f6eaf161fb3ef17
                                            • Instruction ID: 25d5e6f87e1f3e5c1a4a78c0bc74f6fe1f9f9978e2088740d468fc6069f27372
                                            • Opcode Fuzzy Hash: 8dc72700d29374d41bfb905d2f1105ca3fb0d05df59f70a54f6eaf161fb3ef17
                                            • Instruction Fuzzy Hash: C421BB79508301A7E320D7A4CC86FDB77D8EB98740F414919BA98961D5DFB4D184C7B2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • RegOpenKeyExA.KERNELBASE ref: 0040D5D8
                                            • RegQueryValueExA.KERNELBASE(?,ProgramFilesDir,00000000,?,?,?), ref: 0040D5FD
                                            Strings
                                            • ProgramFilesDir, xrefs: 0040D5F7
                                            • Software\Microsoft\Windows\CurrentVersion, xrefs: 0040D5C1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: OpenQueryValue
                                            • String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                            • API String ID: 4153817207-2634093826
                                            • Opcode ID: 886d47e81eefbce30aa0ab217e8da235c53166b59996b723939b566e2a7f73b5
                                            • Instruction ID: 44600e8f5c0706f4398c88b91d9047045949a721ea1488bbd1946677fc2934a4
                                            • Opcode Fuzzy Hash: 886d47e81eefbce30aa0ab217e8da235c53166b59996b723939b566e2a7f73b5
                                            • Instruction Fuzzy Hash: 8A11E3756043055FD328CF25DC46FEB77E8ABC8B04F80483EFA45D7291E67999088666
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000,00410542,00000001), ref: 00412ADF
                                            • HeapDestroy.KERNEL32 ref: 00412B15
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Heap$CreateDestroy
                                            • String ID:
                                            • API String ID: 3296620671-0
                                            • Opcode ID: c1aa5b62f3c4ecf02a7d46bd7972243e8a2ced4354cf522deb3f5ccb1f5840ce
                                            • Instruction ID: 38d7b368f7fea56ed4f06c8e1fcbf4f9ae13f3cf9c9aba956584ebc0f1f334fe
                                            • Opcode Fuzzy Hash: c1aa5b62f3c4ecf02a7d46bd7972243e8a2ced4354cf522deb3f5ccb1f5840ce
                                            • Instruction Fuzzy Hash: 2BE09B317583019BDB259F355E05BAA37E4FB44796F20443AF800C4150E7FC9492D61C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000,100A665C,00000001,?,?,00000001,?,?,100A67DA,00000001,?,?,100ECFA8,0000000C), ref: 100AD05F
                                            • HeapDestroy.KERNEL32(?,?,00000001,?,?,100A67DA,00000001,?,?,100ECFA8,0000000C,100A6894,?), ref: 100AD095
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Heap$CreateDestroy
                                            • String ID:
                                            • API String ID: 3296620671-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 305 411117-411125 call 4110f1 ExitProcess
                                            APIs
                                            • ___crtCorExitProcess.LIBCMT ref: 0041111B
                                              • Part of subcall function 004110F1: GetModuleHandleA.KERNEL32(mscoree.dll,00411120,00000000,0040FBB8,000000FF,0000001E,00000001,00000000,00000000,?,00414001,00000000,00000001,00000000,004129A0,00000018), ref: 004110F6
                                              • Part of subcall function 004110F1: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00411106
                                            • ExitProcess.KERNEL32 ref: 00411125
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ExitProcess$AddressHandleModuleProc___crt
                                            • String ID:
                                            • API String ID: 2427264223-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 308 40eb50-40eb59 309 40eb5b 308->309 310 40eb5f-40eb68 PathFileExistsA 308->310 309->310 311 40eb81-40eb86 310->311 312 40eb6a-40eb6f 310->312 315 40eb95-40eb9a 311->315 316 40eb88-40eb92 call 40f68e 311->316 313 40eb71-40eb7b call 40f68e 312->313 314 40eb7e-40eb80 312->314 313->314 316->315
                                            APIs
                                            • PathFileExistsA.KERNELBASE(?,00409B63,?,00000000,000000FF), ref: 0040EB60
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ExistsFilePath
                                            • String ID:
                                            • API String ID: 1174141254-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 100453F0: _memset.LIBCMT ref: 10045487
                                              • Part of subcall function 100453F0: _memset.LIBCMT ref: 1004549A
                                              • Part of subcall function 100453F0: lstrcpynA.KERNEL32(?,?,00000104,?,9E6FDE2E,00000010,00000001,00000000,00000000), ref: 100454B6
                                              • Part of subcall function 100453F0: StrRChrIA.SHLWAPI(?,00000000,0000005C,?,9E6FDE2E,00000010,00000001,00000000,00000000), ref: 100454C3
                                              • Part of subcall function 100453F0: FindFirstFileA.KERNEL32(?,?,?,9E6FDE2E,00000010,00000001,00000000,00000000), ref: 100454DB
                                              • Part of subcall function 100453F0: FindFirstFileA.KERNEL32(?,?,?,?,?,9E6FDE2E,00000010,00000001,00000000,00000000), ref: 10045502
                                            • _memset.LIBCMT ref: 10045948
                                            • lstrcpynA.KERNEL32(?,?,00000104,00000001,00000000,00000000), ref: 10045964
                                            • PathFindFileNameA.SHLWAPI(?), ref: 1004596E
                                            • _memset.LIBCMT ref: 10045985
                                            • lstrcpynA.KERNEL32(?,00000000,00000104), ref: 1004599B
                                            • PathRemoveFileSpecA.SHLWAPI(?), ref: 100459A5
                                            • _memset.LIBCMT ref: 100459BA
                                            • lstrcpynA.KERNEL32(?,?,00000104), ref: 100459D7
                                            • PathAddBackslashA.SHLWAPI(?), ref: 100459E7
                                            • _memset.LIBCMT ref: 10045A3A
                                            • FindFirstFileA.KERNEL32(?,?,00000104,?,7FFFFFFF), ref: 10045A4F
                                            • FindNextFileA.KERNEL32(00000000,?), ref: 10045A68
                                            • FindNextFileA.KERNEL32(?,?), ref: 10045A78
                                            • _memset.LIBCMT ref: 10045A9F
                                            • lstrcpynA.KERNEL32(?,?,00000104), ref: 10045ABC
                                            • PathAddBackslashA.SHLWAPI(?), ref: 10045AC6
                                            • StrChrA.SHLWAPI(?,0000003F), ref: 10045ACF
                                            • GetFileAttributesA.KERNEL32(?,?,00000104,?,7FFFFFFF), ref: 10045B47
                                            • PathAddBackslashA.SHLWAPI(?), ref: 10045B68
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$_memset$Find$Pathlstrcpyn$BackslashFirst$Next$AttributesNameRemoveSpec
                                            • String ID: *.*
                                            • API String ID: 1921713180-438819550
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 10043AD2
                                            • lstrcpynA.KERNEL32(?,?,00000104,?,00000000,00000000), ref: 10043AE8
                                            • PathAddBackslashA.SHLWAPI(?), ref: 10043AF6
                                            • _memset.LIBCMT ref: 10043B4B
                                            • FindFirstFileA.KERNEL32(?,?,?,?,?,00000104,?,7FFFFFFF), ref: 10043B66
                                            • FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,00000104,?,7FFFFFFF), ref: 10043B93
                                            • FindNextFileA.KERNEL32(00000000,?,?,?,?,00000104,?,7FFFFFFF), ref: 10043BB7
                                            • FindNextFileA.KERNEL32(00000000,?,?,?,?,00000104,?,7FFFFFFF), ref: 10043BBF
                                            • _memset.LIBCMT ref: 10043BDE
                                            • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000104,?,7FFFFFFF), ref: 10043BF4
                                            • PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,?,00000104,?,7FFFFFFF), ref: 10043C02
                                            • GetFileAttributesA.KERNEL32(?,?,00000104,?,7FFFFFFF,?,?,?,?,?,?,00000104,?,7FFFFFFF), ref: 10043C57
                                              • Part of subcall function 10043A30: FindNextFileA.KERNEL32(?,?,?,?,?,?,?,?,00000104,?,7FFFFFFF), ref: 10043F39
                                              • Part of subcall function 10043A30: FindClose.KERNEL32(00000000,?,?,?,00000104,?,7FFFFFFF), ref: 10043F48
                                            • _memset.LIBCMT ref: 10043D29
                                            • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,?,?,?,00000104,?,7FFFFFFF), ref: 10043D43
                                            • PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,00000104,?,7FFFFFFF), ref: 10043D51
                                            • _memset.LIBCMT ref: 10043E80
                                            • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,?,?,?,00000104,?,7FFFFFFF), ref: 10043E9D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: FileFind$_memset$lstrcpyn$BackslashNextPath$First$AttributesClose
                                            • String ID: *.*$._eac_qt_
                                            • API String ID: 3347367808-562819121
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 10045487
                                            • _memset.LIBCMT ref: 1004549A
                                            • lstrcpynA.KERNEL32(?,?,00000104,?,9E6FDE2E,00000010,00000001,00000000,00000000), ref: 100454B6
                                            • StrRChrIA.SHLWAPI(?,00000000,0000005C,?,9E6FDE2E,00000010,00000001,00000000,00000000), ref: 100454C3
                                            • FindFirstFileA.KERNEL32(?,?,?,9E6FDE2E,00000010,00000001,00000000,00000000), ref: 100454DB
                                            • FindFirstFileA.KERNEL32(?,?,?,?,?,9E6FDE2E,00000010,00000001,00000000,00000000), ref: 10045502
                                            • lstrcpynA.KERNEL32(?,?,00000104,?,9E6FDE2E,00000010,00000001,00000000,00000000), ref: 1004555B
                                            • PathAddBackslashA.SHLWAPI(?,?,9E6FDE2E,00000010,00000001,00000000,00000000), ref: 10045565
                                            • StrChrA.SHLWAPI(?,0000003F,?,9E6FDE2E,00000010,00000001,00000000,00000000), ref: 10045575
                                            • GetFileAttributesA.KERNEL32(?,?,?), ref: 1004562F
                                            • lstrcmpiA.KERNEL32(100D64B0,?), ref: 1004565B
                                            • lstrcmpiA.KERNEL32(100D64AC,?), ref: 10045672
                                            • lstrlenA.KERNEL32(?), ref: 10045687
                                            • lstrlenA.KERNEL32(?), ref: 100456A3
                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,00000000,?,?,?,?), ref: 10045736
                                            • _memset.LIBCMT ref: 10045758
                                            • lstrcpynA.KERNEL32(?,?,00000104,00000104,?,7FFFFFFF,?,9E6FDE2E,00000010,00000001,00000000,00000000), ref: 10045775
                                            • PathRemoveFileSpecA.SHLWAPI(?,?,?,?,?,?,?,?,00000104,?,7FFFFFFF,?,9E6FDE2E,00000010,00000001,00000000), ref: 10045810
                                            • FindNextFileA.KERNEL32(?,?,?,?), ref: 1004584F
                                            • FindClose.KERNEL32(?), ref: 10045862
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Find$_memsetlstrcpyn$AttributesFirstPathlstrcmpilstrlen$BackslashCloseNextRemoveSpec
                                            • String ID: ._eac_qt_
                                            • API String ID: 497524941-2454909905
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 10042EF0: _memset.LIBCMT ref: 10042F6B
                                              • Part of subcall function 10042EF0: _memset.LIBCMT ref: 10042F7E
                                              • Part of subcall function 10042EF0: lstrcpynA.KERNEL32(?,?,00000104,?,9E6FDE2E,00000000), ref: 10042F94
                                              • Part of subcall function 10042EF0: StrRChrIA.SHLWAPI(?,00000000,0000005C,?,9E6FDE2E,00000000), ref: 10042FA5
                                              • Part of subcall function 10042EF0: FindFirstFileA.KERNEL32(?,?,?,9E6FDE2E,00000000), ref: 10042FBD
                                              • Part of subcall function 10042EF0: FindFirstFileA.KERNEL32(?,?,?,?,?,9E6FDE2E,00000000), ref: 10042FE8
                                              • Part of subcall function 10042EF0: lstrcpynA.KERNEL32(?,?,00000104,?,9E6FDE2E,00000000), ref: 10043014
                                              • Part of subcall function 10042EF0: PathAddBackslashA.SHLWAPI(?,?,9E6FDE2E,00000000), ref: 10043022
                                            • _memset.LIBCMT ref: 10043330
                                            • lstrcpynA.KERNEL32(?,?,00000104), ref: 1004334C
                                            • PathFindFileNameA.SHLWAPI(?), ref: 10043356
                                            • _memset.LIBCMT ref: 1004336D
                                            • lstrcpynA.KERNEL32(?,00000000,00000104), ref: 10043383
                                            • PathRemoveFileSpecA.SHLWAPI(?), ref: 1004338D
                                            • _memset.LIBCMT ref: 100433A2
                                            • lstrcpynA.KERNEL32(?,?,00000104), ref: 100433BF
                                            • PathAddBackslashA.SHLWAPI(?), ref: 100433CF
                                            • _memset.LIBCMT ref: 10043422
                                            • FindFirstFileA.KERNEL32(?,?,00000104,?,7FFFFFFF), ref: 10043437
                                            • FindNextFileA.KERNEL32(00000000,?), ref: 10043450
                                            • FindNextFileA.KERNEL32(?,?), ref: 10043460
                                            • _memset.LIBCMT ref: 1004347F
                                            • lstrcpynA.KERNEL32(?,?,00000104), ref: 1004349C
                                            • PathAddBackslashA.SHLWAPI(?), ref: 100434A6
                                            • GetFileAttributesA.KERNEL32(?,?,00000104,?,7FFFFFFF), ref: 100434F5
                                            • PathAddBackslashA.SHLWAPI(?), ref: 10043512
                                            • FindNextFileA.KERNEL32(?,?), ref: 10043588
                                            • FindClose.KERNEL32(?), ref: 1004359B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Find$_memset$Pathlstrcpyn$Backslash$FirstNext$AttributesCloseNameRemoveSpec
                                            • String ID: *.*
                                            • API String ID: 1516988320-438819550
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1003C44C
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003B9D4
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003B9E8
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003B9FC
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003BA10
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003BA24
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003BA38
                                              • Part of subcall function 1003B970: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 1003BA45
                                              • Part of subcall function 1003B970: wsprintfA.USER32 ref: 1003BA70
                                              • Part of subcall function 1003B970: wsprintfA.USER32 ref: 1003BA91
                                              • Part of subcall function 1003B970: GetModuleFileNameA.KERNEL32(10000000,?,00000104), ref: 1003BAA7
                                              • Part of subcall function 1003B970: lstrcpynA.KERNEL32(?,?,00000104), ref: 1003BABF
                                            • lstrcmpiA.KERNEL32(?,?), ref: 1003C4BF
                                            • _memset.LIBCMT ref: 1003C5CE
                                            • _memset.LIBCMT ref: 1003C5E2
                                            • GetLocalTime.KERNEL32(?), ref: 1003C5EF
                                            • lstrcatA.KERNEL32(?,?,?,000003EC,?,?,?,?,?,?,?), ref: 1003C873
                                            • lstrcatA.KERNEL32(?,100D6410), ref: 1003C87F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$LocalTimelstrcatwsprintf$FileModuleNamelstrcmpilstrcpyn
                                            • String ID: %.2d:%.2d:%.2d$%d%.2d%.2d$DETECT type <%s> is %d$DETECT type <%s> starting$date$detect$result$time$type
                                            • API String ID: 1030385744-1854765952
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1003E454
                                            • _memset.LIBCMT ref: 1003E467
                                            • _memset.LIBCMT ref: 1003E47A
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003B9D4
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003B9E8
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003B9FC
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003BA10
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003BA24
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003BA38
                                              • Part of subcall function 1003B970: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 1003BA45
                                              • Part of subcall function 1003B970: wsprintfA.USER32 ref: 1003BA70
                                              • Part of subcall function 1003B970: wsprintfA.USER32 ref: 1003BA91
                                              • Part of subcall function 1003B970: GetModuleFileNameA.KERNEL32(10000000,?,00000104), ref: 1003BAA7
                                              • Part of subcall function 1003B970: lstrcpynA.KERNEL32(?,?,00000104), ref: 1003BABF
                                            • GetLocalTime.KERNEL32(?,?,?,?,?,9E6FDE2E,?,00000000), ref: 1003E497
                                              • Part of subcall function 10096880: VariantInit.OLEAUT32(?), ref: 100968F6
                                              • Part of subcall function 10096880: VariantCopy.OLEAUT32(?,00000003), ref: 10096904
                                              • Part of subcall function 10096880: VariantClear.OLEAUT32(?), ref: 1009698E
                                              • Part of subcall function 10095100: _com_util::ConvertStringToBSTR.COMSUPP ref: 100951CB
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000008), ref: 10095201
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000000), ref: 10095312
                                              • Part of subcall function 10095100: VariantInit.OLEAUT32(?), ref: 10095271
                                              • Part of subcall function 10095100: VariantCopy.OLEAUT32(?,00000000), ref: 1009527F
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(?), ref: 100952D4
                                            • StrStrIA.SHLWAPI(?,?,00000000,time,?), ref: 1003E711
                                            • lstrlenA.KERNEL32(?,00000000,time,?), ref: 1003E7E9
                                            Similarity
                                            • API ID: _memset$Variant$Clear$CopyInitLocalTimewsprintf$ConvertFileModuleNameString_com_util::lstrcpynlstrlen
                                            • String ID: %.2d:%.2d:%.2d$%d%.2d%.2d$4$clean$date$result$section$time$type
                                            • API String ID: 3842269020-2914343590
                                            • Opcode ID: 93ace28d819c288228a0c6b5325ac1d490f21497339b31d81c6343a172458806
                                            • Instruction ID: 2c419c99239d078d1f00a45786adce604363e1d6498bea10103b85bd479ac113
                                            • Opcode Fuzzy Hash: 93ace28d819c288228a0c6b5325ac1d490f21497339b31d81c6343a172458806
                                            • Instruction Fuzzy Hash: 92F1B2B56043428FD758DF69CD81A6AB7E9EB88341F054A2DF949DB281EB30FD40CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Similarity
                                            • API ID: _memset$__itoa_s
                                            • String ID: 0x%X$DRB$DRB%d: SUCCESS <%s> data 0x%X$data$hive$item$key$reg$value
                                            • API String ID: 2738638917-3386382311
                                            • Opcode ID: 8ea2df77353aa66f1245197677e3b833955b04c6b41919d1e5f5d61b752116dd
                                            • Instruction ID: ad1d10d59145302d3701fdd06222375c9857fad088f941867378ca828fcb81ae
                                            • Opcode Fuzzy Hash: 8ea2df77353aa66f1245197677e3b833955b04c6b41919d1e5f5d61b752116dd
                                            • Instruction Fuzzy Hash: C8027E716047059FD368EF68D991B6AB3E9FB84300F81892DF5998B681EB71F840CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Similarity
                                            • API ID: _memset$__itoa_s
                                            • String ID: 0x%X$DRD$DRD%d: SUCCESS <%s> data 0x%X$data$hive$item$key$reg$value
                                            • API String ID: 2738638917-1474056948
                                            • Opcode ID: 93551209648479f160222d1c88aba9d0ce96cfa992ed9a627dd1f2e12c1b6c75
                                            • Instruction ID: 281f1f44a0c413773bdbdf11dea5757025ffa05b80774f5ead0d876157a8681b
                                            • Opcode Fuzzy Hash: 93551209648479f160222d1c88aba9d0ce96cfa992ed9a627dd1f2e12c1b6c75
                                            • Instruction Fuzzy Hash: A6029E712047419FD768DE68D981BAAB3E9FB84300F81892DF55A8B681EB71FC44CB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Similarity
                                            • API ID: _memset
                                            • String ID: 0x%X$DRB$DRB%d: SUCCESS <%s> data 0x%X$data$hive$item$key$reg$value
                                            • API String ID: 2102423945-3386382311
                                            • Opcode ID: fd0547aae10cd976b0482fe82831b47df5635a2c8a391513305cc6b806f99f8b
                                            • Instruction ID: 19dce4c001e3bfb0d689d97c5704bb987c99abeb8a5974b558bdad06a40861a9
                                            • Opcode Fuzzy Hash: fd0547aae10cd976b0482fe82831b47df5635a2c8a391513305cc6b806f99f8b
                                            • Instruction Fuzzy Hash: 5DE180712047059FD368EE68DD91B6AB3E9EF84340F81892DF9998B681EB71FC40CB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Similarity
                                            • API ID: _memset
                                            • String ID: 0x%X$DRD$DRD%d: SUCCESS <%s> data 0x%X$data$hive$item$key$reg$value
                                            • API String ID: 2102423945-1474056948
                                            • Opcode ID: de181a4134fc5d5e62bb66520dd761569bc3ff6ba50993e7e33c7188cdce8ae7
                                            • Instruction ID: e3234696f4839ecc87476b6112cd5e5b62c871f81ad6eb702944b0e5c1a93dac
                                            • Opcode Fuzzy Hash: de181a4134fc5d5e62bb66520dd761569bc3ff6ba50993e7e33c7188cdce8ae7
                                            • Instruction Fuzzy Hash: FBE191712047019FD768DE68DD81BAAB3EAEF84340F85892DF99A8B681DB71FC40C751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Similarity
                                            • API ID: _memset
                                            • String ID: 0x%X$DRB$DRB%d: SUCCESS <%s> data 0x%X$data$hive$item$key$reg$value
                                            • API String ID: 2102423945-3386382311
                                            • Opcode ID: 6bc0a559556e03b30ada0d6ba4fe2345440405b0600ec2295749f422c7cc93a8
                                            • Instruction ID: ee0e343936451fba06862ec0170dd5a0308e306e6ae2b6087b8973f4bde7b4c6
                                            • Opcode Fuzzy Hash: 6bc0a559556e03b30ada0d6ba4fe2345440405b0600ec2295749f422c7cc93a8
                                            • Instruction Fuzzy Hash: 8FE181712047059FD368EE68DD91B6AB3E9EF84340F81892DF9998B681EB71FC40C751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Similarity
                                            • API ID: _memset
                                            • String ID: 0x%X$DRD$DRD%d: SUCCESS <%s> data 0x%X$data$hive$item$key$reg$value
                                            • API String ID: 2102423945-1474056948
                                            • Opcode ID: 0f26bbb1da55752051d8bec7278b16c359c5b1d25fafa1ff6b20d88989418843
                                            • Instruction ID: a3f029dfd1f371668dfe1c12e5a8b9dbd3e0613455a65662ebfa90e25d09a5fc
                                            • Opcode Fuzzy Hash: 0f26bbb1da55752051d8bec7278b16c359c5b1d25fafa1ff6b20d88989418843
                                            • Instruction Fuzzy Hash: 36E192712047019FD768DE68DD81BAAB3EAEF84340F85892DF9598B681DB71FC40C751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1003BCD3
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003B9D4
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003B9E8
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003B9FC
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003BA10
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003BA24
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003BA38
                                              • Part of subcall function 1003B970: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 1003BA45
                                              • Part of subcall function 1003B970: wsprintfA.USER32 ref: 1003BA70
                                              • Part of subcall function 1003B970: wsprintfA.USER32 ref: 1003BA91
                                              • Part of subcall function 1003B970: GetModuleFileNameA.KERNEL32(10000000,?,00000104), ref: 1003BAA7
                                              • Part of subcall function 1003B970: lstrcpynA.KERNEL32(?,?,00000104), ref: 1003BABF
                                            • _memset.LIBCMT ref: 1003BCFA
                                            • _memset.LIBCMT ref: 1003BD0E
                                            • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 1003BD1B
                                              • Part of subcall function 10096E90: VariantInit.OLEAUT32(?), ref: 10096EE9
                                              • Part of subcall function 10096E90: VariantCopy.OLEAUT32(?,?), ref: 10096EF7
                                              • Part of subcall function 10096E90: VariantClear.OLEAUT32(?), ref: 10096F7A
                                              • Part of subcall function 10095100: _com_util::ConvertStringToBSTR.COMSUPP ref: 100951CB
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000008), ref: 10095201
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000000), ref: 10095312
                                              • Part of subcall function 10095100: VariantInit.OLEAUT32(?), ref: 10095271
                                              • Part of subcall function 10095100: VariantCopy.OLEAUT32(?,00000000), ref: 1009527F
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(?), ref: 100952D4
                                            • lstrcmpiA.KERNEL32(00000000,-00000004), ref: 1003BF88
                                            Similarity
                                            • API ID: _memset$Variant$Clear$CopyInitLocalTimewsprintf$ConvertFileModuleNameString_com_util::lstrcmpilstrcpyn
                                            • String ID: %.2d:%.2d:%.2d$%d%.2d%.2d$4$date$detect$result$section$time$type
                                            • API String ID: 2687205574-1149517297
                                            • Opcode ID: 28fac2e1fe19afc29e48cf73fe58110112078f1d1eb3f2a29b8c6b56fe91e5b1
                                            • Instruction ID: 66ec8d283cc5d9dbeef9ceaf7e4b4e9e70b14ff0f14c22c6c8bbb603cf367f3e
                                            • Opcode Fuzzy Hash: 28fac2e1fe19afc29e48cf73fe58110112078f1d1eb3f2a29b8c6b56fe91e5b1
                                            • Instruction Fuzzy Hash: 57C1C0756047058FD358DF69CC41B6AB3E9EB88345F05892DFA89DB281EB70F940CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1003D39C
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003B9D4
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003B9E8
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003B9FC
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003BA10
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003BA24
                                              • Part of subcall function 1003B970: _memset.LIBCMT ref: 1003BA38
                                              • Part of subcall function 1003B970: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 1003BA45
                                              • Part of subcall function 1003B970: wsprintfA.USER32 ref: 1003BA70
                                              • Part of subcall function 1003B970: wsprintfA.USER32 ref: 1003BA91
                                              • Part of subcall function 1003B970: GetModuleFileNameA.KERNEL32(10000000,?,00000104), ref: 1003BAA7
                                              • Part of subcall function 1003B970: lstrcpynA.KERNEL32(?,?,00000104), ref: 1003BABF
                                            • lstrcmpiA.KERNEL32(?,-0000000C), ref: 1003D41F
                                            • _memset.LIBCMT ref: 1003D4BA
                                            • _memset.LIBCMT ref: 1003D4CE
                                            • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000003), ref: 1003D4DB
                                              • Part of subcall function 10095100: _com_util::ConvertStringToBSTR.COMSUPP ref: 100951CB
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000008), ref: 10095201
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000000), ref: 10095312
                                            Similarity
                                            • API ID: _memset$ClearLocalTimeVariantwsprintf$ConvertFileModuleNameString_com_util::lstrcmpilstrcpyn
                                            • String ID: %.2d:%.2d:%.2d$%d%.2d%.2d$CLEAN type <%s> is %d$CLEAN type <%s> starting$clean$date$result$time$type
                                            • API String ID: 4262444878-4115319850
                                            • Opcode ID: ed4a8d2b43586fa71de039a51c1d84cb815ff26d6575a82d9a24e5f92c5d6991
                                            • Instruction ID: d1bf09595abc62ef3e9a18f097ee4457066b8b182d7e6bd3cf4cdf0f5a12ae6f
                                            • Opcode Fuzzy Hash: ed4a8d2b43586fa71de039a51c1d84cb815ff26d6575a82d9a24e5f92c5d6991
                                            • Instruction Fuzzy Hash: 35B1E3756043019FD358EB68DC42F6BB3E9EB84744F45492EFA998B281EB70F940C762
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 10041CE7
                                            • PathRemoveFileSpecA.SHLWAPI(?,?,00000104,7FFFFFFF,?,?,00000000), ref: 10041D2B
                                            • FindFirstFileA.KERNEL32(?,?,?,00000000), ref: 10041D3D
                                            • FindFirstFileA.KERNEL32(?,?,?,?,?,00000000), ref: 10041D66
                                            • lstrcmpiA.KERNEL32(?,100D64B0), ref: 10041D85
                                            • PathAddBackslashA.SHLWAPI(?,?,00000104,7FFFFFFF,?,00000000), ref: 10041DDC
                                            • FindNextFileA.KERNEL32(00000000,?,?,00000000), ref: 10041E5D
                                            • lstrcmpiA.KERNEL32(?,100D64AC), ref: 10041E7A
                                            Similarity
                                            • API ID: File$Find$FirstPathlstrcmpi$BackslashNextRemoveSpec_memset
                                            • String ID: found <%s>
                                            • API String ID: 2938084122-2530121354
                                            • Opcode ID: 534972414190d7c40e708a7e0c2279aff91d5585a1791be534b5d12db3791789
                                            • Instruction ID: 6178d5f8bf3b7e24af647e8adace3778eafc69c3f56961d6e4ac7267126f5999
                                            • Opcode Fuzzy Hash: 534972414190d7c40e708a7e0c2279aff91d5585a1791be534b5d12db3791789
                                            • Instruction Fuzzy Hash: C6718475108345ABD320DB60CC85EEB73ECEB88710F504B2DF9A9861C1EB75A648CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$__itoa_s
                                            • String ID: found <%s>$DMRK$DMRK%d: SUCCESS found %d keys$`$hive$item$key$reg
                                            • API String ID: 2738638917-3012021932
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$__itoa_s
                                            • String ID: DRK$DRK%d: SUCCESS <%s>$`$hive$item$key$reg
                                            • API String ID: 2738638917-602928456
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PathFileExistsA.SHLWAPI(?,9E6FDE2E,74DE9300,74DF31E0,?), ref: 1008F35F
                                            • PathFindExtensionA.SHLWAPI(?), ref: 1008F36E
                                            • lstrcmpiA.KERNEL32(.exe,00000000), ref: 1008F38A
                                            • lstrcmpiA.KERNEL32(.bat,00000000), ref: 1008F396
                                            • lstrcmpiA.KERNEL32(.com,00000000), ref: 1008F3A2
                                            • _memset.LIBCMT ref: 1008F3C8
                                            • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 1008F3DB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Pathlstrcmpi$ExistsExtensionFileFindNameShort_memset
                                            • String ID: killed task on <%s>$.bat$.com$.exe
                                            • API String ID: 1453697853-3321477379
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00403060: EnterCriticalSection.KERNEL32(004271CC,?,?,?,00000000), ref: 00403072
                                              • Part of subcall function 00403060: RegisterWindowMessageA.USER32(WM_ATLGETHOST,?,00000000), ref: 00403083
                                              • Part of subcall function 00403060: RegisterWindowMessageA.USER32(WM_ATLGETCONTROL,?,00000000), ref: 0040308F
                                              • Part of subcall function 00403060: GetClassInfoExA.USER32(00400000,AtlAxWin80,?), ref: 004030B0
                                              • Part of subcall function 00403060: LoadCursorA.USER32 ref: 004030EC
                                              • Part of subcall function 00403060: RegisterClassExA.USER32 ref: 00403113
                                              • Part of subcall function 00403060: _memset.LIBCMT ref: 0040313E
                                              • Part of subcall function 00403060: GetClassInfoExA.USER32(00400000,AtlAxWinLic80,?), ref: 0040315A
                                              • Part of subcall function 00403060: LoadCursorA.USER32 ref: 0040319A
                                              • Part of subcall function 00403060: RegisterClassExA.USER32 ref: 004031C1
                                              • Part of subcall function 00403060: LeaveCriticalSection.KERNEL32(004271CC,?,?,00000000), ref: 004031EF
                                            • FindResourceA.KERNEL32 ref: 0040D0F2
                                            • FindResourceA.KERNEL32(00400000,00000070,000000F0), ref: 0040D105
                                            • LoadResource.KERNEL32(00400000,00000000), ref: 0040D119
                                            • LockResource.KERNEL32(00000000), ref: 0040D11C
                                            • LoadResource.KERNEL32(00400000,00000000), ref: 0040D128
                                            • LockResource.KERNEL32(00000000), ref: 0040D12F
                                            • DialogBoxIndirectParamA.USER32(00400000,00000000,?,0040A490,00000000), ref: 0040D150
                                            • GetLastError.KERNEL32 ref: 0040D161
                                            • GlobalHandle.KERNEL32(00000000), ref: 0040D170
                                            • GlobalFree.KERNEL32(00000000), ref: 0040D177
                                            • GetLastError.KERNEL32 ref: 0040D17F
                                            • SetLastError.KERNEL32(?), ref: 0040D196
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Resource$ClassLoadRegister$ErrorLast$CriticalCursorFindGlobalInfoLockMessageSectionWindow$DialogEnterFreeHandleIndirectLeaveParam_memset
                                            • String ID:
                                            • API String ID: 3856986219-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100722D1
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100722EB
                                              • Part of subcall function 100722A0: lstrlenA.KERNEL32(?,?,00000FFA,7FFFFFFF,?,?,?,?,?,?,00000000), ref: 10072345
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100723DC
                                            • _memset.LIBCMT ref: 10023D41
                                            • __itoa_s.LIBCMT ref: 10023D53
                                              • Part of subcall function 100A387C: _xtoa_s@20.LIBCMT ref: 100A389D
                                              • Part of subcall function 10096880: VariantInit.OLEAUT32(?), ref: 100968F6
                                              • Part of subcall function 10096880: VariantCopy.OLEAUT32(?,00000003), ref: 10096904
                                              • Part of subcall function 10096880: VariantClear.OLEAUT32(?), ref: 1009698E
                                              • Part of subcall function 10095100: _com_util::ConvertStringToBSTR.COMSUPP ref: 100951CB
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000008), ref: 10095201
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Variant_memset$Clear$ConvertCopyInitString__itoa_s_com_util::_xtoa_s@20lstrlen
                                            • String ID: CDRS$CDRS%d: SUCCESS <%s\%s:%s>$data$hive$item$key$reg$value
                                            • API String ID: 3432937315-2127074228
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100722D1
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100722EB
                                              • Part of subcall function 100722A0: lstrlenA.KERNEL32(?,?,00000FFA,7FFFFFFF,?,?,?,?,?,?,00000000), ref: 10072345
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100723DC
                                            • _memset.LIBCMT ref: 1002456A
                                            • __itoa_s.LIBCMT ref: 1002457C
                                              • Part of subcall function 100A387C: _xtoa_s@20.LIBCMT ref: 100A389D
                                              • Part of subcall function 10096880: VariantInit.OLEAUT32(?), ref: 100968F6
                                              • Part of subcall function 10096880: VariantCopy.OLEAUT32(?,00000003), ref: 10096904
                                              • Part of subcall function 10096880: VariantClear.OLEAUT32(?), ref: 1009698E
                                              • Part of subcall function 10095100: _com_util::ConvertStringToBSTR.COMSUPP ref: 100951CB
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000008), ref: 10095201
                                              • Part of subcall function 10096880: VariantClear.OLEAUT32(00000003), ref: 10096B80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Variant$_memset$Clear$ConvertCopyInitString__itoa_s_com_util::_xtoa_s@20lstrlen
                                            • String ID: CMRV$CMRV%d: <%s\%s:%s>$CMRV%d: SUCCESS deleted %d values$hive$item$key$reg$value
                                            • API String ID: 1830163474-3239705907
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 100165F0: _memset.LIBCMT ref: 1001666D
                                              • Part of subcall function 100165F0: StrRChrIA.SHLWAPI(?,00000000,0000005C), ref: 1001669B
                                              • Part of subcall function 100165F0: StrRChrIA.SHLWAPI(?,00000000,0000005C,?,00000104,7FFFFFFF), ref: 10016700
                                            • _memset.LIBCMT ref: 1001C5FE
                                            • __itoa_s.LIBCMT ref: 1001C610
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$__itoa_s
                                            • String ID: CDMF$CDMF%d: <%s>$CDMF%d: <%s> AND subdirs$CDMF%d: SUCCESS NeedReboot %d$file$item$path
                                            • API String ID: 2738638917-927467764
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __itoa_s_memset
                                            • String ID: CMRK$CMRK%d: <%s\%s>$CMRK%d: SUCCESS deleted %d keys$hive$item$key$reg
                                            • API String ID: 1081510541-3001772500
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenA.KERNEL32(?,9E6FDE2E,74DE9300,74DF31E0,?,00000000,?,?,?,?,00000104,?,7FFFFFFF,?,9E6FDE2E,00000010), ref: 1004242F
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000,?,?,?,?,00000104,?,7FFFFFFF,?,9E6FDE2E), ref: 1004245C
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000,?,?,?,?,?,?,00000104,?,7FFFFFFF), ref: 10042489
                                            • CreateFileMappingA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 100424A5
                                            • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,?,?,00000104,?,7FFFFFFF,?,9E6FDE2E,00000010,00000001), ref: 100424BF
                                            • GetFileSize.KERNEL32(00000000,00000000,?), ref: 100424DA
                                            • GetFileSize.KERNEL32(00000000,00000000,?), ref: 100424F1
                                              • Part of subcall function 1007E9F0: lstrlenA.KERNEL32(?,00000000,00000000,100424FE,00000000,00000000), ref: 1007E9F9
                                            • UnmapViewOfFile.KERNEL32(00000000,00000000,00000000), ref: 1004250B
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000104,?,7FFFFFFF,?,9E6FDE2E,00000010,00000001,00000000,00000000), ref: 10042512
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000104,?,7FFFFFFF,?,9E6FDE2E,00000010,00000001,00000000,00000000), ref: 10042519
                                              • Part of subcall function 10041A40: GetLastError.KERNEL32(00000000,10004189,?,?), ref: 10041A43
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Create$CloseHandleSizeViewlstrlen$ErrorLastMappingUnmap
                                            • String ID:
                                            • API String ID: 1179649961-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 10082160: GetTickCount.KERNEL32 ref: 10082161
                                              • Part of subcall function 10082160: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 10082176
                                            • _memset.LIBCMT ref: 10030704
                                            • __itoa_s.LIBCMT ref: 10030719
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CountLibraryLoadTick__itoa_s_memset
                                            • String ID: DCS$DCS%d: SUCCESS <%s>$X$file$item$path
                                            • API String ID: 2517018591-1173121234
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100722D1
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100722EB
                                              • Part of subcall function 100722A0: lstrlenA.KERNEL32(?,?,00000FFA,7FFFFFFF,?,?,?,?,?,?,00000000), ref: 10072345
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100723DC
                                            • _memset.LIBCMT ref: 1001E58C
                                            • __itoa_s.LIBCMT ref: 1001E59E
                                              • Part of subcall function 100A387C: _xtoa_s@20.LIBCMT ref: 100A389D
                                              • Part of subcall function 10096880: VariantInit.OLEAUT32(?), ref: 100968F6
                                              • Part of subcall function 10096880: VariantCopy.OLEAUT32(?,00000003), ref: 10096904
                                              • Part of subcall function 10096880: VariantClear.OLEAUT32(?), ref: 1009698E
                                              • Part of subcall function 10095100: _com_util::ConvertStringToBSTR.COMSUPP ref: 100951CB
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000008), ref: 10095201
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Variant_memset$Clear$ConvertCopyInitString__itoa_s_com_util::_xtoa_s@20lstrlen
                                            • String ID: CDFR$CDFR%d: <%s>$CDFR%d: SUCCESS set %d files to be deleted on reboot$file$item$path
                                            • API String ID: 3432937315-2429094265
                                            • Opcode ID: 7fe2555fe8c030d1ca108f7f3103084e7d7637bffb3ec50ee4f0a0e0fb5a9d61
                                            • Instruction ID: 6256e6dfe30ce32eac59982b15f0bae42b542a0b483775048b88ed375b7b8ec5
                                            • Opcode Fuzzy Hash: 7fe2555fe8c030d1ca108f7f3103084e7d7637bffb3ec50ee4f0a0e0fb5a9d61
                                            • Instruction Fuzzy Hash: DEA1E3756083909BDB20DF68C885B9EBBE5EF89744F50456DF4488B242DB71E980CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,10038FC2), ref: 100475E5
                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,?,?,?,?,10038FC2), ref: 100475FB
                                            • OpenServiceA.ADVAPI32(00000000,EacCleanDrv,000F01FF,?,?,?,?,?,?,?,?,?,?,10038FC2), ref: 1004760E
                                            • ControlService.ADVAPI32 ref: 10047644
                                            • DeleteService.ADVAPI32(00000000), ref: 1004764B
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,10038FC2), ref: 1004765E
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,10038FC2), ref: 10047661
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Service$CloseHandle$Open$ControlDeleteManager
                                            • String ID: EacCleanDrv
                                            • API String ID: 1859593115-2285477812
                                            • Opcode ID: 5efdcb64b5b872fcd6de5895bb324a8e91ff181a8c45043ace2e951989b07550
                                            • Instruction ID: cce43ce357d00a186b2952d8b6b0d34c9ca442396b3aac9023da7af140525304
                                            • Opcode Fuzzy Hash: 5efdcb64b5b872fcd6de5895bb324a8e91ff181a8c45043ace2e951989b07550
                                            • Instruction Fuzzy Hash: 38015E71A053216FE350DF689C88BAB7FE8FF48751F01452EFE49D2250DBB499048BA6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __itoa_s_memset
                                            • String ID: CDRCF$CDRCF%d: SUCCESS <%s> NeedReboot %d$file$item$path
                                            • API String ID: 1081510541-101625776
                                            • Opcode ID: 4ca247c757b7af1b21bf27e6b10a0681b16b71effd15103dd730a1b8eb3dad04
                                            • Instruction ID: fcd114a74a9befb174cfc33fbd6989a2ce34a7ee2c7c9935af1a074583621bd7
                                            • Opcode Fuzzy Hash: 4ca247c757b7af1b21bf27e6b10a0681b16b71effd15103dd730a1b8eb3dad04
                                            • Instruction Fuzzy Hash: F5D12278608340DBC724DF68D881B9ABBE5EB98714FA04A5DF48897381C771E945CBA3
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0040E960: _memset.LIBCMT ref: 0040E980
                                              • Part of subcall function 0040E960: GetVersionExA.KERNEL32 ref: 0040E994
                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 0040EA69
                                            • OpenProcessToken.ADVAPI32(00000000), ref: 0040EA70
                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040EA86
                                            • AdjustTokenPrivileges.ADVAPI32 ref: 0040EAAE
                                            • GetLastError.KERNEL32 ref: 0040EAB4
                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 0040EAC2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueVersionWindows_memset
                                            • String ID: SeShutdownPrivilege
                                            • API String ID: 712148179-3733053543
                                            • Opcode ID: 4870a09801546a5b76b05468102e4cdedcde85c82c6b5a1acf152ff12a198df7
                                            • Instruction ID: 79bb9dee3d3fc67c46414ad93b52a6dbc50b5057b5dda50d4fb3aca29a2276d0
                                            • Opcode Fuzzy Hash: 4870a09801546a5b76b05468102e4cdedcde85c82c6b5a1acf152ff12a198df7
                                            • Instruction Fuzzy Hash: 4CF0A9743403107BF2109F66CD0EF5A7B9CBB88B04F408D29F604A41D1D7B8E5048B2E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 10009B80: std::_String_base::_Xlen.LIBCPMT ref: 10009BBA
                                              • Part of subcall function 10009B80: std::_String_base::_Xlen.LIBCPMT ref: 10009BD1
                                              • Part of subcall function 10009B80: _memcpy_s.LIBCMT ref: 10009C4A
                                            • SetErrorMode.KERNEL32(00000001,?,00000000,000000FF,100D5038,00000001), ref: 1004615A
                                            • FindFirstFileA.KERNEL32(?,?), ref: 1004617D
                                            • lstrcmpiA.KERNEL32(?,100D64AC), ref: 100461B4
                                            • lstrcmpiA.KERNEL32(?,100D64B0), ref: 100461CF
                                            • StrChrIA.SHLWAPI(?,0000003F,?,?,?,?,?,00000000,000000FF,100D5038,00000001,?,00000000,000000FF), ref: 1004626E
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 100462AE
                                            • SetErrorMode.KERNEL32(00000000), ref: 100462C1
                                            • FindClose.KERNEL32(000000FF), ref: 100462CC
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Find$ErrorFileModeString_base::_Xlenlstrcmpistd::_$CloseFirstNext_memcpy_s
                                            • String ID:
                                            • API String ID: 725104290-0
                                            • Opcode ID: 32194040f6e5d11cc998e1c46d628201b8588bebc5ac2681db6f3e95c28c2ac9
                                            • Instruction ID: 43d22f2c614a5a3577d833c2e078b6ae3c550462d1d13516e980c8f1ea7ff2a4
                                            • Opcode Fuzzy Hash: 32194040f6e5d11cc998e1c46d628201b8588bebc5ac2681db6f3e95c28c2ac9
                                            • Instruction Fuzzy Hash: B3714475508381AFD710CF68CD84A9BBBE8FF99750F500A2DF59582290EB71E908CB63
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileAttributesA.KERNEL32(?,9E6FDE2E,?,?,?), ref: 10041B50
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10041B6F
                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 10041B7F
                                            • CloseHandle.KERNEL32(00000000), ref: 10041B88
                                            • _memset.LIBCMT ref: 10041BA9
                                            • FindFirstFileA.KERNEL32 ref: 10041BD3
                                            • FindFirstFileA.KERNEL32(?,?,?), ref: 10041BEA
                                            • FindClose.KERNEL32(00000000), ref: 10041BFB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Find$CloseFirst$AttributesCreateHandleSize_memset
                                            • String ID:
                                            • API String ID: 2293646998-0
                                            • Opcode ID: 2a326cdaa6f8b63b240dbb7df2d1e735dd0f334e64bdee97b961c6bad9c15534
                                            • Instruction ID: 10388b0d27786a3386e7326fcf3eaf17e1ac1131ff4e87d07f7d8bf03c51a0a8
                                            • Opcode Fuzzy Hash: 2a326cdaa6f8b63b240dbb7df2d1e735dd0f334e64bdee97b961c6bad9c15534
                                            • Instruction Fuzzy Hash: 47310475644350ABD220CB24CCC5FDBB7E8EF89760F210A29F9A4D72C0EB349845CBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,9E6FDE2E,74DE9300,74DF31E0,?,00000000), ref: 100422EB
                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 100422FA
                                            • CloseHandle.KERNEL32(00000000), ref: 10042309
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$CloseCreateHandleSize
                                            • String ID:
                                            • API String ID: 1378416451-0
                                            • Opcode ID: 28a4b991eb95c6350de1e6934bb26087a01e4cd3e14d98e390d71952c916440f
                                            • Instruction ID: 355b8321c60c8ad6f0a0b0fc364354af28497bf75c8a471068b70bd19a2de415
                                            • Opcode Fuzzy Hash: 28a4b991eb95c6350de1e6934bb26087a01e4cd3e14d98e390d71952c916440f
                                            • Instruction Fuzzy Hash: 4641D675208341ABD220CF24DCC0B9FB7F8EB85761FA14A2CF555C62C1DB35AA44CBA6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100340D9
                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000104,?,?,00000000,000F003F,?,?,?,00000000,000F003F,?), ref: 1003413F
                                            • _memset.LIBCMT ref: 10034273
                                            • StrRChrIA.SHLWAPI(?,00000000,0000005C), ref: 10034297
                                            • PathRemoveFileSpecA.SHLWAPI(?,?,00000104,7FFFFFFF), ref: 100342FF
                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,000F003F,?), ref: 10034538
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CloseFileOpenPathQueryRemoveSpecValue_memset
                                            • String ID:
                                            • API String ID: 2193496419-0
                                            • Opcode ID: 1aeba4386d7fb1daa86e9141b38a2c12e4e802d37eabe1c267c0bfb8d6ddb6e7
                                            • Instruction ID: 13ac268512a7974357b478533641751b169fe4ae25206b699fab3c2de58d2212
                                            • Opcode Fuzzy Hash: 1aeba4386d7fb1daa86e9141b38a2c12e4e802d37eabe1c267c0bfb8d6ddb6e7
                                            • Instruction Fuzzy Hash: 2C1290B69083808FD725DF58C880A9FB7E9FBC8344F45492DF6899B251DB70A944CB93
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1003E0BE
                                              • Part of subcall function 100040E0: GetFileAttributesA.KERNEL32(?,9E6FDE2E,?,?,?,?), ref: 10004144
                                              • Part of subcall function 100040E0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 10004175
                                              • Part of subcall function 100040E0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000,?,?), ref: 100041A2
                                              • Part of subcall function 100040E0: _memset.LIBCMT ref: 100041D1
                                              • Part of subcall function 10041B00: GetFileAttributesA.KERNEL32(?,9E6FDE2E,?,?,?), ref: 10041B50
                                              • Part of subcall function 10041B00: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10041B6F
                                              • Part of subcall function 10041B00: GetFileSize.KERNEL32(00000000,00000000), ref: 10041B7F
                                              • Part of subcall function 10041B00: CloseHandle.KERNEL32(00000000), ref: 10041B88
                                            • lstrcmpiA.KERNEL32(?,?), ref: 1003E141
                                            • lstrcpyA.KERNEL32(?,?,?), ref: 1003E33C
                                            • lstrcpyA.KERNEL32(?,?), ref: 1003E3BD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Create$Attributes_memsetlstrcpy$CloseHandleSizelstrcmpi
                                            • String ID: 4
                                            • API String ID: 1182985388-4088798008
                                            • Opcode ID: f5b5bb80a882bb146d863eff3426c2e7e19a0e2fa78497d0fa32c00f85e8d441
                                            • Instruction ID: 297ec9f2273709b7cff917b6d33b3100531da8af46743efb4ac396f108cd4f8c
                                            • Opcode Fuzzy Hash: f5b5bb80a882bb146d863eff3426c2e7e19a0e2fa78497d0fa32c00f85e8d441
                                            • Instruction Fuzzy Hash: C2A19D717007828FD758DE69C981A6AB7E9EB84341F058A2DE859DF381EB70FD00CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 100477A3
                                            • _memset.LIBCMT ref: 100477B6
                                            • DeviceIoControl.KERNEL32(?,0022E008,?,00000004,?,00000414,?,00000000), ref: 100477E2
                                            • _memset.LIBCMT ref: 10047813
                                            • _memset.LIBCMT ref: 1004782D
                                              • Part of subcall function 10090C40: QueryDosDeviceA.KERNEL32(?,?,00000032), ref: 10090C87
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$Device$ControlQuery
                                            • String ID:
                                            • API String ID: 79894852-0
                                            • Opcode ID: 2de4c2bac50e556576c5ec3b797c8cf6bc04d2f58b4f3e75384a9213ff9b7511
                                            • Instruction ID: 0425101d1335b80075883233bbec7d0087f4fd30893cd2d62932186ba5f40b65
                                            • Opcode Fuzzy Hash: 2de4c2bac50e556576c5ec3b797c8cf6bc04d2f58b4f3e75384a9213ff9b7511
                                            • Instruction Fuzzy Hash: 073192B6145340BED220DBA4DC85EDFB3ECEBD8744F40492DB64893141EA70AA48C7B6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 10045307
                                            • FindFirstFileA.KERNEL32(?,?,?,?,00000000), ref: 10045317
                                            • FindClose.KERNEL32(00000000,?,?,00000000), ref: 10045327
                                            • PathRemoveFileSpecA.SHLWAPI(?,?,00000104,7FFFFFFF,?,?,00000000), ref: 10045369
                                            • CopyFileA.KERNEL32(?,?,?), ref: 10045394
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Find$CloseCopyFirstPathRemoveSpec_memset
                                            • String ID:
                                            • API String ID: 2173540614-0
                                            • Opcode ID: 1488b0e5081e3d447ad740cab7648b692f9aae9553fd989de766f65f99c81510
                                            • Instruction ID: 47b99ec0f42a21a3e17457e5b816ae1d4dec858d4050dfb75b02ce9a81bba276
                                            • Opcode Fuzzy Hash: 1488b0e5081e3d447ad740cab7648b692f9aae9553fd989de766f65f99c81510
                                            • Instruction Fuzzy Hash: C321B471108344ABD330DFA58C89BEF77E8EBC5392F61092CF958C6192DBB2A544C765
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • IsDebuggerPresent.KERNEL32 ref: 00410F58
                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00410F6D
                                            • UnhandledExceptionFilter.KERNEL32(0041E590), ref: 00410F78
                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00410F94
                                            • TerminateProcess.KERNEL32(00000000), ref: 00410F9B
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                            • String ID:
                                            • API String ID: 2579439406-0
                                            • Opcode ID: 743bb48724cab8de8fc5ee37a07e49a42b217ea6696bfedaef934a676f404514
                                            • Instruction ID: d2dd8185fdd4272ae12e0d3dbde3363f05707261494d76aa61a72d5624ddfcaa
                                            • Opcode Fuzzy Hash: 743bb48724cab8de8fc5ee37a07e49a42b217ea6696bfedaef934a676f404514
                                            • Instruction Fuzzy Hash: 1B21CEB8A09304DFD720DF65EC856943BE4BB08710FD048BAEE0887261E7B45982DF9D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1008FF7B
                                            • FindFirstFileA.KERNEL32(?,?,?,?,?,?,00000000,-0000008C,-00000070), ref: 10090020
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: FileFindFirst_memset
                                            • String ID: Killed <%s>
                                            • API String ID: 2959355137-2341557596
                                            • Opcode ID: f17cb6e16cac36e351b7567173454bf13a5da0ba4f3bffab471fc555bc61e58f
                                            • Instruction ID: 0dbc0ca491fc18afb9f0a58f086cfc6a1b09c79fda6006272acdcb1be548b2ae
                                            • Opcode Fuzzy Hash: f17cb6e16cac36e351b7567173454bf13a5da0ba4f3bffab471fc555bc61e58f
                                            • Instruction Fuzzy Hash: C66199756046419FD764CB29CC81AABB3E9EFC8784F01492EF989C7291EB34E940C762
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 1008044F
                                              • Part of subcall function 1007FF00: GetProcAddress.KERNEL32(?,ControlService), ref: 1007FF14
                                            • Sleep.KERNEL32(?), ref: 100804AA
                                            • GetTickCount.KERNEL32 ref: 100804C3
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CountTick$AddressProcSleep
                                            • String ID:
                                            • API String ID: 1025680776-0
                                            • Opcode ID: 60ae970970fed92a3e2213145f7481349f30c26d48f7d9bdffd642c159d2fd88
                                            • Instruction ID: 36310921d33f98843fd61aa19ca5715d3908eac10c7ab4bdfd4301e7b0f499d6
                                            • Opcode Fuzzy Hash: 60ae970970fed92a3e2213145f7481349f30c26d48f7d9bdffd642c159d2fd88
                                            • Instruction Fuzzy Hash: 7C118272944316ABC380DF29998096FFBE4FBD46A0F41082EFA88D2111D630D949CBA3
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 1008066F
                                              • Part of subcall function 1007FF00: GetProcAddress.KERNEL32(?,ControlService), ref: 1007FF14
                                            • Sleep.KERNEL32(?), ref: 100806CA
                                            • GetTickCount.KERNEL32 ref: 100806E3
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CountTick$AddressProcSleep
                                            • String ID:
                                            • API String ID: 1025680776-0
                                            • Opcode ID: 8aa450a1b1919fb27310091436f0b7b526a9116372ccdba1c3515fcf50c1439d
                                            • Instruction ID: 3226ef58d3bcb228192e7c77d0d544b9bf359cb21fe19755e0e68617aa09eb39
                                            • Opcode Fuzzy Hash: 8aa450a1b1919fb27310091436f0b7b526a9116372ccdba1c3515fcf50c1439d
                                            • Instruction Fuzzy Hash: 4B1182329053029BD380DF29988096FFBE4FFD46A0F41082EF584D2111E631D959CBA3
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CoCreateInstance.OLE32(0041E44C,00000000,00000001,00420ACC,?), ref: 0040D07C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CreateInstance
                                            • String ID:
                                            • API String ID: 542301482-0
                                            • Opcode ID: 53561f4e0e1022973a24b57f724bdaf7ff04b13830d1745af1af840c7c177546
                                            • Instruction ID: bffe7f3f734d8689e15c7358a544742b22930d485d11ca55fe0b29d9d3918527
                                            • Opcode Fuzzy Hash: 53561f4e0e1022973a24b57f724bdaf7ff04b13830d1745af1af840c7c177546
                                            • Instruction Fuzzy Hash: 8AF0897630021057C321DE5ADC84D43B7E5AFE9725725803EFA4CA7340D7369847C6A8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Name::operator=$Name::operator+=operator+$Decorator::getType$DataNameName::
                                            • String ID: volatile$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$char$const$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                            • API String ID: 81047387-3072089766
                                            • Opcode ID: e775424dc06f2437d626cd20c0527ebffce0841596e7165e2d371553170ba145
                                            • Instruction ID: 58495e07ed6ab0c927dca690ef81e5c82135a2d2bfcf35d0d02c84046f8d3f42
                                            • Opcode Fuzzy Hash: e775424dc06f2437d626cd20c0527ebffce0841596e7165e2d371553170ba145
                                            • Instruction Fuzzy Hash: 5F81C17D80028AAACB20DA64DD81EFD37E4DB15790F20826EF911E7192D772EF459721
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,9E6FDE2E,?,?,?,?,?,100CE91B,000000FF,1000C967), ref: 100484EA
                                            • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?,100CE91B,000000FF,1000C967,00000110), ref: 100484FB
                                            • SetForegroundWindow.USER32 ref: 10048500
                                            • GetSystemMetrics.USER32(0000000C), ref: 1004850E
                                            • GetSystemMetrics.USER32(0000000B), ref: 10048514
                                            • LoadImageA.USER32(10000000,000003EE,00000001,00000000,00000000,00000000), ref: 1004852D
                                            • GetSystemMetrics.USER32(00000032), ref: 10048534
                                            • GetSystemMetrics.USER32(00000031), ref: 1004853C
                                            • LoadImageA.USER32(10000000,000003EE,00000001,00000000,?,00000000), ref: 10048554
                                            • SendMessageA.USER32(?,00000080,00000001,?), ref: 1004856D
                                            • SendMessageA.USER32(?,00000080,00000000,?), ref: 1004857D
                                              • Part of subcall function 100480F0: GetModuleHandleA.KERNEL32(vclnr.dll,?,?,75BF3EB0), ref: 10048119
                                              • Part of subcall function 100480F0: GetModuleHandleA.KERNEL32(?,?,?,?,75BF3EB0), ref: 1004814C
                                              • Part of subcall function 100480F0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,75BF3EB0), ref: 10048163
                                              • Part of subcall function 100480F0: PathRemoveFileSpecA.SHLWAPI(?,?,75BF3EB0), ref: 1004816E
                                            • PathAppendA.SHLWAPI(?,resources\images,?,00000104,?,00000080,00000000,?,?,?,000000FE,00000000,00000000,00000000,00000000,00000003), ref: 1004859A
                                            • GetDlgItem.USER32(?,000003ED), ref: 100485CE
                                            • GetDlgItem.USER32(00000000,000003ED), ref: 100485F0
                                            • SetWindowTextA.USER32(00000000,Threat Scanner), ref: 100485FE
                                            • _memset.LIBCMT ref: 10048617
                                            • _memset.LIBCMT ref: 10048633
                                            • GetDlgItem.USER32(00000000,000003EC), ref: 10048643
                                            • GetWindowTextA.USER32(00000000,?,00000824), ref: 10048653
                                            • GetDlgItem.USER32(?,000003EC), ref: 10048696
                                            • SetWindowTextA.USER32(00000000,?), ref: 100486A1
                                            • lstrcmpiA.KERNEL32(?,?), ref: 10048707
                                              • Part of subcall function 10048050: GetDlgItem.USER32(?,000003E9), ref: 1004805D
                                              • Part of subcall function 10048050: GetWindowTextLengthA.USER32(00000000), ref: 10048066
                                              • Part of subcall function 10048050: lstrlenA.KERNEL32(?,?,75BF6C40,75C08FB0,100486C8,Current Internet Explorer Settings -), ref: 10048073
                                              • Part of subcall function 10048050: CoTaskMemAlloc.OLE32(?,?,75BF6C40,75C08FB0,100486C8,Current Internet Explorer Settings -), ref: 1004807E
                                              • Part of subcall function 10048050: GetWindowTextA.USER32(00000000,00000000,?), ref: 1004808D
                                              • Part of subcall function 10048050: SetWindowTextA.USER32(00000000,00000000), ref: 100480C1
                                              • Part of subcall function 10048050: SendMessageA.USER32(00000000,00000115,00000007,00000000), ref: 100480D1
                                              • Part of subcall function 10048050: CoTaskMemFree.OLE32(00000000,?,75BF6C40,75C08FB0,100486C8,Current Internet Explorer Settings -), ref: 100480D8
                                            • GetDlgItem.USER32(?,000003E9), ref: 10048789
                                            • SendMessageA.USER32(00000000,000000B5,00000002,00000000), ref: 10048795
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Window$ItemText$MessageMetricsSendSystem$Module$FileHandleImageLoadPathTask_memset$AllocAppendForegroundFreeLengthNameRemoveSpeclstrcmpilstrlen
                                            • String ID: $Current Internet Explorer Settings -$Current: $Homepage:$Safe: $Threat Scanner$resources\images
                                            • API String ID: 873723305-1078101925
                                            • Opcode ID: 8e90f646277a05a7157b3781e40bdb13ec53c21f57d1122c8991631548d222ce
                                            • Instruction ID: 61e95e58e4a10f5cddc5432b45cb67bb170d781506669a4257df04f62059ee0f
                                            • Opcode Fuzzy Hash: 8e90f646277a05a7157b3781e40bdb13ec53c21f57d1122c8991631548d222ce
                                            • Instruction Fuzzy Hash: E5919B71244344ABE664DBA4CC92F9FB3E8EB48700F104929F695D72C1EB70FA04CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrcmpiA.KERNEL32 ref: 0040BA24
                                            • lstrcmpiA.KERNEL32(0040B1F3,ForceRemove), ref: 0040BA35
                                            • CharNextA.USER32(0040B1F3), ref: 0040BA70
                                            • lstrcmpiA.KERNEL32(0040B1F3,0040B1F3), ref: 0040BA94
                                            • lstrlenA.KERNEL32(0040B1F3,?), ref: 0040BAED
                                            • lstrcmpiA.KERNEL32(0040B1F3,NoRemove), ref: 0040BB40
                                            • lstrcmpiA.KERNEL32(0040B1F3,Val), ref: 0040BB6D
                                            • RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020006,?), ref: 0040BC1A
                                            • RegDeleteValueA.ADVAPI32(?,?), ref: 0040BC35
                                            • RegCloseKey.ADVAPI32(?), ref: 0040BC4D
                                            • CharNextA.USER32(0040B1F3), ref: 0040BC76
                                            • RegOpenKeyExA.ADVAPI32(?,0040B1F3,00000000,0002001F,?), ref: 0040BCB6
                                            • RegCloseKey.ADVAPI32(0040B1F3), ref: 0040BCC5
                                            • RegOpenKeyExA.ADVAPI32(?,0040B1F3,00000000,00020019,?), ref: 0040BCED
                                            • RegCloseKey.ADVAPI32(0040B1F3), ref: 0040BCFC
                                            • lstrlenA.KERNEL32(0040B1F3), ref: 0040BDE8
                                            • RegCloseKey.ADVAPI32(0040B1F3), ref: 0040BE53
                                            • RegCloseKey.ADVAPI32(?), ref: 0040BEDE
                                            • RegDeleteKeyA.ADVAPI32(?,?), ref: 0040BF10
                                            • RegCloseKey.ADVAPI32(0040B1F3), ref: 0040BF2C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Close$lstrcmpi$Open$CharDeleteNextlstrlen$Value
                                            • String ID: Delete$ForceRemove$NoRemove$Val
                                            • API String ID: 1659507741-1781481701
                                            • Opcode ID: 92a2796b48521131461f17064b4f9f4a034914720e4aed22d38cfd25b6f5b05d
                                            • Instruction ID: 119ce3654f00841e9ef2059238c3960f7680cec1ad6fd5ab1cd9fda3aeeca96c
                                            • Opcode Fuzzy Hash: 92a2796b48521131461f17064b4f9f4a034914720e4aed22d38cfd25b6f5b05d
                                            • Instruction Fuzzy Hash: 90F17B71A043168BD7209F26D884B6BB7E8EF84704F04493EF945A72D1DB78DD448AEE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • BeginPaint.USER32(?,?), ref: 1000BB5B
                                            • GetClientRect.USER32(?,?), ref: 1000BB86
                                            • GetObjectA.GDI32(?,00000018,?), ref: 1000BBB1
                                            • CreateCompatibleDC.GDI32(?), ref: 1000BBD2
                                            • SelectObject.GDI32(00000000,?), ref: 1000BBE5
                                            • StretchBlt.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,00CC0020), ref: 1000BC29
                                            • GetObjectA.GDI32(?,00000018,?), ref: 1000BC54
                                            • SelectObject.GDI32(00000000,?), ref: 1000BC73
                                            • StretchBlt.GDI32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?,00CC0020), ref: 1000BCC2
                                            • GetObjectA.GDI32(?,00000018,?), ref: 1000BCED
                                            • SelectObject.GDI32(00000000,?), ref: 1000BD0C
                                            • StretchBlt.GDI32 ref: 1000BD59
                                            • _memset.LIBCMT ref: 1000BD76
                                            • GetWindowTextA.USER32(?,?,00000400), ref: 1000BD8F
                                            • _memset.LIBCMT ref: 1000BDA9
                                            • _strcpy_s.LIBCMT ref: 1000BDD0
                                              • Part of subcall function 1000B6B0: GetDeviceCaps.GDI32(00000000,0000005A), ref: 1000B702
                                              • Part of subcall function 1000B6B0: MulDiv.KERNEL32(00000000), ref: 1000B709
                                              • Part of subcall function 1000B6B0: DPtoLP.GDI32(00000000,00000001,00000001), ref: 1000B721
                                              • Part of subcall function 1000B6B0: DPtoLP.GDI32(00000000,?,00000001), ref: 1000B733
                                              • Part of subcall function 1000B6B0: ReleaseDC.USER32(00000000,00000000), ref: 1000B74E
                                              • Part of subcall function 1000B6B0: CreateFontIndirectA.GDI32(?), ref: 1000B759
                                            • SelectObject.GDI32(?,?), ref: 1000BE03
                                            • SetTextColor.GDI32(?,00FFFFFF), ref: 1000BE11
                                            • SetBkMode.GDI32(?,00000001), ref: 1000BE1E
                                            • DrawTextA.USER32(?,?,000000FF,?,00000025), ref: 1000BE3A
                                            • SelectObject.GDI32(?,00000000), ref: 1000BE46
                                            • DeleteObject.GDI32(?), ref: 1000BE4F
                                            • DeleteDC.GDI32(00000000), ref: 1000BE5A
                                            • EndPaint.USER32(?,?), ref: 1000BE6A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Similarity
                                            • API ID: Object$Select$StretchText$CreateDeletePaint_memset$BeginCapsClientColorCompatibleDeviceDrawFontIndirectModeRectReleaseWindow_strcpy_s
                                            • String ID: Arial$n
                                            • API String ID: 1921741625-879564702
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 10094AE0: VariantInit.OLEAUT32(?), ref: 10094BCC
                                              • Part of subcall function 10094AE0: VariantCopy.OLEAUT32(?,?), ref: 10094BDA
                                              • Part of subcall function 10094AE0: VariantClear.OLEAUT32(?), ref: 10094C14
                                            • _memset.LIBCMT ref: 1003B9D4
                                            • _memset.LIBCMT ref: 1003B9E8
                                            • _memset.LIBCMT ref: 1003B9FC
                                            • _memset.LIBCMT ref: 1003BA10
                                            • _memset.LIBCMT ref: 1003BA24
                                            • _memset.LIBCMT ref: 1003BA38
                                            • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 1003BA45
                                            • wsprintfA.USER32 ref: 1003BA70
                                            • wsprintfA.USER32 ref: 1003BA91
                                            • GetModuleFileNameA.KERNEL32(10000000,?,00000104), ref: 1003BAA7
                                            • lstrcpynA.KERNEL32(?,?,00000104), ref: 1003BABF
                                            • __itoa_s.LIBCMT ref: 1003BB0D
                                              • Part of subcall function 10096880: VariantInit.OLEAUT32(?), ref: 100968F6
                                              • Part of subcall function 10096880: VariantCopy.OLEAUT32(?,00000003), ref: 10096904
                                              • Part of subcall function 10096880: VariantClear.OLEAUT32(?), ref: 1009698E
                                              • Part of subcall function 10096880: VariantClear.OLEAUT32(00000003), ref: 10096B80
                                              • Part of subcall function 10095100: _com_util::ConvertStringToBSTR.COMSUPP ref: 100951CB
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000008), ref: 10095201
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000000), ref: 10095312
                                              • Part of subcall function 10095100: VariantInit.OLEAUT32(?), ref: 10095271
                                              • Part of subcall function 10095100: VariantCopy.OLEAUT32(?,00000000), ref: 1009527F
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(?), ref: 100952D4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Similarity
                                            • API ID: Variant$Clear_memset$CopyInit$wsprintf$ConvertFileLocalModuleNameStringTime__itoa_s_com_util::lstrcpyn
                                            • String ID: %.2d:%.2d:%.2d$%d%.2d%.2d$date$path$scan$time$vclnr$vclnr_log$version
                                            • API String ID: 1350293373-184518127
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 1008FE13
                                            • LoadLibraryA.KERNEL32(Kernel32.dll,-00000001), ref: 1008FE3C
                                            • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 1008FE51
                                            • GetProcAddress.KERNEL32(00000000,Process32First), ref: 1008FE5F
                                            • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 1008FE6D
                                            • GetProcAddress.KERNEL32(00000000,Module32First), ref: 1008FE7B
                                            • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 1008FE89
                                            • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 1008FE97
                                            • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 1008FEA5
                                            • LoadLibraryA.KERNEL32(Advapi32.dll,-00000001), ref: 1008FEB5
                                            • GetCurrentProcess.KERNEL32(00000028,00000000), ref: 1008FEC7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Similarity
                                            • API ID: AddressProc$LibraryLoad$CountCurrentProcessTick
                                            • String ID: Advapi32.dll$CreateToolhelp32Snapshot$Kernel32.dll$Module32First$Module32Next$Process32First$Process32Next$Thread32First$Thread32Next
                                            • API String ID: 2964836496-542782556
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileAttributesA.KERNEL32 ref: 10039472
                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 10039482
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1003949B
                                            • GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 100394B1
                                            • lstrlenA.KERNEL32(?,?,?), ref: 100394C2
                                            • VirtualAlloc.KERNEL32(00000000,00000005,00001000,00000004,?,?), ref: 100394D6
                                            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?), ref: 100394FD
                                            • CloseHandle.KERNEL32(00000000,?,?), ref: 1003950C
                                            • StrStrIA.SHLWAPI(00000000,?,?,?), ref: 10039518
                                            • StrChrA.SHLWAPI(00000000,00000A0D,?,?), ref: 10039530
                                            • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,?,?), ref: 1003955A
                                            • lstrlenA.KERNEL32(-00000002,?,?), ref: 1003956E
                                            • VirtualAlloc.KERNEL32(00000000,-00000001,00001000,00000004,?,?), ref: 10039583
                                            • VirtualFree.KERNEL32(00000000,-00000001,00004000,00000000,00000005,00000000,00000000,00000005,100D62E8,00000000,00000005,?,?,?), ref: 100395C9
                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,?,?), ref: 100395D7
                                            • WriteFile.KERNEL32(?,00000000,00000000,?,?), ref: 100395E4
                                            • CloseHandle.KERNEL32(?,?,?), ref: 100395F7
                                            • VirtualFree.KERNEL32(00000000,00000005,00004000,?,?), ref: 10039608
                                            • SetFileAttributesA.KERNEL32(?,?), ref: 10039616
                                            • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,?,?), ref: 10039628
                                            • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00000005,?,?,?), ref: 10039650
                                            • WriteFile.KERNEL32(00000000,00000000,00000000,?,?), ref: 10039659
                                            • CloseHandle.KERNEL32(00000000,?,?), ref: 1003966C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Similarity
                                            • API ID: File$Virtuallstrlen$AttributesCloseCreateHandle$AllocFreeWrite$ReadSize
                                            • String ID:
                                            • API String ID: 4138779055-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetWindowsDirectoryA.KERNEL32 ref: 10043768
                                            • PathAddBackslashA.SHLWAPI(?), ref: 10043773
                                            • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000,?,00000104,00000104,7FFFFFFF), ref: 100437D5
                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 100437F1
                                            • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 1004380B
                                            • lstrcmpiA.KERNEL32(NUL,?), ref: 1004381B
                                            • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 10043833
                                            • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000001,00000080,00000000), ref: 1004384A
                                            • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 10043861
                                            • CloseHandle.KERNEL32(00000000), ref: 10043864
                                            • CloseHandle.KERNEL32(00000000), ref: 1004387F
                                            • lstrlenA.KERNEL32(?,?,00000000,00000104,?,?,?,00000000), ref: 100438D5
                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 100438E5
                                            • CloseHandle.KERNEL32(00000000), ref: 100438F8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Similarity
                                            • API ID: FilePath$CloseHandleNameShort$Create$BackslashDirectoryPointerWindowsWritelstrcmpilstrlen
                                            • String ID: %s=%s$NUL$WinInit.ini
                                            • API String ID: 2009088085-4082237098
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _strcpy_s.LIBCMT ref: 00413693
                                            • __invoke_watson.LIBCMT ref: 004136A4
                                            • GetModuleFileNameA.KERNEL32(00000000,00427701,00000104,00000000,00000000,00000000,00413CE9,00000001,00000214), ref: 004136C0
                                            • _strcpy_s.LIBCMT ref: 004136D5
                                            • __invoke_watson.LIBCMT ref: 004136E8
                                            • __invoke_watson.LIBCMT ref: 0041372B
                                            • _strcat_s.LIBCMT ref: 0041373E
                                            • __invoke_watson.LIBCMT ref: 0041374F
                                            • _strcat_s.LIBCMT ref: 00413760
                                            • __invoke_watson.LIBCMT ref: 00413771
                                            • GetStdHandle.KERNEL32(000000F4,00000000,00000000,00000000,76ED5E70,00000003,004137F3,000000FC,0040FBA7,00000001,00000000,00000000,?,00414001,00000000,00000001), ref: 00413790
                                            • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00414001,00000000,00000001,00000000,004129A0,00000018,00422928,0000000C,00412A2F,00000000), ref: 004137BB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: __invoke_watson$File_strcat_s_strcpy_s$HandleModuleNameWrite
                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $vB
                                            • API String ID: 1189052327-3432895298
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • EnterCriticalSection.KERNEL32(004271CC,?,?,?,00000000), ref: 00403072
                                            • RegisterWindowMessageA.USER32(WM_ATLGETHOST,?,00000000), ref: 00403083
                                            • RegisterWindowMessageA.USER32(WM_ATLGETCONTROL,?,00000000), ref: 0040308F
                                            • GetClassInfoExA.USER32(00400000,AtlAxWin80,?), ref: 004030B0
                                            • LoadCursorA.USER32 ref: 004030EC
                                            • RegisterClassExA.USER32 ref: 00403113
                                            • _memset.LIBCMT ref: 0040313E
                                            • GetClassInfoExA.USER32(00400000,AtlAxWinLic80,?), ref: 0040315A
                                            • LoadCursorA.USER32 ref: 0040319A
                                            • RegisterClassExA.USER32 ref: 004031C1
                                            • LeaveCriticalSection.KERNEL32(004271CC,?,?,00000000), ref: 004031EF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ClassRegister$CriticalCursorInfoLoadMessageSectionWindow$EnterLeave_memset
                                            • String ID: AtlAxWin80$AtlAxWinLic80$WM_ATLGETCONTROL$WM_ATLGETHOST$qB$qB
                                            • API String ID: 297118034-4094181980
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00410554), ref: 00413E76
                                            • __mtterm.LIBCMT ref: 00413E82
                                              • Part of subcall function 00413BC4: TlsFree.KERNEL32(00000014,00413FEF), ref: 00413BEF
                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00413E98
                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00413EA5
                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00413EB2
                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00413EBF
                                            • TlsAlloc.KERNEL32 ref: 00413F0F
                                            • TlsSetValue.KERNEL32(00000000), ref: 00413F2A
                                            • __init_pointers.LIBCMT ref: 00413F34
                                            • __calloc_crt.LIBCMT ref: 00413FA9
                                            • GetCurrentThreadId.KERNEL32 ref: 00413FD9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: AddressProc$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                            • API String ID: 630932248-3819984048
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,100A666A,?,?,00000001,?,?,100A67DA,00000001,?,?,100ECFA8,0000000C,100A6894,?), ref: 100A9CA6
                                            • __mtterm.LIBCMT ref: 100A9CB2
                                              • Part of subcall function 100A997F: TlsFree.KERNEL32(00000013,100A6706,?,?,00000001,?,?,100A67DA,00000001,?,?,100ECFA8,0000000C,100A6894,?), ref: 100A99AA
                                              • Part of subcall function 100A997F: DeleteCriticalSection.KERNEL32(00000000,00000000,?,00000001,100A6706,?,?,00000001,?,?,100A67DA,00000001,?,?,100ECFA8,0000000C), ref: 100ABE9F
                                              • Part of subcall function 100A997F: DeleteCriticalSection.KERNEL32(00000013,?,00000001,100A6706,?,?,00000001,?,?,100A67DA,00000001,?,?,100ECFA8,0000000C,100A6894), ref: 100ABEC9
                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 100A9CC8
                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 100A9CD5
                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 100A9CE2
                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 100A9CEF
                                            • TlsAlloc.KERNEL32(?,?,00000001,?,?,100A67DA,00000001,?,?,100ECFA8,0000000C,100A6894,?), ref: 100A9D3F
                                            • TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,100A67DA,00000001,?,?,100ECFA8,0000000C,100A6894,?), ref: 100A9D5A
                                            • __init_pointers.LIBCMT ref: 100A9D64
                                            • __calloc_crt.LIBCMT ref: 100A9DD9
                                            • GetCurrentThreadId.KERNEL32 ref: 100A9E09
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                            • API String ID: 2125014093-3819984048
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetWindowLongA.USER32(?,000000EC), ref: 0040372C
                                            • GetWindowLongA.USER32(?,000000EC), ref: 0040373F
                                            • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0040374A
                                            • GetWindowLongA.USER32(?,000000EB), ref: 0040375B
                                            • OleUninitialize.OLE32 ref: 0040376D
                                            • OleInitialize.OLE32(00000000), ref: 0040377B
                                            • GetWindowTextLengthA.USER32(?), ref: 00403785
                                            • GetWindowTextA.USER32(?,00000000,-00000001), ref: 004037D9
                                            • SetWindowTextA.USER32(?,0042004C), ref: 004037E5
                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 0040380E
                                            • GlobalLock.KERNEL32(00000000), ref: 0040381B
                                            • GlobalUnlock.KERNEL32(00000000), ref: 00403837
                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00403844
                                            • SysFreeString.OLEAUT32(?), ref: 0040386A
                                            • DefWindowProcA.USER32(?,?,?,?,?,00000002,00000000), ref: 004039CB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Window$GlobalLong$Text$AllocCreateFreeInitializeLengthLockProcStreamStringUninitializeUnlock
                                            • String ID:
                                            • API String ID: 2199760997-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • BeginPaint.USER32(?,?,?,?,?), ref: 004046D4
                                            • GetClientRect.USER32(?,?), ref: 004046ED
                                            • CreateSolidBrush.GDI32(?), ref: 004046FA
                                            • FillRect.USER32(00000000,?,00000000), ref: 0040470D
                                            • DeleteObject.GDI32(00000000), ref: 00404714
                                            • EndPaint.USER32(?,?,?,?,?), ref: 00404723
                                            • BeginPaint.USER32(?,00000008), ref: 00404758
                                            • GetClientRect.USER32(?,?), ref: 00404771
                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0040478A
                                            • CreateCompatibleDC.GDI32(00000000), ref: 0040479F
                                            • SelectObject.GDI32(00000000,00000000), ref: 004047B1
                                            • CreateSolidBrush.GDI32(?), ref: 004047C6
                                            • FillRect.USER32(00000000,?,00000000), ref: 004047D9
                                            • DeleteObject.GDI32(00000000), ref: 004047E0
                                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00404821
                                            • SelectObject.GDI32(00000000,?), ref: 0040482D
                                            • DeleteDC.GDI32(00000000), ref: 00404838
                                            • DeleteObject.GDI32(00000000), ref: 0040483F
                                            • EndPaint.USER32(?,00000008), ref: 0040484E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Object$CreateDeletePaintRect$BeginBrushClientCompatibleFillSelectSolid$Bitmap
                                            • String ID:
                                            • API String ID: 671382356-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindResourceA.KERNEL32(00400000,?,000000F0), ref: 00401B78
                                            • LoadResource.KERNEL32(00400000,00000000), ref: 00401B90
                                            • LockResource.KERNEL32(00000000), ref: 00401B9B
                                              • Part of subcall function 00402E80: GetLastError.KERNEL32(00401ED8), ref: 00402E80
                                            • FindResourceA.KERNEL32(00400000,?,00000005), ref: 00401BAF
                                            • LoadResource.KERNEL32(00400000,00000000), ref: 00401BC0
                                            • LockResource.KERNEL32(00000000), ref: 00401BCF
                                            • GetWindow.USER32(?,00000005), ref: 00401C16
                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00401C83
                                            • GlobalLock.KERNEL32(00000000), ref: 00401C94
                                            • _memcpy_s.LIBCMT ref: 00401CA2
                                            • GlobalUnlock.KERNEL32(00000000), ref: 00401CB1
                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00401CBF
                                            • MapDialogRect.USER32(?,?), ref: 00401D71
                                            • SetWindowContextHelpId.USER32(?,?), ref: 00401DD0
                                            • SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000013,?,?,?,?,?,00000000,00000000), ref: 00401E15
                                            • SysFreeString.OLEAUT32(?), ref: 00401E33
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Resource$Global$LockWindow$FindLoad$AllocContextCreateDialogErrorFreeHelpLastRectStreamStringUnlock_memcpy_s
                                            • String ID:
                                            • API String ID: 1546720860-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • StringFromIID.OLE32 ref: 100391C0
                                            • CoGetMalloc.OLE32(00000001,00000001), ref: 100391E8
                                            • GetModuleFileNameA.KERNEL32(10000000,?,00000104), ref: 10039222
                                            • RegCreateKeyExA.ADVAPI32(80000000,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 100392B0
                                            • _memset.LIBCMT ref: 100392D3
                                            • lstrlenA.KERNEL32(?), ref: 100392FF
                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,-00000001), ref: 1003931E
                                              • Part of subcall function 10038E80: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,10038F1D,?,?,?,?,?,00000000,00000103), ref: 10038E90
                                              • Part of subcall function 10038E80: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,00000103), ref: 10038E97
                                            Strings
                                            • CLSID\%s\InprocServer32, xrefs: 1003922D
                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 10039401
                                            • *vclnr.dll, xrefs: 1003936A
                                            • vclnr_setup_update.exe, xrefs: 100393C7
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: lstrlen$ByteCharCreateFileFromMallocModuleMultiNameStringValueWide_memset
                                            • String ID: *vclnr.dll$CLSID\%s\InprocServer32$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$vclnr_setup_update.exe
                                            • API String ID: 3169227120-1155500738
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetWindowLongA.USER32(?,000000EC), ref: 0040327C
                                            • GetWindowLongA.USER32(?,000000EC), ref: 0040328F
                                            • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0040329A
                                            • GetWindowLongA.USER32(?,000000EB), ref: 004032AB
                                            • OleUninitialize.OLE32 ref: 004032BD
                                            • OleInitialize.OLE32(00000000), ref: 004032CB
                                            • GetWindowTextLengthA.USER32(?), ref: 004032D5
                                            • GetWindowTextA.USER32(?,00000000,-00000001), ref: 0040332C
                                            • SetWindowTextA.USER32(?,0042004C), ref: 00403338
                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00403361
                                            • GlobalLock.KERNEL32(00000000), ref: 0040336E
                                            • GlobalUnlock.KERNEL32(00000000), ref: 0040338A
                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00403397
                                            • lstrlenA.KERNEL32(00000000), ref: 004033B3
                                            • DefWindowProcA.USER32(?,?,?,?,?,00000002,00000000), ref: 004034D6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Window$GlobalLong$Text$AllocCreateInitializeLengthLockProcStreamUninitializeUnlocklstrlen
                                            • String ID:
                                            • API String ID: 2367841626-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1002163A
                                            • StrRChrIA.SHLWAPI(?,00000000,0000005C), ref: 1002164C
                                            • StrRChrIA.SHLWAPI(?,00000000,0000005C,?), ref: 100216A0
                                            • _memset.LIBCMT ref: 1002173B
                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?,?,00000104,7FFFFFFF,?,00000000,0000005C), ref: 10021799
                                            • _memset.LIBCMT ref: 100217C1
                                            • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000104), ref: 100217DD
                                            • _memset.LIBCMT ref: 10021816
                                            • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000104,?,00000000), ref: 10021835
                                            • _memset.LIBCMT ref: 10021851
                                              • Part of subcall function 10091090: LoadLibraryA.KERNEL32(shlwapi.dll), ref: 100910E9
                                              • Part of subcall function 10091090: GetProcAddress.KERNEL32(00000000,PathMatchSpecExA), ref: 100910FD
                                            • SHDeleteKeyA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000104), ref: 100218A6
                                              • Part of subcall function 10071F90: _memset.LIBCMT ref: 10071F9E
                                              • Part of subcall function 10071F90: lstrcpynA.KERNEL32(?,HKLM,?), ref: 10071FB8
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100722D1
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100722EB
                                              • Part of subcall function 100722A0: lstrlenA.KERNEL32(?,?,00000FFA,7FFFFFFF,?,?,?,?,?,?,00000000), ref: 10072345
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100723DC
                                            • RegCloseKey.ADVAPI32(?,?,00000000,0000005C), ref: 100219C5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$AddressCloseDeleteEnumInfoLibraryLoadOpenProcQuerylstrcpynlstrlen
                                            • String ID: deleted regkey <%s\%s>$%s\%s
                                            • API String ID: 1212631083-3434458360
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _fprintf$_fputs$_fopen_s_ftell
                                            • String ID: %lu$%lu$%s$Total$# Start Time$%04hu-%02hu-%02hu %02hu:%02hu:%02hu.%03hu
                                            • API String ID: 3879937992-2312185180
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetStockObject.GDI32(00000011), ref: 0040824D
                                            • GetStockObject.GDI32(0000000D), ref: 00408255
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ObjectStock
                                            • String ID:
                                            • API String ID: 3428563643-3916222277
                                            • Opcode ID: f2844432be7a03a17221cb325490f6b95feffb95391b88cd52dc752945319c5b
                                            • Instruction ID: 5d191337052de26555fc1d54a34f780b6a46d052587aa1bfe793aaf5a7ad2c42
                                            • Opcode Fuzzy Hash: f2844432be7a03a17221cb325490f6b95feffb95391b88cd52dc752945319c5b
                                            • Instruction Fuzzy Hash: 15518975E002189BDB10DFA5DD45B9EBBB8AF48700F14402EE845FB391EB789D028B99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 10075CD3
                                            • WSAStartup.WS2_32(00000002,?), ref: 10075D0F
                                            • CoTaskMemAlloc.OLE32(00000000), ref: 10075D52
                                            • _memset.LIBCMT ref: 10075DAC
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0000004C,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,00000000), ref: 10075DCC
                                            • _memset.LIBCMT ref: 10075DDD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$AllocByteCharMultiStartupTaskWide
                                            • String ID: G'
                                            • API String ID: 2057449638-1542159958
                                            • Opcode ID: 3d5e0a0d9f57275220a164d9011368e24234baabae878eb09f7ff0dc1a80833c
                                            • Instruction ID: 6d981d338ddc45b28a9e98418bb8205d89c724ab5c56a93a065584a1b4c376eb
                                            • Opcode Fuzzy Hash: 3d5e0a0d9f57275220a164d9011368e24234baabae878eb09f7ff0dc1a80833c
                                            • Instruction Fuzzy Hash: 5351A371504351AFD220DF64CC85FDBB7E8EF88714F018A1DF69956180DBB4B548CBA6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 100062C9
                                            • _memset.LIBCMT ref: 100062E2
                                            • GetVersionExA.KERNEL32 ref: 100062F7
                                            • _memset.LIBCMT ref: 10006311
                                            • lstrcpynA.KERNEL32(?,?,00000208,?,?,?,?,?,00000000,00000040), ref: 10006327
                                            • PathFileExistsA.SHLWAPI(?,?,00000208,?,?,?,?,?,00000000,00000040), ref: 10006335
                                            • PathQuoteSpacesA.SHLWAPI(?,?,00000208,?,?,?,?,?,00000000,00000040), ref: 10006348
                                            • lstrlenA.KERNEL32(?,?,00000208,?,?,?,?,?,00000000,00000040), ref: 10006357
                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 10006438
                                            • CloseHandle.KERNEL32(?), ref: 1000644D
                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 10006460
                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 10006470
                                            • CloseHandle.KERNEL32(?), ref: 1000647F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$CloseHandlePathProcess$CodeCreateExistsExitFileObjectQuoteSingleSpacesVersionWaitlstrcpynlstrlen
                                            • String ID: D
                                            • API String ID: 3486870782-2746444292
                                            • Opcode ID: d94ebe8b3e9cd17fb51802af97e6d13041a624845e1db2cffd99b26cf20427fc
                                            • Instruction ID: 44de9cc41fb0c3894453c1a6889a5d80a05a5437a5ba75e892f24741c3d7bf44
                                            • Opcode Fuzzy Hash: d94ebe8b3e9cd17fb51802af97e6d13041a624845e1db2cffd99b26cf20427fc
                                            • Instruction Fuzzy Hash: 3A51B375108301ABE360CF64CC85FEBB7E9EB88744F114A2CFA98861C5EB74E544CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PathFileExistsA.SHLWAPI(?,00000000,?,?), ref: 100399F8
                                            • GetFileAttributesA.KERNEL32(?,?,?), ref: 10039A07
                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?), ref: 10039A17
                                            • _memset.LIBCMT ref: 10039A28
                                            • GetVersionExA.KERNEL32 ref: 10039A3D
                                            • WritePrivateProfileSectionA.KERNEL32(?,100D564E,?), ref: 10039A51
                                            • _memset.LIBCMT ref: 10039A74
                                              • Part of subcall function 10039870: GetFileAttributesA.KERNEL32(?,?,?,?,10039AA3,?,?,00000000), ref: 10039897
                                              • Part of subcall function 10039870: SetFileAttributesA.KERNEL32(?,00000080), ref: 100398A7
                                              • Part of subcall function 10039870: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100398BE
                                              • Part of subcall function 10039870: GetFileSize.KERNEL32(00000000,00000000,00000000), ref: 100398D2
                                              • Part of subcall function 10039870: GetProcessHeap.KERNEL32(00000008,-00000001), ref: 100398E0
                                              • Part of subcall function 10039870: HeapAlloc.KERNEL32(00000000), ref: 100398E7
                                              • Part of subcall function 10039870: ReadFile.KERNEL32(00000000,00000000,-00000001,?,00000000), ref: 1003990A
                                              • Part of subcall function 10039870: CloseHandle.KERNEL32(00000000), ref: 1003991F
                                              • Part of subcall function 10039870: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000005,00000080,00000000,00000000,-00000001), ref: 10039969
                                              • Part of subcall function 10039870: lstrlenA.KERNEL32(00000000,?,00000000), ref: 1003997E
                                              • Part of subcall function 10039870: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 10039987
                                              • Part of subcall function 10039870: CloseHandle.KERNEL32(00000000), ref: 1003999A
                                            • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?), ref: 10039ACB
                                            • lstrlenA.KERNEL32(00000000,00000094,00000000), ref: 10039AE3
                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 10039AEC
                                            • CloseHandle.KERNEL32(00000000), ref: 10039AFC
                                            • LocalFree.KERNEL32(00000000), ref: 10039B03
                                            • SetFileAttributesA.KERNEL32(?,?,?,?), ref: 10039B10
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Attributes$CloseCreateHandleWrite$Heap_memsetlstrlen$AllocExistsFreeLocalPathPrivateProcessProfileReadSectionSizeVersion
                                            • String ID: [%s]
                                            • API String ID: 26153863-2520767521
                                            • Opcode ID: 3283e300d8cc970a33b4c1ee85632d837e63c0415ef9f7e097d6bba41ef5fbc4
                                            • Instruction ID: ef36fd5bd536aad435abf7149099daa85bd976aa58af0c36df2c3edfaf9cd0a3
                                            • Opcode Fuzzy Hash: 3283e300d8cc970a33b4c1ee85632d837e63c0415ef9f7e097d6bba41ef5fbc4
                                            • Instruction Fuzzy Hash: 1131A375204310AFE221DBA49CC9FEBB7ECEF9A741F014418FA8596141EB749845C7B2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 10039026
                                            • _memset.LIBCMT ref: 10039037
                                            • GetModuleFileNameA.KERNEL32(10000000,?,00000104,?,?,?,?,?,-00000001), ref: 1003904D
                                            • PathRemoveFileSpecA.SHLWAPI(00000104,?,00000104,7FFFFFFF,?,?,?,?,?,-00000001), ref: 1003908E
                                            • PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,-00000001), ref: 10039099
                                            • GetShortPathNameA.KERNEL32(00000104,00000104,00000104), ref: 100390F1
                                            • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 10039103
                                            • _memset.LIBCMT ref: 10039114
                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 10039148
                                            • SHSetValueA.SHLWAPI(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eac_vclnr,UninstallString,00000001,?,00000000), ref: 10039168
                                            Strings
                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eac_vclnr, xrefs: 1003915E
                                            • UninstallString, xrefs: 10039159
                                            • regsvr32.exe, xrefs: 100390C5
                                            • %s /u /s %s, xrefs: 10039126
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Path$Name_memset$FileShort$BackslashModuleRemoveSpecValuelstrlen
                                            • String ID: %s /u /s %s$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eac_vclnr$UninstallString$regsvr32.exe
                                            • API String ID: 1497175255-4062946477
                                            • Opcode ID: 196d5c4d00529ab518fd3115d82a3d6cb6f9b173a5ca24aceb815fbd3e090068
                                            • Instruction ID: d5b754aeac2b0cb7051d160b1aa1bb3a2741b7ffd4226f4f18486a12a29a47c6
                                            • Opcode Fuzzy Hash: 196d5c4d00529ab518fd3115d82a3d6cb6f9b173a5ca24aceb815fbd3e090068
                                            • Instruction Fuzzy Hash: 7A319CB5144304BBE324DB94CC86FEB77A8EB98710F404E1DB7A8960D1DBB4E584C7A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RedrawWindow.USER32(?,00000000,00000000,00000507), ref: 004059AC
                                            • IsWindow.USER32(?), ref: 004059BB
                                            • GetSysColor.USER32(00000005), ref: 00405A0D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Window$ColorRedraw
                                            • String ID:
                                            • API String ID: 826266318-0
                                            • Opcode ID: 49bf297b6ff59cee661e77ef939ba2f80f445625039fcad63b5154866cb679b6
                                            • Instruction ID: 8dc624af1383980b7f404b0027f55d943035e464cd881dbdce2073e6591f93d6
                                            • Opcode Fuzzy Hash: 49bf297b6ff59cee661e77ef939ba2f80f445625039fcad63b5154866cb679b6
                                            • Instruction Fuzzy Hash: 22C18B746047029BE710DF59C884B6BB7E9EF88714F14852AF944AB390CB38EC45CFA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Name::operator+$operator+$Decorator::getNameName::Name::operator+=$DataDimensionName::operator=PrimaryType
                                            • String ID:
                                            • API String ID: 3177127644-0
                                            • Opcode ID: 0cfea88d4ce1d86b5fb9166d724616df5f6f076e49aa21d0748acdfb501a15a5
                                            • Instruction ID: 090b5ccc546c032942955f52797e4f56fe8b7e81027568b312b4d82d0d720580
                                            • Opcode Fuzzy Hash: 0cfea88d4ce1d86b5fb9166d724616df5f6f076e49aa21d0748acdfb501a15a5
                                            • Instruction Fuzzy Hash: 35415F7E90060DABDB25D6A4CC46EEF77ACEF44651F00412AF611B71C2EFB4EA458B60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000000), ref: 100396BC
                                            • GetFileSize.KERNEL32(00000000,00000000,?), ref: 100396D0
                                            • CoTaskMemAlloc.OLE32(-0000000A), ref: 100396DC
                                            • _memset.LIBCMT ref: 100396F0
                                            • ReadFile.KERNEL32 ref: 1003970A
                                            • _memset.LIBCMT ref: 10039725
                                            • StrStrIA.SHLWAPI(00000000,?,?,?,00000000,00000000,-0000000A,?,00000000), ref: 10039748
                                            • StrStrIA.SHLWAPI(00000000,[,?,?,00000000,00000000,-0000000A,?,00000000), ref: 1003975A
                                            • StrDupA.SHLWAPI(00000000,?,?,00000000,00000000,-0000000A,?,00000000), ref: 10039771
                                            • CoTaskMemFree.OLE32(00000000), ref: 1003977C
                                            • CloseHandle.KERNEL32(00000000), ref: 10039783
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Task_memset$AllocCloseCreateFreeHandleReadSize
                                            • String ID: [$[%s]
                                            • API String ID: 3804851700-991817682
                                            • Opcode ID: 6500c5ed171762f54a175b3ef2c517ab0b570a48e1ee01035dff37e9b21c1711
                                            • Instruction ID: ed4651bd41fe694c89c1b66b05deb9bcd5e6033f1b4732445080fbc5ce63d2ac
                                            • Opcode Fuzzy Hash: 6500c5ed171762f54a175b3ef2c517ab0b570a48e1ee01035dff37e9b21c1711
                                            • Instruction Fuzzy Hash: BE31E371504320ABE321DFA48C89FEB7BECEF89751F010518FE4996181DB749584C7B6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileAttributesA.KERNEL32(?,?,?,?,10039AA3,?,?,00000000), ref: 10039897
                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 100398A7
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100398BE
                                            • GetFileSize.KERNEL32(00000000,00000000,00000000), ref: 100398D2
                                            • GetProcessHeap.KERNEL32(00000008,-00000001), ref: 100398E0
                                            • HeapAlloc.KERNEL32(00000000), ref: 100398E7
                                            • ReadFile.KERNEL32(00000000,00000000,-00000001,?,00000000), ref: 1003990A
                                            • CloseHandle.KERNEL32(00000000), ref: 1003991F
                                            • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000005,00000080,00000000,00000000,-00000001), ref: 10039969
                                            • lstrlenA.KERNEL32(00000000,?,00000000), ref: 1003997E
                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 10039987
                                            • CloseHandle.KERNEL32(00000000), ref: 1003999A
                                              • Part of subcall function 100397B0: StrStrIA.SHLWAPI(?,?,-00000001,74DF2EE0,00000000,1003994C,00000000,-00000001), ref: 100397CB
                                              • Part of subcall function 100397B0: lstrlenA.KERNEL32(?,?), ref: 100397E3
                                              • Part of subcall function 100397B0: lstrlenA.KERNEL32(00000000), ref: 100397E8
                                              • Part of subcall function 100397B0: lstrlenA.KERNEL32(-00000001), ref: 100397F7
                                              • Part of subcall function 100397B0: StrChrA.SHLWAPI(00000000,0000000D), ref: 10039819
                                              • Part of subcall function 100397B0: StrChrA.SHLWAPI(00000000,0000000A), ref: 10039823
                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 1003999F
                                            • HeapFree.KERNEL32(00000000), ref: 100399A6
                                            • SetFileAttributesA.KERNEL32(?,?), ref: 100399BB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Heaplstrlen$Attributes$CloseCreateHandleProcess$AllocFreeReadSizeWrite
                                            • String ID:
                                            • API String ID: 1288955785-0
                                            • Opcode ID: 858c66ce95ccb07685566190817d205be08b4bee403677d4fabc1ba88a94793a
                                            • Instruction ID: aee911ed7aa2e78d750eb36cc485bcd6e08ca867b08bdd4e7ab881d046224680
                                            • Opcode Fuzzy Hash: 858c66ce95ccb07685566190817d205be08b4bee403677d4fabc1ba88a94793a
                                            • Instruction Fuzzy Hash: 7C319331204320AFE251DB658C89F9F7BECEF45792F02051DFE89AA190DB749885CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1001BFB0
                                            • __itoa_s.LIBCMT ref: 1001BFC2
                                              • Part of subcall function 10095100: _com_util::ConvertStringToBSTR.COMSUPP ref: 100951CB
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000008), ref: 10095201
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ClearConvertStringVariant__itoa_s_com_util::_memset
                                            • String ID: file <%s>$ new <%s>$ rmv <%s>$CCLF$CCLF%d: SUCCESS--$CCLF%d: end------$added$item$path$removed
                                            • API String ID: 1548807189-3111248139
                                            • Opcode ID: d3092d33339b19a7f666501c8f77e765bb37534a5e022dafb6f071c43c045824
                                            • Instruction ID: 33036f0b87e63fa30d689d91165c1a5c299477e6dbabd7cb3ab63ff89dbab49d
                                            • Opcode Fuzzy Hash: d3092d33339b19a7f666501c8f77e765bb37534a5e022dafb6f071c43c045824
                                            • Instruction Fuzzy Hash: 5771CD75600749DBDB20CF68DC81FDE73E9EB88740F414429FA548B282DB75E981CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,004276E8,00413789,004276E8,Microsoft Visual C++ Runtime Library,00012010), ref: 00418C43
                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00418C5F
                                              • Part of subcall function 00413AA4: TlsGetValue.KERNEL32(00000000,00413B19,00000000,00418C24,00000000,00000000,00000314,?,?,?,004276E8,00413789,004276E8,Microsoft Visual C++ Runtime Library,00012010), ref: 00413AB1
                                              • Part of subcall function 00413AA4: TlsGetValue.KERNEL32(00000006,?,?,?,004276E8,00413789,004276E8,Microsoft Visual C++ Runtime Library,00012010), ref: 00413AC8
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00418C7C
                                              • Part of subcall function 00413AA4: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,004276E8,00413789,004276E8,Microsoft Visual C++ Runtime Library,00012010), ref: 00413ADD
                                              • Part of subcall function 00413AA4: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00413AF8
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00418C91
                                            • __invoke_watson.LIBCMT ref: 00418CB2
                                              • Part of subcall function 00410FAD: _memset.LIBCMT ref: 00411039
                                              • Part of subcall function 00410FAD: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 00411057
                                              • Part of subcall function 00410FAD: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 00411061
                                              • Part of subcall function 00410FAD: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0041106B
                                              • Part of subcall function 00410FAD: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 00411086
                                              • Part of subcall function 00410FAD: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 0041108D
                                              • Part of subcall function 00413B1B: TlsGetValue.KERNEL32(00000000,00413BB0), ref: 00413B28
                                              • Part of subcall function 00413B1B: TlsGetValue.KERNEL32(00000006), ref: 00413B3F
                                              • Part of subcall function 00413B1B: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 00413B54
                                              • Part of subcall function 00413B1B: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00413B6F
                                            • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00418CC6
                                            • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00418CDE
                                            • __invoke_watson.LIBCMT ref: 00418D51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
                                            • String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                            • API String ID: 2940365033-1046234306
                                            • Opcode ID: abb0f84ac8e0d27499fb927e326e8bf4ddfbfb0236b574047551030c2f78b412
                                            • Instruction ID: c9648ecf0ab4661f21f43c4e70d1a04c01799ee6d4afc6b0f2276fd3a1ca11ee
                                            • Opcode Fuzzy Hash: abb0f84ac8e0d27499fb927e326e8bf4ddfbfb0236b574047551030c2f78b412
                                            • Instruction Fuzzy Hash: E3418375A05305AECF20AFA5EC859DF7FB9AF54319B24042FE404D2291DF3C99C18A6D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 100720DB
                                            • GetModuleFileNameA.KERNEL32(?,?,00000104,00000000,00000000,75BF8400), ref: 100720EE
                                            • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 10072101
                                            • GetFileVersionInfoSizeA.VERSION(?,00000000,00000000,00000000,75BF8400), ref: 10072119
                                            • CoTaskMemAlloc.OLE32(00000000,?,?,00000000,00000000,00000000,75BF8400), ref: 1007212D
                                            • GetFileVersionInfoA.VERSION(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,75BF8400), ref: 10072150
                                            • VerQueryValueA.VERSION(00000000,100D5038,00000000,00000000,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,75BF8400), ref: 10072169
                                            • CoTaskMemAlloc.OLE32(?,00000000,100D5038,00000000,00000000,?,00000000,00000000,00000000), ref: 1007218B
                                            • lstrcpynA.KERNEL32(?,00000000,?), ref: 100721C1
                                            • CoTaskMemFree.OLE32(00000000), ref: 100721C8
                                            • CoTaskMemFree.OLE32(00000000,00000000,100D5038,00000000,00000000,?,00000000,00000000,00000000), ref: 100721EF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Task$File$AllocFreeInfoNameVersion$ModulePathQueryShortSizeValue_memsetlstrcpyn
                                            • String ID: %d.%d.%d.%d
                                            • API String ID: 129075626-3491811756
                                            • Opcode ID: de93a1985a28e6c183a4287423fc74a488349eb71800b9de8ae86cf4a6e10310
                                            • Instruction ID: 5edd3955fe004f16c93c49a2258b3c496ad4fe606b365e536f5a44d11dde38a9
                                            • Opcode Fuzzy Hash: de93a1985a28e6c183a4287423fc74a488349eb71800b9de8ae86cf4a6e10310
                                            • Instruction Fuzzy Hash: 18417BB5504311AFD310DF59CC84EABB7E8FB98350F41892DFA8993241E734A944CBA6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • MoveFileExA.KERNEL32(?,-00000002,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 10041FFD
                                              • Part of subcall function 100419C0: GetLastError.KERNEL32(9E6FDE2E,?,?,?,?,?,?,?,00000000,0000013C), ref: 100419E6
                                            • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 1004201B
                                            • GetWindowsDirectoryA.KERNEL32(?,00000104,74DF3520,?,00000000), ref: 1004202E
                                            • PathAddBackslashA.SHLWAPI(?), ref: 10042039
                                            • PathFileExistsA.SHLWAPI(?,?,00000104,?,7FFFFFFF), ref: 10042083
                                            • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000001,00000080,00000000,?,00000104,7FFFFFFF), ref: 100420E2
                                            • lstrlenA.KERNEL32(?,?,00000000), ref: 10042102
                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 10042112
                                            • CloseHandle.KERNEL32(00000000), ref: 10042119
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$MovePath$BackslashCloseCreateDirectoryErrorExistsHandleLastWindowsWritelstrlen
                                            • String ID: NUL$WinInit.ini$[rename]
                                            • API String ID: 3399670684-3452916884
                                            • Opcode ID: cd5dff133221f2ac2249769c6767c808f5639d018caf4c36dfcb30e6db03d268
                                            • Instruction ID: f8b49c84763b881df5b2411908632036d3a11ebc62dcc65f7dcb1cad4589eca9
                                            • Opcode Fuzzy Hash: cd5dff133221f2ac2249769c6767c808f5639d018caf4c36dfcb30e6db03d268
                                            • Instruction Fuzzy Hash: A0319FB22443116BE320DB648CC5FEB73D8EB98710F514A29FF95D61D1DBB0D50887A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 10039F70
                                            • _memset.LIBCMT ref: 10039F84
                                            • _memset.LIBCMT ref: 10039F98
                                            • _memset.LIBCMT ref: 10039FAC
                                            • GetLocalTime.KERNEL32 ref: 10039FB8
                                            • wsprintfA.USER32 ref: 10039FEF
                                            • GetModuleFileNameA.KERNEL32(10000000,?,00000104), ref: 1003A009
                                            • lstrcpynA.KERNEL32(?,?,00000104), ref: 1003A021
                                              • Part of subcall function 10072080: _memset.LIBCMT ref: 100720DB
                                              • Part of subcall function 10072080: GetModuleFileNameA.KERNEL32(?,?,00000104,00000000,00000000,75BF8400), ref: 100720EE
                                              • Part of subcall function 10072080: GetShortPathNameA.KERNEL32(?,?,00000104), ref: 10072101
                                              • Part of subcall function 10072080: GetFileVersionInfoSizeA.VERSION(?,00000000,00000000,00000000,75BF8400), ref: 10072119
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100722D1
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100722EB
                                              • Part of subcall function 100722A0: lstrlenA.KERNEL32(?,?,00000FFA,7FFFFFFF,?,?,?,?,?,?,00000000), ref: 10072345
                                              • Part of subcall function 100722A0: _memset.LIBCMT ref: 100723DC
                                            Strings
                                            • vClnr version: %s, xrefs: 1003A061
                                            • %d%.2d%.2d %.2d:%.2d:%.2d, xrefs: 10039FE9
                                            • Initialized from program <%s>, xrefs: 1003A070
                                            • vClnr Start-------- %s, xrefs: 1003A04F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$FileName$Module$InfoLocalPathShortSizeTimeVersionlstrcpynlstrlenwsprintf
                                            • String ID: %d%.2d%.2d %.2d:%.2d:%.2d$Initialized from program <%s>$vClnr Start-------- %s$vClnr version: %s
                                            • API String ID: 519372960-640991545
                                            • Opcode ID: 03bcf884b43a0df57a0d9a0de5aeba46478a65ba9e47e4108a884e2a209c92e7
                                            • Instruction ID: fd233e711bf9649eeefceb2bc9da449a20dac4d63ef5ac40be1288f6f07d47cb
                                            • Opcode Fuzzy Hash: 03bcf884b43a0df57a0d9a0de5aeba46478a65ba9e47e4108a884e2a209c92e7
                                            • Instruction Fuzzy Hash: AD31F2B5154350BBE224DB94CC86FFB73E8EB88B00F40890DF79596191E7B4A688C776
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • IsProcessorFeaturePresent.KERNEL32(0000000C,?,0040F051,?,004051F7), ref: 0040EF83
                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,?), ref: 0040EF9D
                                            • GetProcAddress.KERNEL32(00000000,InterlockedPushEntrySList), ref: 0040EFB7
                                            • GetProcAddress.KERNEL32(00000000,InterlockedPopEntrySList), ref: 0040EFC4
                                            • GetProcessHeap.KERNEL32(00000000,00000008), ref: 0040EFF6
                                            • HeapAlloc.KERNEL32(00000000), ref: 0040EFF9
                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0040F00D
                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040F019
                                            • HeapFree.KERNEL32(00000000), ref: 0040F01C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Heap$AddressProcProcess$AllocCompareExchangeFeatureFreeInterlockedLibraryLoadPresentProcessor
                                            • String ID: InterlockedPopEntrySList$InterlockedPushEntrySList$kernel32.dll
                                            • API String ID: 3830925854-2586642590
                                            • Opcode ID: b7fcce3faf4a91bf61d244b3037d86ce01781972966783e97963b03a96a3f572
                                            • Instruction ID: acc5d9e5269d93141b89b0c9237c4ef96125495558da9ee627e8855cd78eddcc
                                            • Opcode Fuzzy Hash: b7fcce3faf4a91bf61d244b3037d86ce01781972966783e97963b03a96a3f572
                                            • Instruction Fuzzy Hash: F111C17A640248BFE3709FA6EC88E677BACEB44751314843BE901D3391CB399811DB6C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1001DB7F
                                              • Part of subcall function 10042150: GetFileAttributesA.KERNEL32(?), ref: 10042170
                                              • Part of subcall function 10042150: lstrlenA.KERNEL32(?), ref: 10042182
                                              • Part of subcall function 10042150: _memset.LIBCMT ref: 10042197
                                              • Part of subcall function 10042150: lstrcpynA.KERNEL32(?,?,00000104), ref: 100421AA
                                              • Part of subcall function 10042150: PathAddBackslashA.SHLWAPI(?), ref: 100421B5
                                              • Part of subcall function 10041930: lstrlenA.KERNEL32(?,74DE9300,74DF31E0,00000000), ref: 1004195B
                                              • Part of subcall function 10041930: _memset.LIBCMT ref: 10041971
                                              • Part of subcall function 10041930: lstrcmpiA.KERNEL32(?,?), ref: 10041993
                                            • _memset.LIBCMT ref: 1001DBC1
                                            • GetTempPathA.KERNEL32(00000104,?), ref: 1001DBD6
                                            • GetTempFileNameA.KERNEL32(?,EAC,00000000,?), ref: 1001DBF7
                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 1001DC14
                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 1001DDD8
                                            • _memset.LIBCMT ref: 1001DE09
                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 1001DE54
                                              • Part of subcall function 10079DF0: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000,74DE8B60,1001DC3E), ref: 10079E07
                                              • Part of subcall function 10079EA0: GetFileSize.KERNEL32(?,00000000,9E6FDE2E), ref: 10079EE7
                                              • Part of subcall function 10079EA0: CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 10079F04
                                              • Part of subcall function 10079EA0: MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 10079F1B
                                              • Part of subcall function 10079EA0: UnmapViewOfFile.KERNEL32(00000000), ref: 10079F62
                                              • Part of subcall function 10079EA0: CloseHandle.KERNEL32(?), ref: 10079F71
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$_memset$Copy$CreatePathTempViewlstrlen$AttributesBackslashCloseHandleMappingNameSizeUnmaplstrcmpilstrcpyn
                                            • String ID: ._eac_qt_$EAC$gfff
                                            • API String ID: 2050989335-3963223330
                                            • Opcode ID: 3cf019709d5d310b2702736f716d05e91335530769d65160063ee917975f7aa2
                                            • Instruction ID: 1fdfc3a2b17cc204d153888750e9c6627835b85cfc23c528bf6f43161c1d6adc
                                            • Opcode Fuzzy Hash: 3cf019709d5d310b2702736f716d05e91335530769d65160063ee917975f7aa2
                                            • Instruction Fuzzy Hash: 9BB162B61143419BD725FF64DC81EEB77ECEF94640F01491EF5858A151EB30EA88C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$__itoa_s
                                            • String ID: DRK$DRK%d: SUCCESS <%s>$`$hive$item$key$reg
                                            • API String ID: 2738638917-602928456
                                            • Opcode ID: 84890a35960017f66bb80da463067e673dc290a03f55ba0829102c5f26c2e5a0
                                            • Instruction ID: 20a5ccd88ad5994aa9c486f8d99769951f1f3f4b52f82e04401f46d2e611c805
                                            • Opcode Fuzzy Hash: 84890a35960017f66bb80da463067e673dc290a03f55ba0829102c5f26c2e5a0
                                            • Instruction Fuzzy Hash: 34A1AF712047419FD758DF68D985BAAB3E5FF88304F80892CF5998B681E730F840CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$__itoa_s
                                            • String ID: DRK$DRK%d: SUCCESS <%s>$`$hive$item$key$reg
                                            • API String ID: 2738638917-602928456
                                            • Opcode ID: 4e3143468c1099c6a9bb7080c25dcdde6736b0b96ef7884cb43edb49db74b30f
                                            • Instruction ID: 3fda5a83f6bc780fd7cec1e9415c6a42d949c2dbcdadabd2b51fa7284aa85cb5
                                            • Opcode Fuzzy Hash: 4e3143468c1099c6a9bb7080c25dcdde6736b0b96ef7884cb43edb49db74b30f
                                            • Instruction Fuzzy Hash: 28A1B0712047419FD758DF68D985AAAB3E5FF84304F80892CF5998B681E730F840CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1001BCFE
                                            • __itoa_s.LIBCMT ref: 1001BD10
                                              • Part of subcall function 100A387C: _xtoa_s@20.LIBCMT ref: 100A389D
                                              • Part of subcall function 10096880: VariantInit.OLEAUT32(?), ref: 100968F6
                                              • Part of subcall function 10096880: VariantCopy.OLEAUT32(?,00000003), ref: 10096904
                                              • Part of subcall function 10096880: VariantClear.OLEAUT32(?), ref: 1009698E
                                              • Part of subcall function 10095100: _com_util::ConvertStringToBSTR.COMSUPP ref: 100951CB
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000008), ref: 10095201
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Variant$Clear$ConvertCopyInitString__itoa_s_com_util::_memset_xtoa_s@20
                                            • String ID: FailIfExists %d, NeedReboot %d, Action %d$ dst <%s>$ src <%s>$CCF$CCF%d: SUCCESS---$CCF%d: end-------$dst$item$src
                                            • API String ID: 2171680423-416221873
                                            • Opcode ID: 79fd67fbdc78a229ff9df72f49a640a1da6892bc78b699bee7d739f638ca1aab
                                            • Instruction ID: 32b6acfa1399ef463c2a9eb346636344709fba6bb7e22bd0f93bd27f268d2794
                                            • Opcode Fuzzy Hash: 79fd67fbdc78a229ff9df72f49a640a1da6892bc78b699bee7d739f638ca1aab
                                            • Instruction Fuzzy Hash: F491A274508B15DFD724DFA8DCC1A6AB3E9EF88740F10492DF5854B641EB71E884CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 100035AD
                                            • _memset.LIBCMT ref: 100035CB
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 100035DD
                                            • _memset.LIBCMT ref: 100035EA
                                            • LoadLibraryA.KERNEL32(wintrust.dll,?,?,00000000), ref: 10003645
                                            • GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 1000365D
                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 100036AE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ByteCharLibraryMultiWide_memset$AddressFreeLoadProc
                                            • String ID: 0$O$WinVerifyTrust$wintrust.dll
                                            • API String ID: 3326169991-587118203
                                            • Opcode ID: 18a90bf57e006b06c746d3d1a22e9a558f9070d6ee0f04d387a4be25da14c3f9
                                            • Instruction ID: 2f737e7e4ec53acc2705b73d94273ce470d80353b6ee6d014462c719053ba84c
                                            • Opcode Fuzzy Hash: 18a90bf57e006b06c746d3d1a22e9a558f9070d6ee0f04d387a4be25da14c3f9
                                            • Instruction Fuzzy Hash: 9D4158B1D04259AFDB10CFE8CC849DEBFB8EF08254F118269E925A7281D7315A44CBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 10084043
                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10084055
                                            • PathAddBackslashA.SHLWAPI(?), ref: 10084066
                                            • PathFileExistsA.SHLWAPI(?,?,00000104,?,7FFFFFFF), ref: 100840B2
                                            • _memset.LIBCMT ref: 100840C9
                                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 100840DB
                                            • PathAddBackslashA.SHLWAPI(?), ref: 100840E6
                                            • PathFileExistsA.SHLWAPI(?,?,00000104,?,7FFFFFFF), ref: 1008412B
                                            • lstrcpynA.KERNEL32(?,?,?), ref: 10084142
                                            • lstrcpynA.KERNEL32(?,?,?), ref: 1008415A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Path$BackslashDirectoryExistsFile_memsetlstrcpyn$SystemWindows
                                            • String ID: notepad.exe
                                            • API String ID: 1415170566-3945792927
                                            • Opcode ID: d3e7591f63e3be233cba5bc0175ec215f5c9bd82ad5970ac0039891e3f3114f8
                                            • Instruction ID: b3f0febe5409cb5bd8be1cd62ef3c2d41141c5c5620069a30dfdb786d7e1664a
                                            • Opcode Fuzzy Hash: d3e7591f63e3be233cba5bc0175ec215f5c9bd82ad5970ac0039891e3f3114f8
                                            • Instruction Fuzzy Hash: 963185B6504315ABD314DBA4CCC5DEBB7ECFB94710F014A1DFAA486181EB74E548CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: lstrcpyn$_memset
                                            • String ID: HKCC$HKCR$HKCU$HKLM$HKU
                                            • API String ID: 4001466986-62392802
                                            • Opcode ID: 9ae6e979298d6e757d2722404a912d33bf4c761cab9ef3e2d6d9ce9821fbe77e
                                            • Instruction ID: 7b6b2b7fd335cec78c2b3158a6bb46d65efc525dc3fc96e97d0f147848563d26
                                            • Opcode Fuzzy Hash: 9ae6e979298d6e757d2722404a912d33bf4c761cab9ef3e2d6d9ce9821fbe77e
                                            • Instruction Fuzzy Hash: E6018436104261A7D210D719AC89FDF6BA8EBE6272F12841FFE89E2011D75884C296B6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0040C490: lstrcmpiA.KERNEL32(?,00000000), ref: 0040C4FF
                                            • lstrlenA.KERNEL32(?,00000000), ref: 0040C0A3
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: lstrcmpilstrlen
                                            • String ID:
                                            • API String ID: 3649823140-0
                                            • Opcode ID: afbd50d2f2497bb1c81715c163bb993d8f04ec6530e2fcba0fdc5d911fcec5ea
                                            • Instruction ID: 5b2b94be32a7f5e22e980c52393e21f1e49a9ea8cf96da8bb920d2e87d1508bf
                                            • Opcode Fuzzy Hash: afbd50d2f2497bb1c81715c163bb993d8f04ec6530e2fcba0fdc5d911fcec5ea
                                            • Instruction Fuzzy Hash: 48D1CA71900218DBDB24DB65CCC1BEEB7B4AB48314F1442FBEA45B72C1D6789E848F99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenA.KERNEL32(?,4121B502,00000000,?,?,00000000,?,?,?,?,?,4121B502,0041D538,000000FF,0040B2AE), ref: 0040B413
                                            • CoTaskMemAlloc.OLE32(00000000,?,4121B502,00000000,?,?,00000000,?,?,?,?,?,4121B502,0041D538,000000FF,0040B2AE), ref: 0040B43D
                                            • CoTaskMemFree.OLE32(00000000,?,4121B502,00000000,?,?,00000000,?,?,?,?,?,4121B502,0041D538,000000FF,0040B2AE), ref: 0040B456
                                            • CharNextA.USER32(?,?,4121B502,00000000,?,?,00000000,?,?,?,?,?,4121B502,0041D538,000000FF,0040B2AE), ref: 0040B481
                                            • CharNextA.USER32(?,?,4121B502,00000000,?,?,00000000,?,?,?,?,?,4121B502,0041D538,000000FF,0040B2AE), ref: 0040B48E
                                            • CharNextA.USER32(?,?,?,?,4121B502,00000000,?,?,00000000,?,?,?,?,?,4121B502,0041D538), ref: 0040B4AA
                                            • CoTaskMemFree.OLE32(00000000,?,4121B502,00000000,?,?,00000000,?,?,?,?,?,4121B502,0041D538,000000FF,0040B2AE), ref: 0040B4C9
                                            • CharNextA.USER32(00000000,?,?,4121B502,00000000,?,?,00000000,?,?,?,?,?,4121B502,0041D538,000000FF), ref: 0040B4E7
                                            • CoTaskMemFree.OLE32(?), ref: 0040B4FE
                                            • CharNextA.USER32(00000000,?,00000000,?,4121B502,00000000,?,?,00000000,?,?,?,?,?,4121B502,0041D538), ref: 0040B564
                                            • CoTaskMemFree.OLE32(?), ref: 0040B57F
                                            • CoTaskMemFree.OLE32(?), ref: 0040B598
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Task$CharFreeNext$Alloclstrlen
                                            • String ID:
                                            • API String ID: 1357197425-0
                                            • Opcode ID: 8a86c8c5520f2ae50769164c90e6226a3320a9dc1a117972686ae24507a67ca8
                                            • Instruction ID: 15fedd31c0f0e0a29d7b036f44343caecbf312efa91456b5f8d73fc6711ba680
                                            • Opcode Fuzzy Hash: 8a86c8c5520f2ae50769164c90e6226a3320a9dc1a117972686ae24507a67ca8
                                            • Instruction Fuzzy Hash: B2516971504355AFC7108F298C84A6BBBE8EB48718F54497EF989E7381D738DA408B9E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetWindowLongA.USER32(00000000,000000F0), ref: 10047E52
                                            • GetParent.USER32 ref: 10047E73
                                            • GetWindow.USER32(?,00000004), ref: 10047E7C
                                            • GetWindowRect.USER32(?,?), ref: 10047E8C
                                            • GetWindowLongA.USER32(?,000000F0), ref: 10047EA1
                                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 10047EC2
                                            • GetWindowRect.USER32(?,?), ref: 10047EF4
                                            • GetParent.USER32 ref: 10047EFF
                                            • GetClientRect.USER32(00000000,?), ref: 10047F0F
                                            • GetClientRect.USER32(?,?), ref: 10047F17
                                            • MapWindowPoints.USER32(?,00000000,?,00000002), ref: 10047F22
                                            • SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,?,?,?,00000010,75C08FB0), ref: 10047FAF
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Window$Rect$ClientLongParent$InfoParametersPointsSystem
                                            • String ID:
                                            • API String ID: 2289592163-0
                                            • Opcode ID: 68eb3e94780aac4fdd22f05ff15ac30265eafad547fc96a3418af80179914e06
                                            • Instruction ID: 9b2b242eee6f1438f0645f7e5da5909f1d146be1730a7a683bd6c0710d76d033
                                            • Opcode Fuzzy Hash: 68eb3e94780aac4fdd22f05ff15ac30265eafad547fc96a3418af80179914e06
                                            • Instruction Fuzzy Hash: 90415C712043119FD314CF29CD84B5AB7E9FB88654F264A28FD59D3294EB30ED448BA6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WSAStartup.WS2_32(00000002,?), ref: 10075F28
                                            • WSAEnumNameSpaceProvidersA.WS2_32(?,00000000), ref: 10075F46
                                            • WSAGetLastError.WS2_32(?,?,00000000), ref: 10075F51
                                            • CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 10075F67
                                            • WSAEnumNameSpaceProvidersA.WS2_32(?,00000000), ref: 10075F81
                                            • _memset.LIBCMT ref: 10075F9F
                                            • UuidToStringA.RPCRT4(00000000,?), ref: 10075FAD
                                            • lstrcpynA.KERNEL32(?,?,00000104,?,?,00000000), ref: 10075FC2
                                            • RpcStringFreeA.RPCRT4(?), ref: 10075FC9
                                            • lstrcpynA.KERNEL32(?,?,00000104,?,?,00000000), ref: 10075FE0
                                            • CoTaskMemFree.OLE32(00000000,?,?,00000000), ref: 10075FFF
                                            • WSACleanup.WS2_32 ref: 10076005
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: EnumFreeNameProvidersSpaceStringTasklstrcpyn$AllocCleanupErrorLastStartupUuid_memset
                                            • String ID:
                                            • API String ID: 1908277572-0
                                            • Opcode ID: 455368f52069f06bdaa3de7669403d3d4ea254e6c1f50ba713d49a3b45debe96
                                            • Instruction ID: 85022af7e1f53350b7929c2c0c7cd9aef02f60b5e6ae0fac70cd1130191f8afe
                                            • Opcode Fuzzy Hash: 455368f52069f06bdaa3de7669403d3d4ea254e6c1f50ba713d49a3b45debe96
                                            • Instruction Fuzzy Hash: A63150B65043119FD310DFA4DC84A9BB7ECEF88750F06892DFA8597141DB74E948CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __freea__isleadbyte_l_malloc
                                            • String ID: a/p$am/pm
                                            • API String ID: 492057358-3206640213
                                            • Opcode ID: f3c001aea72e96e0479e249b0d13f783e2df6357a4f9c96fe097e6cde406c1e6
                                            • Instruction ID: c9160847b5f1677bbe7ff669c60e65fb332495c7e1a19d3771cb0f1225debb67
                                            • Opcode Fuzzy Hash: f3c001aea72e96e0479e249b0d13f783e2df6357a4f9c96fe097e6cde406c1e6
                                            • Instruction Fuzzy Hash: 05D1DF3C5042469EDB55CF28C8907A9BBF2EF1A382F2444AAD8919B352D736DD41CB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __itoa_s_memset
                                            • String ID: CWRS$CWRS%d: SUCCESS <%s\%s:%s> value <%s>$data$hive$item$key$reg$value
                                            • API String ID: 1081510541-2181314117
                                            • Opcode ID: 24604da8fa492260d50e6ed2ac38e235f9b4c1257315a76d45d1ada1867562e0
                                            • Instruction ID: 73b044bfe7b7c75aa9d0e78a42fa292f16f3d2bf61e98184d8fe9d2710786b39
                                            • Opcode Fuzzy Hash: 24604da8fa492260d50e6ed2ac38e235f9b4c1257315a76d45d1ada1867562e0
                                            • Instruction Fuzzy Hash: 14C1C375908314DBDB20FFA4D884B9EB3B5EF88340F50452AF9956B241EB34E9C4CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __itoa_s_memset
                                            • String ID: CWRD$CWRD%d: SUCCESS <%s\%s:%s> value %d$data$hive$item$key$reg$value
                                            • API String ID: 1081510541-2388064184
                                            • Opcode ID: 3544531f4b444959d2f27e90d698cc1b2479385f1cbb5da44dda42c5b6ebbbaf
                                            • Instruction ID: a10be57d0b932a338e743f65dde99263f4affe7a843228d323c1fab286a6b4c0
                                            • Opcode Fuzzy Hash: 3544531f4b444959d2f27e90d698cc1b2479385f1cbb5da44dda42c5b6ebbbaf
                                            • Instruction Fuzzy Hash: 92B19DB5504704DBE720FFA8D885B5EB3EAEF88340F01492EF5895B241DB35E984CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __itoa_s_memset
                                            • String ID: file <%s>$ section <%s>$CDIS$CDIS%d: SUCCESS--$CDIS%d: end------$item$path$removed
                                            • API String ID: 1081510541-4118773768
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNEL32(USER32.DLL), ref: 100BF921
                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 100BF93D
                                              • Part of subcall function 100A982B: TlsGetValue.KERNEL32(100BA25E,100BA2DE,100BA25E,00000014,100ABF83,00000000,00000FA0,100ED3C8,0000000C,100ABFE2,100A28F0,?,?,100B4645,00000004,100ED568), ref: 100A9838
                                              • Part of subcall function 100A982B: TlsGetValue.KERNEL32(00000005,?,100B4645,00000004,100ED568,0000000C,100A78CD,100A28F0,100A28F0,00000000,00000000,00000000,100A9AA4,00000001,00000214), ref: 100A984F
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 100BF95A
                                              • Part of subcall function 100A982B: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,100B4645,00000004,100ED568,0000000C,100A78CD,100A28F0,100A28F0,00000000,00000000,00000000,100A9AA4,00000001,00000214), ref: 100A9864
                                              • Part of subcall function 100A982B: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 100A987F
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 100BF96F
                                            • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 100BF9A4
                                            • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 100BF9BC
                                              • Part of subcall function 100A98A2: TlsGetValue.KERNEL32(80040111,100AA6D1,100A32BD,100A28F0,?,100A28F0,00000008,10029968,00000008), ref: 100A98AF
                                              • Part of subcall function 100A98A2: TlsGetValue.KERNEL32(00000005,?,100A28F0,00000008,10029968,00000008), ref: 100A98C6
                                              • Part of subcall function 100A98A2: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,100A28F0,00000008,10029968,00000008), ref: 100A98DB
                                              • Part of subcall function 100A98A2: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 100A98F6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: AddressProc$Value$HandleModule$LibraryLoad
                                            • String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                            • API String ID: 2808121998-1046234306
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 10039BBE
                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000103,?), ref: 10039BD1
                                            • PathRemoveFileSpecA.SHLWAPI(?), ref: 10039BDC
                                            • PathFileExistsA.SHLWAPI(?,?,00000104,?,7FFFFFFF), ref: 10039C25
                                            • LoadLibraryA.KERNEL32(?), ref: 10039C34
                                            • LoadLibraryA.KERNEL32(dbghelp.dll), ref: 10039C45
                                            • GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 10039C59
                                            • FreeLibrary.KERNEL32(?), ref: 10039C89
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: FileLibrary$LoadPath$AddressExistsFreeModuleNameProcRemoveSpec_memset
                                            • String ID: MiniDumpWriteDump$dbghelp.dll
                                            • API String ID: 3590327206-4105291546
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,004229C8,0000000C,00413D12,00000000,00000000), ref: 00413C12
                                            • GetProcAddress.KERNEL32(?,EncodePointer), ref: 00413C46
                                            • GetProcAddress.KERNEL32(?,DecodePointer), ref: 00413C56
                                            • InterlockedIncrement.KERNEL32(004257C0), ref: 00413C78
                                            • __lock.LIBCMT ref: 00413C80
                                            • ___addlocaleref.LIBCMT ref: 00413C9F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                                            • String ID: (TB$DecodePointer$EncodePointer$KERNEL32.DLL
                                            • API String ID: 1036688887-3531372467
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 10033283
                                            • StrRChrIA.SHLWAPI(?,00000000,0000005C), ref: 100332AD
                                            • lstrcpynA.KERNEL32(?,?,00000104), ref: 100332C1
                                            • StrRChrIA.SHLWAPI(?,00000000,0000005C), ref: 100332E1
                                            • _memset.LIBCMT ref: 10033382
                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?,?,00000104,7FFFFFFF), ref: 100333E0
                                            • _memset.LIBCMT ref: 10033408
                                            • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000104), ref: 10033424
                                            • _memset.LIBCMT ref: 10033457
                                            • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000104), ref: 10033476
                                            • RegCloseKey.ADVAPI32(?), ref: 100335BF
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$CloseEnumInfoOpenQuerylstrcpyn
                                            • String ID:
                                            • API String ID: 125511322-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$__itoa_s
                                            • String ID: found <%s>$DMRK$hive$item$key$reg
                                            • API String ID: 2738638917-3636709901
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OpenProcess.KERNEL32(001F0FFF,00000000,00000001,-00000018,?,SeDebugPrivilege,00000001,?,00000000,00000000,1009042C,?,?,?,?,00000104), ref: 1008A325
                                            • GetModuleHandleA.KERNEL32(Kernel32.dll,00000224), ref: 1008A338
                                            • GetProcAddress.KERNEL32(00000000,FreeLibrary), ref: 1008A34B
                                              • Part of subcall function 10087D70: GetProcAddress.KERNEL32(?,CreateRemoteThread), ref: 10087D85
                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,-00000018,00000000,00000000,00000000,00000000), ref: 1008A365
                                            • CloseHandle.KERNEL32(00000000), ref: 1008A371
                                            • CloseHandle.KERNEL32(00000000,-00000018,00000000,00000000,00000000,00000000), ref: 1008A378
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Handle$AddressCloseProc$ModuleObjectOpenProcessSingleWait
                                            • String ID: FreeLibrary$Kernel32.dll$SeDebugPrivilege
                                            • API String ID: 454157205-1832910496
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,100ED0C0,0000000C,100A9ACD,00000000,00000000,?,?,100A28F0,100A98EC,?,100A28F0,00000008,10029968,00000008), ref: 100A99CD
                                            • GetProcAddress.KERNEL32(?,EncodePointer), ref: 100A9A01
                                            • GetProcAddress.KERNEL32(?,DecodePointer), ref: 100A9A11
                                            • InterlockedIncrement.KERNEL32(100F22B8), ref: 100A9A33
                                            • __lock.LIBCMT ref: 100A9A3B
                                            • ___addlocaleref.LIBCMT ref: 100A9A5A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                                            • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                            • API String ID: 1036688887-2843748187
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SelectObject.GDI32(?,00000000), ref: 004096C9
                                            • SetTextColor.GDI32(?,?), ref: 004096D8
                                            • SetBkMode.GDI32(?,00000001), ref: 004096E5
                                            • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00409721
                                            • GetClientRect.USER32(00000000,?), ref: 00409748
                                            • GetClientRect.USER32(00000000,?), ref: 0040977C
                                            • DrawTextA.USER32(?,?,?,?,00000001), ref: 004097D5
                                            • SelectObject.GDI32(?,?), ref: 004097E1
                                            • SetTextColor.GDI32(?,?), ref: 004097ED
                                            • SetBkMode.GDI32(?,?), ref: 004097F9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Text$ClientColorModeObjectRectSelect$DrawExtentPoint32
                                            • String ID:
                                            • API String ID: 1077105972-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 004012D0: GetMapMode.GDI32(00000000,00000000,?,?,00000000,00000000,004010A7,?,004095B3,?,?,?,00000000), ref: 004012E2
                                              • Part of subcall function 004012D0: SetMapMode.GDI32(00000000,00000003), ref: 004012FD
                                              • Part of subcall function 004012D0: SetMapMode.GDI32(00000000,00000000), ref: 00401308
                                            • CreateCompatibleDC.GDI32(?), ref: 00401469
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040147C
                                            • SelectObject.GDI32(00000000,00000000), ref: 00401488
                                            • GetBkColor.GDI32(?), ref: 00401493
                                            • CreateSolidBrush.GDI32(00000000), ref: 0040149A
                                            • StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 004014EA
                                            • SelectObject.GDI32(00000000,?), ref: 004014F6
                                            • DeleteObject.GDI32(?), ref: 00401507
                                            • DeleteObject.GDI32(00000000), ref: 0040150A
                                            • DeleteObject.GDI32(?), ref: 00401511
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Object$CreateDeleteMode$CompatibleSelect$BitmapBrushColorSolidStretch
                                            • String ID:
                                            • API String ID: 2352530456-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateCompatibleDC.GDI32(?), ref: 0040136A
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040137D
                                            • SelectObject.GDI32(00000000,00000000), ref: 00401389
                                            • GetBkColor.GDI32(?), ref: 00401394
                                            • CreateSolidBrush.GDI32(00000000), ref: 0040139B
                                            • BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 004013E7
                                            • SelectObject.GDI32(00000000,?), ref: 004013F3
                                            • DeleteObject.GDI32(?), ref: 00401404
                                            • DeleteObject.GDI32(00000000), ref: 00401407
                                            • DeleteObject.GDI32(?), ref: 0040140E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Object$CreateDelete$CompatibleSelect$BitmapBrushColorSolid
                                            • String ID:
                                            • API String ID: 3300307677-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __itoa_s_memset
                                            • String ID: <%s>$CDLL$CDLL%d: SUCCESS <%s>$file$item$path
                                            • API String ID: 1081510541-993454956
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1002580D
                                            • __itoa_s.LIBCMT ref: 1002581F
                                              • Part of subcall function 100A387C: _xtoa_s@20.LIBCMT ref: 100A389D
                                              • Part of subcall function 10096880: VariantInit.OLEAUT32(?), ref: 100968F6
                                              • Part of subcall function 10096880: VariantCopy.OLEAUT32(?,00000003), ref: 10096904
                                              • Part of subcall function 10096880: VariantClear.OLEAUT32(?), ref: 1009698E
                                              • Part of subcall function 10095100: _com_util::ConvertStringToBSTR.COMSUPP ref: 100951CB
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000008), ref: 10095201
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Variant$Clear$ConvertCopyInitString__itoa_s_com_util::_memset_xtoa_s@20
                                            • String ID: CDEL$CDEL%d: <%s>$CDEL%d: SUCCESS NeedReboot %d$file$item$path
                                            • API String ID: 2171680423-1075552190
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1002549C
                                            • __itoa_s.LIBCMT ref: 100254AE
                                              • Part of subcall function 10096880: VariantInit.OLEAUT32(?), ref: 100968F6
                                              • Part of subcall function 10096880: VariantCopy.OLEAUT32(?,00000003), ref: 10096904
                                              • Part of subcall function 10096880: VariantClear.OLEAUT32(?), ref: 1009698E
                                              • Part of subcall function 10095100: _com_util::ConvertStringToBSTR.COMSUPP ref: 100951CB
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000008), ref: 10095201
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Variant$Clear$ConvertCopyInitString__itoa_s_com_util::_memset
                                            • String ID: CDLOF$CDLOF%d: <%s>$CDLOF%d: SUCCESS NeedReboot %d$file$item$path
                                            • API String ID: 3559754577-1198246481
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 10091BD0: RegOpenKeyExA.ADVAPI32 ref: 10091BFB
                                              • Part of subcall function 10091BD0: RegQueryValueExA.ADVAPI32(00000000,scancount,00000000,80000002,00020019,00020019), ref: 10091C1F
                                            • VariantInit.OLEAUT32(?), ref: 1009550F
                                            • VariantCopy.OLEAUT32(?,00000000), ref: 100955B2
                                            • _com_raise_error.COMSUPP ref: 100955C7
                                            • VariantClear.OLEAUT32(00000000), ref: 100955D4
                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000016), ref: 100955E4
                                            • VariantClear.OLEAUT32(?), ref: 1009563A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Variant$Clear$ChangeCopyInitOpenQueryTypeValue_com_raise_error
                                            • String ID: scan$vclnr
                                            • API String ID: 603793445-2606109390
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1001A89E
                                            • __itoa_s.LIBCMT ref: 1001A913
                                              • Part of subcall function 100A387C: _xtoa_s@20.LIBCMT ref: 100A389D
                                              • Part of subcall function 10096880: VariantInit.OLEAUT32(?), ref: 100968F6
                                              • Part of subcall function 10096880: VariantCopy.OLEAUT32(?,00000003), ref: 10096904
                                              • Part of subcall function 10096880: VariantClear.OLEAUT32(?), ref: 1009698E
                                              • Part of subcall function 10095100: _com_util::ConvertStringToBSTR.COMSUPP ref: 100951CB
                                              • Part of subcall function 10095100: VariantClear.OLEAUT32(00000008), ref: 10095201
                                              • Part of subcall function 10096880: VariantClear.OLEAUT32(00000003), ref: 10096B80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Variant$Clear$ConvertCopyInitString__itoa_s_com_util::_memset_xtoa_s@20
                                            • String ID: CCRP$CCRP%d: SUCCESS <%s\%s>$hive$item$key$reg
                                            • API String ID: 2171680423-1721721213
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • EnterCriticalSection.KERNEL32 ref: 00408BE1
                                            • GetClassInfoExA.USER32(00000000,?,?), ref: 00408C22
                                            • GetClassInfoExA.USER32(00400000,?,?), ref: 00408C37
                                              • Part of subcall function 00403200: LeaveCriticalSection.KERNEL32(00000000,?,00408CF9), ref: 0040320C
                                            • LoadCursorA.USER32(?,?), ref: 00408C86
                                            • _swprintf.LIBCMT ref: 00408CB1
                                            • GetClassInfoExA.USER32(?,00000000,?), ref: 00408CD6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ClassInfo$CriticalSection$CursorEnterLeaveLoad_swprintf
                                            • String ID: 0$ATL:%p
                                            • API String ID: 2028070049-2453800769
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileAttributesA.KERNEL32(?,9E6FDE2E,74DE9300,?,00000000,?,?,?,?,?,?,?,100CE3A0,000000FF,100457D2,?), ref: 100435ED
                                            • PathGetDriveNumberA.SHLWAPI(?,?,?,?,?,?,?,?,100CE3A0,000000FF,100457D2,?,?,?,?,00000104), ref: 100435FF
                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,100CE3A0,000000FF,100457D2,?,?,?,?), ref: 1004361F
                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,100CE3A0,000000FF,100457D2,?,?,?,?,00000104), ref: 10043638
                                              • Part of subcall function 100419C0: GetLastError.KERNEL32(9E6FDE2E,?,?,?,?,?,?,?,00000000,0000013C), ref: 100419E6
                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,?,100CE3A0,000000FF,100457D2,?,?,?), ref: 10043635
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Attributes$DeleteDriveErrorLastNumberPath
                                            • String ID: FAILED to delete <%s>$ deleted <%s>$ deleted on REBOOT <%s>
                                            • API String ID: 1487885892-1243121458
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?), ref: 10077B05
                                            • CoTaskMemAlloc.OLE32(-00000005), ref: 10077B11
                                            • lstrcpynA.KERNEL32(00000000,?,-00000005), ref: 10077B24
                                            • UuidFromStringA.RPCRT4(00000000,?), ref: 10077B30
                                            • WSAStartup.WS2_32(00000002,?), ref: 10077B45
                                            • _memset.LIBCMT ref: 10077B68
                                              • Part of subcall function 100730B0: _memset.LIBCMT ref: 100730EC
                                              • Part of subcall function 100730B0: _memset.LIBCMT ref: 10073132
                                              • Part of subcall function 100730B0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,-00000014,00000000), ref: 10073155
                                              • Part of subcall function 100730B0: _memset.LIBCMT ref: 1007316E
                                              • Part of subcall function 100730B0: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 10073188
                                              • Part of subcall function 100730B0: PathIsRelativeA.SHLWAPI(?), ref: 10073193
                                              • Part of subcall function 100730B0: PathFindOnPathA.SHLWAPI(?,00000000), ref: 100731A3
                                              • Part of subcall function 10072580: WSACleanup.WS2_32 ref: 10072597
                                              • Part of subcall function 10072580: WSAStartup.WS2_32(00000002,?), ref: 100725A4
                                            • WSACleanup.WS2_32 ref: 10077BDA
                                            • CoTaskMemFree.OLE32(00000000), ref: 10077BE1
                                              • Part of subcall function 10073200: CoTaskMemAlloc.OLE32(?,00000000,00000000,00000000,?,?,?), ref: 10073263
                                              • Part of subcall function 10073200: _memset.LIBCMT ref: 100732BF
                                              • Part of subcall function 10073200: lstrcmpiA.KERNEL32(?,?), ref: 100732E2
                                              • Part of subcall function 10073200: _memset.LIBCMT ref: 100732FD
                                              • Part of subcall function 10073200: WideCharToMultiByte.KERNEL32(00000000,00000000,0000004C,000000FF,?,00000104,00000000,00000000), ref: 1007331C
                                            • CoTaskMemFree.OLE32(00000000), ref: 10077BF0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$Task$Path$AllocByteCharCleanupFreeMultiStartupWide$EnvironmentExpandFindFromRelativeStringStringsUuidlstrcmpilstrcpynlstrlen
                                            • String ID:
                                            • API String ID: 1352091809-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 0040EADB
                                            • GetTickCount.KERNEL32 ref: 0040EAE0
                                            • GetTickCount.KERNEL32 ref: 0040EAF0
                                            • PeekMessageA.USER32(?,00000000,00000016,00000016,00000001), ref: 0040EB01
                                            • PeekMessageA.USER32(?,00000000,00000011,00000011,00000001), ref: 0040EB13
                                            • ReplyMessage.USER32(00000001), ref: 0040EB1B
                                            • Sleep.KERNEL32(00000032,?,00000000), ref: 0040EB23
                                            • ReplyMessage.USER32(00000000), ref: 0040EB37
                                            • ExitProcess.KERNEL32 ref: 0040EB3F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Message$CountTick$PeekReply$ExitProcessSleep
                                            • String ID:
                                            • API String ID: 1229114799-0
                                            • Opcode ID: ec44056b9df7ec5812390a9fe87d8c9d43c1274f2656829b7f442398bde5d1ff
                                            • Instruction ID: f8e696901409ae786bb5227fb14a9146189e34f8e2bc2b2021ac478eb99b5050
                                            • Opcode Fuzzy Hash: ec44056b9df7ec5812390a9fe87d8c9d43c1274f2656829b7f442398bde5d1ff
                                            • Instruction Fuzzy Hash: F501DB323802146BD710676A9C85FEA365CAB48701F444965FB05A60D2DAF6D4009679
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00409260: InitializeCriticalSection.KERNEL32(0000001C,4121B502,0000001C,00000000,00000000,000000FE), ref: 0040929B
                                            • lstrlenA.KERNEL32(?), ref: 0040A64A
                                              • Part of subcall function 004036A0: _malloc.LIBCMT ref: 004036AE
                                            • GetModuleHandleA.KERNEL32(00000000), ref: 0040A6F8
                                            • lstrlenW.KERNEL32(?), ref: 0040A759
                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000104), ref: 0040A602
                                              • Part of subcall function 0040AA50: EnterCriticalSection.KERNEL32(?,4121B502), ref: 0040AA9B
                                              • Part of subcall function 0040AA50: lstrlenW.KERNEL32(?), ref: 0040AAB1
                                            • lstrlenA.KERNEL32(?), ref: 0040A7B6
                                              • Part of subcall function 0040C8C0: lstrlenW.KERNEL32 ref: 0040C907
                                              • Part of subcall function 0040C8C0: lstrlenW.KERNEL32(REGISTRY,-00000001,?,00000002,00000000), ref: 0040C974
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: lstrlen$CriticalModuleSection$EnterFileHandleInitializeName_malloc
                                            • String ID: Module$Module_Raw
                                            • API String ID: 1381385757-3885325121
                                            • Opcode ID: 3f6209e50d37c53ef2ad526f671c4199dd8174b6d5e363b3251b31e4c8f6e4c4
                                            • Instruction ID: 577cfdca2c024ed90775b30e1e00d15839c09f29fe0c3f12ee0febcbd50f3c3b
                                            • Opcode Fuzzy Hash: 3f6209e50d37c53ef2ad526f671c4199dd8174b6d5e363b3251b31e4c8f6e4c4
                                            • Instruction Fuzzy Hash: 1991B472D002049BCB20EFA5DC819EEB7B8AB44304F54853FE555F7291EB39AD158B4A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __itoa_s_memset
                                            • String ID: CCFP$CCFP%d: SUCCESS <%s>$file$item$path
                                            • API String ID: 1081510541-3059505623
                                            • Opcode ID: 434912c13025ca9964886105db4df6e52214e081439565cb2fc348a11749f082
                                            • Instruction ID: 78f4dd767911c1ad09e2dbc15ac004a27704243219542fc8f8aa7f72f369c286
                                            • Opcode Fuzzy Hash: 434912c13025ca9964886105db4df6e52214e081439565cb2fc348a11749f082
                                            • Instruction Fuzzy Hash: C69123B1A04350DBD720DF68D885B9FB7E5EF89354F804A2DF58857242D731E944CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • EnterCriticalSection.KERNEL32(00427D24,4121B502,?,?,?,?,?,?,?,?,0041D5F8,000000FF), ref: 00407672
                                            • GetModuleFileNameA.KERNEL32(00400000,FFFFFFFF,00000104,?,?,?,?,?,?,?,?,0041D5F8,000000FF), ref: 00407703
                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,0041D5F8,000000FF), ref: 0040772F
                                            • LoadTypeLib.OLEAUT32(00000000,?), ref: 004077C4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CriticalEnterFileLoadModuleNameSectionTypelstrlen
                                            • String ID: 4}B
                                            • API String ID: 4054831426-3730879321
                                            • Opcode ID: 429979a2064b151d6f7b2b49e4a8c87327da741ea4ba6211224921a04ae0e97e
                                            • Instruction ID: 8f4fa4a020a55449081c46844e49b8b49efc287c4d10362a8ff9ff49660230e8
                                            • Opcode Fuzzy Hash: 429979a2064b151d6f7b2b49e4a8c87327da741ea4ba6211224921a04ae0e97e
                                            • Instruction Fuzzy Hash: 7C91A171E04205DFDB10EBA9CC849AEB7B5BF88304F64842AE501B73A1D778BD45CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 1007EE50: _memset.LIBCMT ref: 1007EE7E
                                              • Part of subcall function 1007EE50: _memset.LIBCMT ref: 1007EE9A
                                              • Part of subcall function 1007EE50: ExpandEnvironmentStringsA.KERNEL32(00000200,?,00000200,?,00000200,7FFFFFFF,000001FF), ref: 1007EEF1
                                            • GetWindowsDirectoryA.KERNEL32(?,00000100), ref: 1007F0F5
                                            • PathAddBackslashA.SHLWAPI(?,00000000,system32\,?,00000000), ref: 1007F2B9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$BackslashDirectoryEnvironmentExpandPathStringsWindows
                                            • String ID: \??\$\systemroot$rundll32 $rundll32.exe $system32\
                                            • API String ID: 882011830-809458308
                                            • Opcode ID: 64246a95c9ec7141a90bf644b61efedb1394c6c9eaa25391c08b397b4112a961
                                            • Instruction ID: 10e0415b3ab8991730a8ee36ca4ba9b4f641b799c228606d2ef1efae0d0d405a
                                            • Opcode Fuzzy Hash: 64246a95c9ec7141a90bf644b61efedb1394c6c9eaa25391c08b397b4112a961
                                            • Instruction Fuzzy Hash: 9761A7B62083C0ABD711DB688C51FAFBBD9EBC5700F44491DF18597282EB34A904C7A7
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$CloseHandle$lstrcmpi
                                            • String ID: SeDebugPrivilege
                                            • API String ID: 3024138867-2896544425
                                            • Opcode ID: 84a7fbd9b7d77adec12c964476235be3efed88548bcb67a74475f364174ca8ae
                                            • Instruction ID: e7408215add494e63db5121414f0525cc9a08a8b5a6a55b0060c9457757f6237
                                            • Opcode Fuzzy Hash: 84a7fbd9b7d77adec12c964476235be3efed88548bcb67a74475f364174ca8ae
                                            • Instruction Fuzzy Hash: E2516FB1504351ABD320DF64CC85FABB7E8FB85750F004A1EFA999B1C1EB74A944C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memmove_s$String_base::_Xlenstd::_$_memcpy_s
                                            • String ID:
                                            • API String ID: 3470545318-0
                                            • Opcode ID: 0fc517a2bf6dad731496dfa7ea8753fe2a5ecb62914e41b13022c73c1c00cccc
                                            • Instruction ID: ad3ef8872b9aca2b12652a210ef99daa344395fdb25370ed94005e5dd2022d71
                                            • Opcode Fuzzy Hash: 0fc517a2bf6dad731496dfa7ea8753fe2a5ecb62914e41b13022c73c1c00cccc
                                            • Instruction Fuzzy Hash: 0EC170707082518FEB18CF19C8D495F7BA6EFC9784B644A2DF58987359CA30ED81CB92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 10072450: GetProcAddress.KERNEL32(?,WSCEnumProtocols), ref: 10072462
                                            • CoTaskMemAlloc.OLE32(?,00000000,00000000,00000000,?,?,?), ref: 10073263
                                            • _memset.LIBCMT ref: 100732BF
                                              • Part of subcall function 100730B0: _memset.LIBCMT ref: 100730EC
                                              • Part of subcall function 100730B0: _memset.LIBCMT ref: 10073132
                                              • Part of subcall function 100730B0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,-00000014,00000000), ref: 10073155
                                              • Part of subcall function 100730B0: _memset.LIBCMT ref: 1007316E
                                              • Part of subcall function 100730B0: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 10073188
                                              • Part of subcall function 100730B0: PathIsRelativeA.SHLWAPI(?), ref: 10073193
                                              • Part of subcall function 100730B0: PathFindOnPathA.SHLWAPI(?,00000000), ref: 100731A3
                                            • lstrcmpiA.KERNEL32(?,?), ref: 100732E2
                                            • _memset.LIBCMT ref: 100732FD
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0000004C,000000FF,?,00000104,00000000,00000000), ref: 1007331C
                                              • Part of subcall function 10072500: GetProcAddress.KERNEL32(10077B93,WSCDeinstallProvider), ref: 10072512
                                            • CoTaskMemFree.OLE32(00000000,00000000,00000000,?,?,?), ref: 10073351
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$Path$AddressByteCharMultiProcTaskWide$AllocEnvironmentExpandFindFreeRelativeStringslstrcmpi
                                            • String ID: G'
                                            • API String ID: 2103324610-1542159958
                                            • Opcode ID: d28e9971785e437b045838e01c80fcda235f76977c50ed4fea5c805e533fce12
                                            • Instruction ID: c25d97cb19f87a4e9a46e17a0f057a2b5eb2cb4382cb67700505869e69964223
                                            • Opcode Fuzzy Hash: d28e9971785e437b045838e01c80fcda235f76977c50ed4fea5c805e533fce12
                                            • Instruction Fuzzy Hash: A831A6B2508351AFE220DF64DC85DAFB7E8EB88354F018A1DF5D582141EB34DA48C766
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __CxxThrowException@8.LIBCMT ref: 1005225F
                                              • Part of subcall function 100A293D: RaiseException.KERNEL32(?,?,100A293C,10029968,?,?,?,?,100A293C,10029968,100E0FB0,100F3258), ref: 100A297D
                                            • __CxxThrowException@8.LIBCMT ref: 100522A2
                                            • __CxxThrowException@8.LIBCMT ref: 100522E5
                                            • __CxxThrowException@8.LIBCMT ref: 10052323
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Exception@8Throw$ExceptionRaise
                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                            • API String ID: 3476068407-1866435925
                                            • Opcode ID: a22c9200dd381b475e75c152e1f3ee05d7c3b85ad61525747b1e2fdbbb02d435
                                            • Instruction ID: 1f7de198fbd87d406a5ee1488e2c80f7713c50bc753d5c2a73cd8bd6e317848a
                                            • Opcode Fuzzy Hash: a22c9200dd381b475e75c152e1f3ee05d7c3b85ad61525747b1e2fdbbb02d435
                                            • Instruction Fuzzy Hash: 45217C79518780AFD355CB60DC52F9FB7E4EF89340F50891DF18A43292DB79A048CB22
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100841B0
                                            • GetWindowsDirectoryA.KERNEL32(?,00000104,Start Menu), ref: 100841C2
                                            • PathAddBackslashA.SHLWAPI(?), ref: 100841CD
                                            • PathFileExistsA.SHLWAPI(?,?,00000104,?,7FFFFFFF), ref: 10084217
                                            • lstrcpynA.KERNEL32(?,?,?), ref: 1008422F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: DirectoryPath$BackslashExistsFileSystemWindowslstrcpyn
                                            • String ID: Start Menu$WScript.exe
                                            • API String ID: 1859681772-2318239605
                                            • Opcode ID: f1f61ba8cceeaa1cb0d53adf486006fefc7d2f9959de42906ebbe9272b5322f0
                                            • Instruction ID: ce709937b29fe06f31454d8b89349460fbd302ac6b32c1adff64e583c9e1bde5
                                            • Opcode Fuzzy Hash: f1f61ba8cceeaa1cb0d53adf486006fefc7d2f9959de42906ebbe9272b5322f0
                                            • Instruction Fuzzy Hash: 7B2151B6604201ABD314DB64CC85EEA77E8FBE4710F41862EFE95C6190EB74D584CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Acceleration Software International Corporation\WebScan,00000000,00000000,00000000,0002001F,00000000,?,00000000,0000000F), ref: 0040EEB1
                                            • RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00409BF3), ref: 0040EED9
                                            • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00409BF3), ref: 0040EEE8
                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00409BF3), ref: 0040EF17
                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00409BF3), ref: 0040EF2C
                                            Strings
                                            • SOFTWARE\Acceleration Software International Corporation\WebScan, xrefs: 0040EEA7
                                            • CustomLastRan, xrefs: 0040EECB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CloseTime$CreateFileQuerySystemValue
                                            • String ID: CustomLastRan$SOFTWARE\Acceleration Software International Corporation\WebScan
                                            • API String ID: 2361499666-1971903048
                                            • Opcode ID: 86e81bc943370680356b5e3ed99d2c9b489a43cb0d48ad5b28f265d19c85f4b1
                                            • Instruction ID: 9c6f8479acd10f19c84808b0a58f2a5e203b4e238320a80b86e1e6449d9bba3c
                                            • Opcode Fuzzy Hash: 86e81bc943370680356b5e3ed99d2c9b489a43cb0d48ad5b28f265d19c85f4b1
                                            • Instruction Fuzzy Hash: 1F11D5755043216FD310DF5ADC84E9BBBE8EF88750F40492DF858D2291D370D9488BA6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileAttributesA.KERNEL32(?), ref: 10042170
                                            • lstrlenA.KERNEL32(?), ref: 10042182
                                            • _memset.LIBCMT ref: 10042197
                                            • lstrcpynA.KERNEL32(?,?,00000104), ref: 100421AA
                                            • PathAddBackslashA.SHLWAPI(?), ref: 100421B5
                                              • Part of subcall function 10041C80: _memset.LIBCMT ref: 10041CE7
                                              • Part of subcall function 10041C80: PathRemoveFileSpecA.SHLWAPI(?,?,00000104,7FFFFFFF,?,?,00000000), ref: 10041D2B
                                              • Part of subcall function 10041C80: FindFirstFileA.KERNEL32(?,?,?,00000000), ref: 10041D3D
                                              • Part of subcall function 10041C80: FindFirstFileA.KERNEL32(?,?,?,?,?,00000000), ref: 10041D66
                                              • Part of subcall function 10041C80: lstrcmpiA.KERNEL32(?,100D64B0), ref: 10041D85
                                              • Part of subcall function 10041C80: PathAddBackslashA.SHLWAPI(?,?,00000104,7FFFFFFF,?,00000000), ref: 10041DDC
                                            • PathFileExistsA.SHLWAPI(?), ref: 100421E3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Path$BackslashFindFirst_memset$AttributesExistsRemoveSpeclstrcmpilstrcpynlstrlen
                                            • String ID: *.*
                                            • API String ID: 2903392174-438819550
                                            • Opcode ID: 700579b4b9955cb53a0332d84a13c8fa40361659f40963a158b7ad2b37f31ff9
                                            • Instruction ID: 75fa71fe004523af4fdaf2258e115f12786e274d06b5a60263fe7c970a0c5323
                                            • Opcode Fuzzy Hash: 700579b4b9955cb53a0332d84a13c8fa40361659f40963a158b7ad2b37f31ff9
                                            • Instruction Fuzzy Hash: CC11AC75604221ABE310EB64CC86EDF77ACEFA9340F424828FF85D20A0DB74E644CB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SHGetValueA.SHLWAPI(80000002,SOFTWARE\Acceleration Software International Corporation\WebScan,logpath,00000000,?,?,00000000,?,?,100723F2), ref: 10072245
                                            • SHGetValueA.SHLWAPI(80000002,SOFTWARE\Acceleration Software International Corporation\WebScan,InstallPath,00000000,?,?,?,?,100723F2), ref: 10072269
                                            • PathAddBackslashA.SHLWAPI(?,?,?,100723F2,?,?,?,?,?,?,?,?,?,00000000), ref: 10072273
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Value$BackslashPath
                                            • String ID: InstallPath$SOFTWARE\Acceleration Software International Corporation\WebScan$logpath$scanlog.log
                                            • API String ID: 3034482774-3171843266
                                            • Opcode ID: d7ddc0dc5c6a5c72f6432d185b9c6970be72f8fc6c32de07a0f32666b5cb44bb
                                            • Instruction ID: 39051d39881514bee1b448a37b3e2798e1dbb8bcf096f01475e4697815e5ced1
                                            • Opcode Fuzzy Hash: d7ddc0dc5c6a5c72f6432d185b9c6970be72f8fc6c32de07a0f32666b5cb44bb
                                            • Instruction Fuzzy Hash: EDF0C8A320135977D3009A19DC44DE7B78CEBC1196F11426EFA09E1111EB62E6055730
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,0041D570,000000FF), ref: 0040B009
                                            • _malloc.LIBCMT ref: 0040B068
                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000008,?,00000000,00000000,00000000), ref: 0040B09B
                                            • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,-00000001,?,00000002,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040B0E5
                                            • FindResourceA.KERNEL32(00000000,?,?), ref: 0040B109
                                            • LoadResource.KERNEL32(00000000,00000000,?,00000002,00000000,?,?,?,?,?,?,?,?,00000000,0041D570,000000FF), ref: 0040B121
                                            • SizeofResource.KERNEL32(00000000,00000000,?,00000002,00000000,?,?,?,?,?,?,?,?,00000000,0041D570,000000FF), ref: 0040B13A
                                            • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,00000000,0041D570,000000FF), ref: 0040B1F6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Resource$LibraryLoad$ByteCharFindFreeMultiSizeofWide_malloclstrlen
                                            • String ID:
                                            • API String ID: 2471754344-0
                                            • Opcode ID: 1026e88c20b03e61d85d6d3098f64dfba36facff69901c25f1b1b621c8f12a5d
                                            • Instruction ID: 5786b3dee80d03322bc5d9121079768eea4ec5cbec7ba102c9a0c0b912e26d9a
                                            • Opcode Fuzzy Hash: 1026e88c20b03e61d85d6d3098f64dfba36facff69901c25f1b1b621c8f12a5d
                                            • Instruction Fuzzy Hash: 03818F71900219ABCB20DF65CC85BAF77A8EB44714F10863BE915BB2C0E7789A458BDD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CoCreateInstance.OLE32(004205DC,00000000,00000001,0042059C,?,4121B502,?,?,?), ref: 00405E8B
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CreateInstance
                                            • String ID:
                                            • API String ID: 542301482-0
                                            • Opcode ID: a0b090cb7f399714225e6233ad25cadf7b1894eb9463baf7a79d2bb3d32b38ec
                                            • Instruction ID: f11ad9d70a0943c85b4e7a47ca944ab9a7cd7eeeb729c859dfda2566515873bb
                                            • Opcode Fuzzy Hash: a0b090cb7f399714225e6233ad25cadf7b1894eb9463baf7a79d2bb3d32b38ec
                                            • Instruction Fuzzy Hash: 8D51D374208B469BD730DF18C844BA777E8EB44700F90883BF995962C1E77C9942CF9A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyExA.ADVAPI32 ref: 0040C6F5
                                            • RegCloseKey.ADVAPI32(?), ref: 0040C70A
                                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00000000,4121B502), ref: 0040C752
                                            • RegEnumKeyExA.ADVAPI32(0002001F,00000000,?,00000000,00000000,00000000,00000000,4121B502), ref: 0040C794
                                            • RegCloseKey.ADVAPI32(?), ref: 0040C7A7
                                            • RegDeleteKeyA.ADVAPI32(?,?), ref: 0040C7BA
                                            • RegCloseKey.ADVAPI32(?), ref: 0040C7CB
                                            • RegCloseKey.ADVAPI32(?), ref: 0040C7F6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Close$Enum$DeleteOpen
                                            • String ID:
                                            • API String ID: 3743465055-0
                                            • Opcode ID: 8e65a327043b8fe8a0b056a1852f58d5de7e07bcac1e8022f48ed69a82b722e0
                                            • Instruction ID: 56ca214aaf132fccda7679a1c29e3db42f40845e8e305f3105c440160e613801
                                            • Opcode Fuzzy Hash: 8e65a327043b8fe8a0b056a1852f58d5de7e07bcac1e8022f48ed69a82b722e0
                                            • Instruction Fuzzy Hash: D2312375504302DBD724DF15DC84F6BB7E8ABC8754F044A2EF945E7280D774D9048BA6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SysAllocString.OLEAUT32(?), ref: 0040742C
                                            • SysFreeString.OLEAUT32(00000000), ref: 0040745E
                                            • SysStringLen.OLEAUT32(?), ref: 0040746F
                                            • SysStringLen.OLEAUT32(?), ref: 0040747A
                                            • CoTaskMemAlloc.OLE32(00000002), ref: 00407481
                                            • SysFreeString.OLEAUT32(?), ref: 00407493
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: String$AllocFree$Task
                                            • String ID:
                                            • API String ID: 1511711959-0
                                            • Opcode ID: 2364b8ad07e07cf549672f361c5950b6de3c7504b6e323686b2651541fe26cd7
                                            • Instruction ID: ad84660b36c3aeefd4400446d530d8207d9b08e6829cd97b5d06d22cc40c57fb
                                            • Opcode Fuzzy Hash: 2364b8ad07e07cf549672f361c5950b6de3c7504b6e323686b2651541fe26cd7
                                            • Instruction Fuzzy Hash: 3B215C766092295BD3109B599C80D6BB7ECBFC8728F10862FF944E7341C679ED018BE6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004010F9
                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401115
                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401124
                                            • GlobalLock.KERNEL32(00000000,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040112D
                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000003,00000000), ref: 00401149
                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00401157
                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,0041E42C,?), ref: 00401177
                                            • CloseHandle.KERNEL32(00000000,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040118E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: FileGlobal$Create$AllocCloseHandleLoadLockPictureReadSizeStream
                                            • String ID:
                                            • API String ID: 4253759095-0
                                            • Opcode ID: 90cc6c6700ad77220b56bd0b47b5f0061a461157046271d4573048e6e579110f
                                            • Instruction ID: 59e248d687ed549b884d3e7dc22ad4a234c4fd4d8e62386973d92b270a0d61a8
                                            • Opcode Fuzzy Hash: 90cc6c6700ad77220b56bd0b47b5f0061a461157046271d4573048e6e579110f
                                            • Instruction Fuzzy Hash: 3A21CB752443057FE3109F66EC88FA7BB9CEB88755F00853AFE00D62A1D674A909C679
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00402B70: FindResourceA.KERNEL32(00400000,?,000000F0), ref: 00402BB1
                                              • Part of subcall function 00402B70: LoadResource.KERNEL32(00400000,00000000,?,?,?), ref: 00402BC3
                                              • Part of subcall function 00402B70: LockResource.KERNEL32(00000000,?,?,?), ref: 00402BD2
                                              • Part of subcall function 00402B70: SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00402C72
                                            • SetTimer.USER32(?,0000000A,0000005A,00000000), ref: 0040DAE0
                                            • GetDlgItem.USER32(?,000003F1), ref: 0040DAEF
                                            • SetWindowTextA.USER32(00000000,?), ref: 0040DB14
                                            • GetSystemMetrics.USER32(00000032), ref: 0040DB22
                                            • GetSystemMetrics.USER32(00000031), ref: 0040DB28
                                            • LoadImageA.USER32(00400000,00000081,00000001,00000000,00000000,00000000), ref: 0040DB3C
                                            • CreateSolidBrush.GDI32(00FFFFFF), ref: 0040DB4D
                                            • SendMessageA.USER32(?,00000080,00000001,?), ref: 0040DB7B
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Resource$ItemLoadMessageMetricsSendSystem$BrushCreateFindImageLockSolidTextTimerWindow
                                            • String ID:
                                            • API String ID: 1273129667-0
                                            • Opcode ID: a066066810462f53a49c47a9aa7084f9b8e9af06bfb5d8373fa756f3478d836f
                                            • Instruction ID: afa590425edaf79bde64311ce2db10c8b09edd7f7ff0bca69072ceb2731ad06b
                                            • Opcode Fuzzy Hash: a066066810462f53a49c47a9aa7084f9b8e9af06bfb5d8373fa756f3478d836f
                                            • Instruction Fuzzy Hash: 7B2130B5640704ABE7209B75CC89F97B7ACAB48B01F00892DF79A9B2D1C7B5B445CB18
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetDlgItem.USER32(?,000003E9), ref: 1004805D
                                            • GetWindowTextLengthA.USER32(00000000), ref: 10048066
                                            • lstrlenA.KERNEL32(?,?,75BF6C40,75C08FB0,100486C8,Current Internet Explorer Settings -), ref: 10048073
                                            • CoTaskMemAlloc.OLE32(?,?,75BF6C40,75C08FB0,100486C8,Current Internet Explorer Settings -), ref: 1004807E
                                            • GetWindowTextA.USER32(00000000,00000000,?), ref: 1004808D
                                            • SetWindowTextA.USER32(00000000,00000000), ref: 100480C1
                                            • SendMessageA.USER32(00000000,00000115,00000007,00000000), ref: 100480D1
                                            • CoTaskMemFree.OLE32(00000000,?,75BF6C40,75C08FB0,100486C8,Current Internet Explorer Settings -), ref: 100480D8
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: TextWindow$Task$AllocFreeItemLengthMessageSendlstrlen
                                            • String ID:
                                            • API String ID: 3718305144-0
                                            • Opcode ID: eb5204801ddbd7e9e33177b00545f9afd2065951b89874c4534e0227755b2c98
                                            • Instruction ID: 94424935cc4556dd875b85e794a376b90c50c4cf7bf17cd231c81b4fb090cdc3
                                            • Opcode Fuzzy Hash: eb5204801ddbd7e9e33177b00545f9afd2065951b89874c4534e0227755b2c98
                                            • Instruction Fuzzy Hash: D6018036200221BBE2109BA18C8DFAB7BACEB86761F030614FE55D6191DF64A8498770
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __itoa_s_memset
                                            • String ID: %d DETECT [%s] ver=%s$name$result$version
                                            • API String ID: 1081510541-3900207726
                                            • Opcode ID: edbea0013d33b8b5061385c9b3d5f39af93b3b333a90e0ba73ca021c0b1ff2df
                                            • Instruction ID: 814bebc32de92db611d45b2b2379623a20b8e7995202ad89551b6c5a0083d7ce
                                            • Opcode Fuzzy Hash: edbea0013d33b8b5061385c9b3d5f39af93b3b333a90e0ba73ca021c0b1ff2df
                                            • Instruction Fuzzy Hash: 7D911875500B42AFD315EBB0DC86F9BB3E8EF1934AF40891DF2564A142EBB4B548C7A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00409260: InitializeCriticalSection.KERNEL32(0000001C,4121B502,0000001C,00000000,00000000,000000FE), ref: 0040929B
                                            • lstrlenA.KERNEL32(?), ref: 0040CB87
                                              • Part of subcall function 004036A0: _malloc.LIBCMT ref: 004036AE
                                            • GetModuleHandleA.KERNEL32(00000000), ref: 0040CC34
                                            • lstrlenW.KERNEL32(?), ref: 0040CC92
                                              • Part of subcall function 0040AA50: LeaveCriticalSection.KERNEL32(?,?,00000000,?,-00000001,?,00000002,00000000), ref: 0040AB53
                                              • Part of subcall function 0040CEC0: lstrlenW.KERNEL32(REGISTRY), ref: 0040CF01
                                              • Part of subcall function 0040CEC0: WideCharToMultiByte.KERNEL32(?,00000000,REGISTRY,000000FF,00000008,00000000,00000000,00000000), ref: 0040CF86
                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000104), ref: 0040CB3F
                                              • Part of subcall function 0040AA50: EnterCriticalSection.KERNEL32(?,4121B502), ref: 0040AA9B
                                              • Part of subcall function 0040AA50: lstrlenW.KERNEL32(?), ref: 0040AAB1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: lstrlen$CriticalSection$Module$ByteCharEnterFileHandleInitializeLeaveMultiNameWide_malloc
                                            • String ID: Module$Module_Raw
                                            • API String ID: 2079919627-3885325121
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _strcpy_s.LIBCMT ref: 1000C009
                                            • PathAppendA.SHLWAPI(?,?,?,?,00000010), ref: 1000C016
                                              • Part of subcall function 1000B840: VariantClear.OLEAUT32 ref: 1000B882
                                              • Part of subcall function 1000B840: SysAllocString.OLEAUT32(00000000), ref: 1000B926
                                              • Part of subcall function 1000B840: _com_raise_error.COMSUPP ref: 1000B949
                                            • OleLoadPictureFile.OLEAUT32 ref: 1000C05B
                                            • VariantClear.OLEAUT32(?), ref: 1000C072
                                            • GetDC.USER32(?), ref: 1000C0CB
                                            • DeleteObject.GDI32(00000000), ref: 1000C15A
                                            • ReleaseDC.USER32(?,00000000), ref: 1000C16F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ClearVariant$AllocAppendDeleteFileLoadObjectPathPictureReleaseString_com_raise_error_strcpy_s
                                            • String ID:
                                            • API String ID: 1915019314-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 10082160: GetTickCount.KERNEL32 ref: 10082161
                                              • Part of subcall function 10082160: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 10082176
                                            • _memset.LIBCMT ref: 10030704
                                            • __itoa_s.LIBCMT ref: 10030719
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CountLibraryLoadTick__itoa_s_memset
                                            • String ID: DCS$file$item$path
                                            • API String ID: 2517018591-665966532
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • getSystemCP.LIBCMT ref: 004178DA
                                              • Part of subcall function 00417847: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00417854
                                              • Part of subcall function 00417847: GetOEMCP.KERNEL32(00000000,?,00414559), ref: 0041786E
                                            • setSBCS.LIBCMT ref: 004178EC
                                              • Part of subcall function 004175C4: _memset.LIBCMT ref: 004175D7
                                            • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,00422C30), ref: 00417932
                                            • GetCPInfo.KERNEL32(00000000,00417C44), ref: 00417945
                                            • _memset.LIBCMT ref: 0041795D
                                            • setSBUpLow.LIBCMT ref: 00417A30
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
                                            • String ID:
                                            • API String ID: 2658552758-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __itoa_s_memset
                                            • String ID: CDPR$CDPR%d: SUCCESS <%s>$item$path
                                            • API String ID: 1081510541-3480530865
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileAttributesA.KERNEL32(?,9E6FDE2E,?,?,?,?), ref: 10004144
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 10004175
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000,?,?), ref: 100041A2
                                            • _memset.LIBCMT ref: 100041D1
                                            • CloseHandle.KERNEL32(00000000,?,00000104,00000000), ref: 10004263
                                              • Part of subcall function 10041A40: GetLastError.KERNEL32(00000000,10004189,?,?), ref: 10041A43
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Create$AttributesCloseErrorHandleLast_memset
                                            • String ID: %2.2x
                                            • API String ID: 4135166136-341615062
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindResourceA.KERNEL32(00400000,?,000000F0), ref: 00402BB1
                                            • LoadResource.KERNEL32(00400000,00000000,?,?,?), ref: 00402BC3
                                            • LockResource.KERNEL32(00000000,?,?,?), ref: 00402BD2
                                            • lstrlenA.KERNEL32(-00000008,?,?,?), ref: 00402C25
                                            • _memcpy_s.LIBCMT ref: 00402C47
                                            • SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00402C72
                                            • SendDlgItemMessageA.USER32(?,?,00000401,00000000,?), ref: 00402CE6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Resource$ItemMessageSend$FindLoadLock_memcpy_slstrlen
                                            • String ID:
                                            • API String ID: 3674652523-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CallWindowProcA.USER32(?,?,?,?,?), ref: 00404F6F
                                            • GetWindowLongA.USER32(?,000000FC), ref: 00404F84
                                            • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 00404F99
                                            • GetWindowLongA.USER32(?,000000FC), ref: 00404FB4
                                            • SetWindowLongA.USER32(?,000000FC,?), ref: 00404FC6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Window$Long$CallProc
                                            • String ID: $
                                            • API String ID: 513923721-3993045852
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CallWindowProcA.USER32(?,?,?,?,?), ref: 1000B2EF
                                            • GetWindowLongA.USER32(?,000000FC), ref: 1000B304
                                            • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 1000B319
                                            • GetWindowLongA.USER32(?,000000FC), ref: 1000B334
                                            • SetWindowLongA.USER32(?,000000FC,?), ref: 1000B346
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Window$Long$CallProc
                                            • String ID: $
                                            • API String ID: 513923721-3993045852
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 10003DAC
                                            • CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 10003DBB
                                            • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000), ref: 10003DDB
                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000002,00000000,00000000,00000000), ref: 10003DEC
                                            • GetFileSize.KERNEL32(?,00000000,?,00000000,00000002,00000000,00000000,00000000), ref: 10003E13
                                            • UnmapViewOfFile.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 10003EA5
                                            • CloseHandle.KERNEL32(00000000), ref: 10003EAC
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$CloseHandleView$CreateMappingSizeUnmap_memset
                                            • String ID:
                                            • API String ID: 1073432007-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 100730EC
                                              • Part of subcall function 10072490: GetProcAddress.KERNEL32(-00000014,WSCGetProviderPath), ref: 100724A2
                                            • _memset.LIBCMT ref: 10073132
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,-00000014,00000000), ref: 10073155
                                            • _memset.LIBCMT ref: 1007316E
                                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 10073188
                                            • PathIsRelativeA.SHLWAPI(?), ref: 10073193
                                            • PathFindOnPathA.SHLWAPI(?,00000000), ref: 100731A3
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmpDownload File
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmpDownload File
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Path_memset$AddressByteCharEnvironmentExpandFindMultiProcRelativeStringsWide
                                            • String ID:
                                            • API String ID: 338217658-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _strcpy_s.LIBCMT ref: 100AD18E
                                            • GetModuleFileNameA.KERNEL32(00000000,100F3791,00000104,?,100A28F0,00000008,10029968,00000008), ref: 100AD1BB
                                            Strings
                                            • Runtime Error!Program: , xrefs: 100AD17D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: FileModuleName_strcpy_s
                                            • String ID: Runtime Error!Program:
                                            • API String ID: 1947175964-1132096306
                                            • Opcode ID: 57694161019eacd9ae1a412c7f055bc8634319663e28d9738d54f233e0168571
                                            • Instruction ID: 96f807deec1ee144d95fdacdbd729f870ddb80d395963ff699357a51a2e44393
                                            • Opcode Fuzzy Hash: 57694161019eacd9ae1a412c7f055bc8634319663e28d9738d54f233e0168571
                                            • Instruction Fuzzy Hash: 5211C87A145314BBF740F7D48CC5BAA3798E7552A1F11022BFD06960E2DA629841D3B1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetDC.USER32(00000000), ref: 1000B6D8
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 1000B702
                                            • MulDiv.KERNEL32(00000000), ref: 1000B709
                                            • DPtoLP.GDI32(00000000,00000001,00000001), ref: 1000B721
                                            • DPtoLP.GDI32(00000000,?,00000001), ref: 1000B733
                                            • ReleaseDC.USER32(00000000,00000000), ref: 1000B74E
                                            • CreateFontIndirectA.GDI32(?), ref: 1000B759
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                            • String ID:
                                            • API String ID: 3808545654-0
                                            • Opcode ID: 306eafb4f8cb3e5f4afdde1fae4cd3e6beea6d76bc51106853fe896524798aee
                                            • Instruction ID: d597219b45657231358d27325039d0f2462f34eb488782fc641df61499117b21
                                            • Opcode Fuzzy Hash: 306eafb4f8cb3e5f4afdde1fae4cd3e6beea6d76bc51106853fe896524798aee
                                            • Instruction Fuzzy Hash: 6F211D716083159FD700DF69C989A6BBBE8FBC8B44F010A1EF949D7250DBB4A904CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1002BB48
                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1002BB59
                                            • VirtualAlloc.KERNEL32(00000000,-00000001,00001000,00000004,?,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1002BB6D
                                            • ReadFile.KERNEL32(00000000,00000000,-00000001,?,00000000,?,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1002BB82
                                            • StrStrIA.SHLWAPI(00000000,?,?,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1002BB92
                                            • VirtualFree.KERNEL32(00000000,-00000001,00004000,?,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1002BBA8
                                            • CloseHandle.KERNEL32(00000000,?,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1002BBAF
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
                                            • String ID:
                                            • API String ID: 1974014688-0
                                            • Opcode ID: 84741a0ffdad666fffacbd14c8c8603bf29ed3070f2f033dbf8cec4f3ea24be8
                                            • Instruction ID: 7ce334be4603f9bc6d066ac44dde004ac88ce182b7881848daedbbef340a637e
                                            • Opcode Fuzzy Hash: 84741a0ffdad666fffacbd14c8c8603bf29ed3070f2f033dbf8cec4f3ea24be8
                                            • Instruction Fuzzy Hash: 0E1182763012187BE6218A65AC8DFB77B5CDB967A2F12412AFE4691180EFB29844C730
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 10039DBE
                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000103), ref: 10039DD2
                                            • PathRemoveExtensionA.SHLWAPI(?), ref: 10039DDD
                                            • CreateFileA.KERNEL32(40000000,40000000,00000000,00000000,00000002,80000080,00000000,?,00000104,?,7FFFFFFF), ref: 10039E39
                                            • CloseHandle.KERNEL32(00000000), ref: 10039E4E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$CloseCreateExtensionHandleModuleNamePathRemove_memset
                                            • String ID: .dmp
                                            • API String ID: 1261017976-2921398331
                                            • Opcode ID: be686022f6885aed4ceb34538f1d1720a56d56697d5b72d6f372cdb8ae1fb852
                                            • Instruction ID: 1b30a3d54370dbd4e8ef374b8aabf95264ea2dcefa7c088cc91c56e859038b7d
                                            • Opcode Fuzzy Hash: be686022f6885aed4ceb34538f1d1720a56d56697d5b72d6f372cdb8ae1fb852
                                            • Instruction Fuzzy Hash: 89118776604310BBE320DB64CC86FDB77D8EB94710F114A2DFB94961D1EB70A548C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetMapMode.GDI32(00000000,00000000,?,?,00000000,00000000,004010A7,?,004095B3,?,?,?,00000000), ref: 004012E2
                                            • SetMapMode.GDI32(00000000,00000003), ref: 004012FD
                                              • Part of subcall function 00401250: GetWindowExtEx.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00401306,?,004095B3,?,?,?,00000000), ref: 0040126B
                                              • Part of subcall function 00401250: GetViewportExtEx.GDI32(00000000,?,?,?,?,?,00401306,?,004095B3,?,?,?,00000000), ref: 0040127F
                                              • Part of subcall function 00401250: MulDiv.KERNEL32(?,?,?), ref: 004012A2
                                              • Part of subcall function 00401250: MulDiv.KERNEL32(?,?,?), ref: 004012BE
                                            • SetMapMode.GDI32(00000000,00000000), ref: 00401308
                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401319
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401320
                                            • MulDiv.KERNEL32(00000000,00000000,000009EC), ref: 0040133B
                                            • MulDiv.KERNEL32(?,00000000,000009EC), ref: 00401349
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Mode$CapsDevice$ViewportWindow
                                            • String ID:
                                            • API String ID: 219711750-0
                                            • Opcode ID: 00e6bf4cb903aa72f3c260781b1cbc3a1f7ef6e3e97fa65edd476c6da04b39a1
                                            • Instruction ID: e633ba34e9d13ee2ef28da0e4df07c33f1df78e1d380c249c38279f46ebcb09d
                                            • Opcode Fuzzy Hash: 00e6bf4cb903aa72f3c260781b1cbc3a1f7ef6e3e97fa65edd476c6da04b39a1
                                            • Instruction Fuzzy Hash: 8B01D27630070427F22067AAACC1D3BF7ACEBC9B51B10013EFE05A3690DABA9C014228
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetDC.USER32(00000000), ref: 0040988A
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004098B4
                                            • MulDiv.KERNEL32(00000000), ref: 004098BB
                                            • DPtoLP.GDI32(00000000,?,00000001), ref: 004098D3
                                            • DPtoLP.GDI32(00000000,?,00000001), ref: 004098E5
                                            • ReleaseDC.USER32(00000000,00000000), ref: 004098FC
                                            • CreateFontIndirectA.GDI32(?), ref: 00409907
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                            • String ID:
                                            • API String ID: 3808545654-0
                                            • Opcode ID: 4ad4d5983bec33afeb8d9057a9073f99d0269b0ea2f54320ee177eed6715dc81
                                            • Instruction ID: 2fdcc67946629330027b84294e837794c074d2c49d5eaa2994b179bdafb87770
                                            • Opcode Fuzzy Hash: 4ad4d5983bec33afeb8d9057a9073f99d0269b0ea2f54320ee177eed6715dc81
                                            • Instruction Fuzzy Hash: 711138B1A043049FD300DF6AD849A6BBBE8FB8C704F404A2EF68897250D7B49904CB66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(vclnr.dll,?,?,75BF3EB0), ref: 10048119
                                            • GetModuleHandleA.KERNEL32(?,?,?,?,75BF3EB0), ref: 1004814C
                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,75BF3EB0), ref: 10048163
                                            • PathRemoveFileSpecA.SHLWAPI(?,?,75BF3EB0), ref: 1004816E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Module$FileHandle$NamePathRemoveSpec
                                            • String ID: vclnr%d.dll$vclnr.dll
                                            • API String ID: 1442317493-614187252
                                            • Opcode ID: 1652d2c767813d3fe921df6aa02ebb8026ccd8ccf550a9269a85ecce39db5898
                                            • Instruction ID: 1641f38564002eaf536cb36ab9f02e41035749fc50577e0bda971d706bbedd10
                                            • Opcode Fuzzy Hash: 1652d2c767813d3fe921df6aa02ebb8026ccd8ccf550a9269a85ecce39db5898
                                            • Instruction Fuzzy Hash: A71194B65043556BE320DBA48C85EEF779CEB98350F110E29FE58D2191DB34E505C772
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetMapMode.GDI32(?,00000000,00000000,00000002,1000C0EE,?,?,?,?,?,?,?,00000010), ref: 1000BEF8
                                            • SetMapMode.GDI32(?,00000003), ref: 1000BF15
                                            • SetMapMode.GDI32(00000000,00000000), ref: 1000BF27
                                            • GetDeviceCaps.GDI32(?,00000058), ref: 1000BF3A
                                            • GetDeviceCaps.GDI32(?,0000005A), ref: 1000BF43
                                            • MulDiv.KERNEL32(00000000,00000000,000009EC), ref: 1000BF5A
                                            • MulDiv.KERNEL32(00000000,00000000,000009EC), ref: 1000BF68
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Mode$CapsDevice
                                            • String ID:
                                            • API String ID: 2207581877-0
                                            • Opcode ID: 92953961ce47beff77d6d2007dfbaf3aefec56eab787d4f1b48af18fab436ee0
                                            • Instruction ID: 8397d358bf56609b1a855024c393e041345da9790b5bb3a44d1481580af59223
                                            • Opcode Fuzzy Hash: 92953961ce47beff77d6d2007dfbaf3aefec56eab787d4f1b48af18fab436ee0
                                            • Instruction Fuzzy Hash: 740105B2704650ABE720EFA9DC84D5BB7EDAFDC711B11481AFA85C3290CA70A8018F64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00402B70: FindResourceA.KERNEL32(00400000,?,000000F0), ref: 00402BB1
                                              • Part of subcall function 00402B70: LoadResource.KERNEL32(00400000,00000000,?,?,?), ref: 00402BC3
                                              • Part of subcall function 00402B70: LockResource.KERNEL32(00000000,?,?,?), ref: 00402BD2
                                              • Part of subcall function 00402B70: SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00402C72
                                            • GetDlgItem.USER32(?,000003E8), ref: 0040187F
                                            • SetWindowTextA.USER32(00000000,?), ref: 0040189B
                                            • GetSystemMetrics.USER32(00000032), ref: 004018A9
                                            • GetSystemMetrics.USER32(00000031), ref: 004018AF
                                            • LoadImageA.USER32(00400000,00000081,00000001,00000000,00000000,00000000), ref: 004018C3
                                            • CreateSolidBrush.GDI32(00FFFFFF), ref: 004018D1
                                            • SendMessageA.USER32(?,00000080,00000001,00000001), ref: 004018F6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Resource$ItemLoadMessageMetricsSendSystem$BrushCreateFindImageLockSolidTextWindow
                                            • String ID:
                                            • API String ID: 762897242-0
                                            • Opcode ID: a526e61296efc55688080f101d0e902de015b339a26d09a37ff876799df81042
                                            • Instruction ID: d68e33b6a406aa20cf8ef0f16c10a26f916bd01efb3d9857362eeb9523d83451
                                            • Opcode Fuzzy Hash: a526e61296efc55688080f101d0e902de015b339a26d09a37ff876799df81042
                                            • Instruction Fuzzy Hash: 91116D75640704ABE3209B61CC89FA7B7EDBF48B00F008A2DF656972D0C7B4B841CB18
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00402B70: FindResourceA.KERNEL32(00400000,?,000000F0), ref: 00402BB1
                                              • Part of subcall function 00402B70: LoadResource.KERNEL32(00400000,00000000,?,?,?), ref: 00402BC3
                                              • Part of subcall function 00402B70: LockResource.KERNEL32(00000000,?,?,?), ref: 00402BD2
                                              • Part of subcall function 00402B70: SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00402C72
                                            • GetDlgItem.USER32(?,000003F0), ref: 0040E34F
                                            • SetWindowTextA.USER32(00000000,?), ref: 0040E36B
                                            • GetSystemMetrics.USER32(00000032), ref: 0040E379
                                            • GetSystemMetrics.USER32(00000031), ref: 0040E37F
                                            • LoadImageA.USER32(00400000,00000081,00000001,00000000,00000000,00000000), ref: 0040E393
                                            • CreateSolidBrush.GDI32(00FFFFFF), ref: 0040E3A1
                                            • SendMessageA.USER32(?,00000080,00000001,00000001), ref: 0040E3C6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Resource$ItemLoadMessageMetricsSendSystem$BrushCreateFindImageLockSolidTextWindow
                                            • String ID:
                                            • API String ID: 762897242-0
                                            • Opcode ID: 0e6ab14b1d65d37d63c9ed3aa31d0e8c7fe03c91b708a057f6f0a631475e3f87
                                            • Instruction ID: b7e3e477d86f6d641783122ccc2e722c985ffe0ef4ec6010ae29e96a4a19d4ba
                                            • Opcode Fuzzy Hash: 0e6ab14b1d65d37d63c9ed3aa31d0e8c7fe03c91b708a057f6f0a631475e3f87
                                            • Instruction Fuzzy Hash: F8112B75640704ABE3249B66CC49FA7B7E9FB48B00F00892DFA56972D1C7B5B841CB18
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00402B70: FindResourceA.KERNEL32(00400000,?,000000F0), ref: 00402BB1
                                              • Part of subcall function 00402B70: LoadResource.KERNEL32(00400000,00000000,?,?,?), ref: 00402BC3
                                              • Part of subcall function 00402B70: LockResource.KERNEL32(00000000,?,?,?), ref: 00402BD2
                                              • Part of subcall function 00402B70: SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00402C72
                                            • GetDlgItem.USER32(?,000003EF), ref: 0040E7AF
                                            • SetWindowTextA.USER32(00000000,?), ref: 0040E7CB
                                            • GetSystemMetrics.USER32(00000032), ref: 0040E7D9
                                            • GetSystemMetrics.USER32(00000031), ref: 0040E7DF
                                            • LoadImageA.USER32(00400000,00000081,00000001,00000000,00000000,00000000), ref: 0040E7F3
                                            • CreateSolidBrush.GDI32(00FFFFFF), ref: 0040E801
                                            • SendMessageA.USER32(?,00000080,00000001,00000001), ref: 0040E826
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Resource$ItemLoadMessageMetricsSendSystem$BrushCreateFindImageLockSolidTextWindow
                                            • String ID:
                                            • API String ID: 762897242-0
                                            • Opcode ID: aa42de164a4a9ed48013b1e4f11714fea3c211c3ce1bb0b69ad3d5c2b3f7f9e8
                                            • Instruction ID: 267b8ac06693ff8314e6ff6d13e9bdf55432448099649e69a1366f882fe711c0
                                            • Opcode Fuzzy Hash: aa42de164a4a9ed48013b1e4f11714fea3c211c3ce1bb0b69ad3d5c2b3f7f9e8
                                            • Instruction Fuzzy Hash: 57112B75640704ABE3249B66CC89F97B7ECBB48B00F008A2DF656972D0C7B4B841CB18
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EE0E
                                            • RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Acceleration Software International Corporation\WebScan,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 0040EE42
                                            • RegSetValueExA.ADVAPI32(?,CustomLastRan,00000000,00000003,?,00000008), ref: 0040EE60
                                            • RegCloseKey.ADVAPI32(?), ref: 0040EE6F
                                            Strings
                                            • SOFTWARE\Acceleration Software International Corporation\WebScan, xrefs: 0040EE30
                                            • CustomLastRan, xrefs: 0040EE5A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Time$CloseCreateFileSystemValue
                                            • String ID: CustomLastRan$SOFTWARE\Acceleration Software International Corporation\WebScan
                                            • API String ID: 1298677607-1971903048
                                            • Opcode ID: 313b080f516768121d1bc76ecb0e7bf13a6503a52fe3ad985e5303e6344d8d80
                                            • Instruction ID: 77bd05520c018d911f57094f6ccfabf2fdfcc3841e815119bfa16fcd4ef2623c
                                            • Opcode Fuzzy Hash: 313b080f516768121d1bc76ecb0e7bf13a6503a52fe3ad985e5303e6344d8d80
                                            • Instruction Fuzzy Hash: 61011E74644301BFE350DF65DD45F5BBBE8AB88B00F50882DF688D6291E7B4E5048B5A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 100A170F
                                            • __CxxThrowException@8.LIBCMT ref: 100A1741
                                              • Part of subcall function 100A293D: RaiseException.KERNEL32(?,?,100A293C,10029968,?,?,?,?,100A293C,10029968,100E0FB0,100F3258), ref: 100A297D
                                            • __EH_prolog3.LIBCMT ref: 100A174E
                                            • __CxxThrowException@8.LIBCMT ref: 100A1780
                                              • Part of subcall function 10002550: std::exception::exception.LIBCMT ref: 1000257E
                                            Strings
                                            • invalid string position, xrefs: 100A1714
                                            • invalid string argument, xrefs: 100A1753
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Exception@8H_prolog3Throw$ExceptionRaisestd::exception::exception
                                            • String ID: invalid string argument$invalid string position
                                            • API String ID: 260541608-3740083952
                                            • Opcode ID: b407399c33362b259a17db5d2556768028dbbe5dc194b065f37a6ec144445950
                                            • Instruction ID: f27d76c637e5077cf980a44da3798804b4382ed938e22002db5e96f38e12c61d
                                            • Opcode Fuzzy Hash: b407399c33362b259a17db5d2556768028dbbe5dc194b065f37a6ec144445950
                                            • Instruction Fuzzy Hash: 6D012CB590035DEADB14DBD4CC11EDEBB78EF18361F440429B304BA245DBB8AA44CB75
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • TlsGetValue.KERNEL32(00000000,00413B19,00000000,00418C24,00000000,00000000,00000314,?,?,?,004276E8,00413789,004276E8,Microsoft Visual C++ Runtime Library,00012010), ref: 00413AB1
                                            • TlsGetValue.KERNEL32(00000006,?,?,?,004276E8,00413789,004276E8,Microsoft Visual C++ Runtime Library,00012010), ref: 00413AC8
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,004276E8,00413789,004276E8,Microsoft Visual C++ Runtime Library,00012010), ref: 00413ADD
                                            • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00413AF8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Value$AddressHandleModuleProc
                                            • String ID: EncodePointer$KERNEL32.DLL
                                            • API String ID: 1929421221-3682587211
                                            • Opcode ID: c14f37db2024153f4fe9b8587005eba3a2260c3177e9ee4849d03dd9b04fb806
                                            • Instruction ID: 6ae772ceaf58679d68321c49ff3f04b8665b0915b960c7c320576075b4c9380a
                                            • Opcode Fuzzy Hash: c14f37db2024153f4fe9b8587005eba3a2260c3177e9ee4849d03dd9b04fb806
                                            • Instruction Fuzzy Hash: BDF06234604622AB8611AF26EC04AEB7FE8AF057927444126FC58D62B1DF38EDC1CB5D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • TlsGetValue.KERNEL32(00000000,00413BB0), ref: 00413B28
                                            • TlsGetValue.KERNEL32(00000006), ref: 00413B3F
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 00413B54
                                            • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00413B6F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Value$AddressHandleModuleProc
                                            • String ID: DecodePointer$KERNEL32.DLL
                                            • API String ID: 1929421221-629428536
                                            • Opcode ID: cf0d61be8eb42e5cc3d7567e1b9ca48e621795884a50b68306bf98c265088626
                                            • Instruction ID: af024956cfef60c56ee5f4564d4adf01e3e7700bd88a218cbcd0ed68e89f3a68
                                            • Opcode Fuzzy Hash: cf0d61be8eb42e5cc3d7567e1b9ca48e621795884a50b68306bf98c265088626
                                            • Instruction Fuzzy Hash: 48F09638205522AFC6116F25EC08EDBBBE4AF047527044176FC09D32B1EB34EEC18A9D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • TlsGetValue.KERNEL32(100BA25E,100BA2DE,100BA25E,00000014,100ABF83,00000000,00000FA0,100ED3C8,0000000C,100ABFE2,100A28F0,?,?,100B4645,00000004,100ED568), ref: 100A9838
                                            • TlsGetValue.KERNEL32(00000005,?,100B4645,00000004,100ED568,0000000C,100A78CD,100A28F0,100A28F0,00000000,00000000,00000000,100A9AA4,00000001,00000214), ref: 100A984F
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,100B4645,00000004,100ED568,0000000C,100A78CD,100A28F0,100A28F0,00000000,00000000,00000000,100A9AA4,00000001,00000214), ref: 100A9864
                                            • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 100A987F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Value$AddressHandleModuleProc
                                            • String ID: EncodePointer$KERNEL32.DLL
                                            • API String ID: 1929421221-3682587211
                                            • Opcode ID: 78539c0242322dba888db7c0f032fe392bba93b6f0e4cdbad1c16288bcb43bca
                                            • Instruction ID: ad52de365449a21122811b2ed629dbb907de6c76e9d50ff8d5a16ccd7da08779
                                            • Opcode Fuzzy Hash: 78539c0242322dba888db7c0f032fe392bba93b6f0e4cdbad1c16288bcb43bca
                                            • Instruction Fuzzy Hash: C0F0BD38605637DBE641DBA9DC44AAA3BD5EF422A0B024175FC28D3270DF34DD41DBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • TlsGetValue.KERNEL32(80040111,100AA6D1,100A32BD,100A28F0,?,100A28F0,00000008,10029968,00000008), ref: 100A98AF
                                            • TlsGetValue.KERNEL32(00000005,?,100A28F0,00000008,10029968,00000008), ref: 100A98C6
                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,100A28F0,00000008,10029968,00000008), ref: 100A98DB
                                            • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 100A98F6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Value$AddressHandleModuleProc
                                            • String ID: DecodePointer$KERNEL32.DLL
                                            • API String ID: 1929421221-629428536
                                            • Opcode ID: dba82ea395e99034f6164c14ba2547cb136bcea817b72b7734b9157b3c2c0ef6
                                            • Instruction ID: c1f5381555e5c486b56810f9c47af9934fa678ec5f1d3f1944b0b1a70d740230
                                            • Opcode Fuzzy Hash: dba82ea395e99034f6164c14ba2547cb136bcea817b72b7734b9157b3c2c0ef6
                                            • Instruction Fuzzy Hash: 88F03638A0522BEBDB41DB69DD849DA3BD4EF023E0B014125FC25D2170DF20CD51DBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __lseeki64
                                            • String ID:
                                            • API String ID: 1457047535-0
                                            • Opcode ID: 19cb096107ee07548805630a45f7898f396dd16d941579f3a620cc85d2748979
                                            • Instruction ID: f284fbe2b61732f0a0437290388b593edf81142fd70af88f5aac9156cd5660e8
                                            • Opcode Fuzzy Hash: 19cb096107ee07548805630a45f7898f396dd16d941579f3a620cc85d2748979
                                            • Instruction Fuzzy Hash: 0891C178E446458FEB25CB64CD80B9DB7F2EF80350F25816DE85997252EB70A941CF40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 1000B840: VariantClear.OLEAUT32 ref: 1000B882
                                              • Part of subcall function 1000B840: SysAllocString.OLEAUT32(00000000), ref: 1000B926
                                              • Part of subcall function 1000B840: _com_raise_error.COMSUPP ref: 1000B949
                                            • _com_util::ConvertStringToBSTR.COMSUPP ref: 100951CB
                                            • VariantClear.OLEAUT32(00000008), ref: 10095201
                                            • VariantInit.OLEAUT32(?), ref: 10095271
                                            • VariantCopy.OLEAUT32(?,00000000), ref: 1009527F
                                            • VariantClear.OLEAUT32(?), ref: 100952D4
                                            • VariantClear.OLEAUT32(00000000), ref: 10095312
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Variant$Clear$String$AllocConvertCopyInit_com_raise_error_com_util::
                                            • String ID:
                                            • API String ID: 1460198874-0
                                            • Opcode ID: b29112a6fc48da69ebd6faa733310441690b5a19dcfbcdbbdf002550e859b14b
                                            • Instruction ID: 524b331c0d06202f9c0589cc17da1e2bd3b7b21f5dd5c61ad90924a4c9c7ecd8
                                            • Opcode Fuzzy Hash: b29112a6fc48da69ebd6faa733310441690b5a19dcfbcdbbdf002550e859b14b
                                            • Instruction Fuzzy Hash: 1571A37590024AEFCB05DFA9C880A9EB7F9FF49200F15841DF50DA7241DB35AE45DBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 100760C3
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,74DEDFF0,00000000), ref: 100760E3
                                              • Part of subcall function 10072500: GetProcAddress.KERNEL32(10077B93,WSCDeinstallProvider), ref: 10072512
                                            • _memset.LIBCMT ref: 10076177
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,74DEDFF0,00000000), ref: 10076197
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide_memset$AddressProc
                                            • String ID:
                                            • API String ID: 892993152-0
                                            • Opcode ID: 2270597aff8fc1955e8c85520c2f8c84218854de0175480990bf3ef799b18d6b
                                            • Instruction ID: ac10dabfa48ac29a31c3ef131c788a6eca52ffb7141de774cf3c388f12276f71
                                            • Opcode Fuzzy Hash: 2270597aff8fc1955e8c85520c2f8c84218854de0175480990bf3ef799b18d6b
                                            • Instruction Fuzzy Hash: 1551CF71248301ABE364CF64CC85F9AB7E4FB88710F454A2DFA89972C1E774B944CB56
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SysStringLen.OLEAUT32 ref: 004087C4
                                            • SysFreeString.OLEAUT32(00000000), ref: 004087CF
                                            • SysAllocStringLen.OLEAUT32(00000000,?), ref: 004087E2
                                            • _memset.LIBCMT ref: 00408808
                                            • SysFreeString.OLEAUT32(00000000), ref: 0040882D
                                            • SysFreeString.OLEAUT32 ref: 0040884A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: String$Free$Alloc_memset
                                            • String ID:
                                            • API String ID: 1448862277-0
                                            • Opcode ID: d5cf1aab0ad54a6f594ec41ec6f1566feb0221c62886a902e2eb6a26d9bd67a3
                                            • Instruction ID: 46166b00c3106e808ce72220943429d31529785ed3a1ab58c85a3f159e49b76f
                                            • Opcode Fuzzy Hash: d5cf1aab0ad54a6f594ec41ec6f1566feb0221c62886a902e2eb6a26d9bd67a3
                                            • Instruction Fuzzy Hash: 705180752042069BD310DF15CD84F6BB3E8FF98704F408A2EF58497290DB78D90ACB9A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 10072450: GetProcAddress.KERNEL32(?,WSCEnumProtocols), ref: 10072462
                                            • CoTaskMemAlloc.OLE32(9E6FDE2E,00000000,00000000,?,?,?,9E6FDE2E,?,00000000,00000000,00000000), ref: 100763F1
                                            • _memset.LIBCMT ref: 1007644C
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,-00000074,000000FF,?,00000104,00000000,00000000,?,?,?), ref: 10076465
                                            • _memset.LIBCMT ref: 100764A5
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?), ref: 100764BE
                                            • CoTaskMemFree.OLE32(00000000,00000000,00000000,?,?,?), ref: 100764E1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiTaskWide_memset$AddressAllocFreeProc
                                            • String ID:
                                            • API String ID: 3118521318-0
                                            • Opcode ID: 1cc9b0e7328cd7ba31a81b62769e2ab3fa7a0fd196cbc9edb8979992c646e15d
                                            • Instruction ID: 3dbf7f1af153c03c9aad8395dacf7306d9a51298157a09ac9125c7ccedd44a92
                                            • Opcode Fuzzy Hash: 1cc9b0e7328cd7ba31a81b62769e2ab3fa7a0fd196cbc9edb8979992c646e15d
                                            • Instruction Fuzzy Hash: 624182B6408310AFD310DF65DC85DABB7ECFB89754F414A2DF59993280DA35AD08CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • std::exception::exception.LIBCMT ref: 1004A726
                                            • __CxxThrowException@8.LIBCMT ref: 1004A73D
                                              • Part of subcall function 100A28D3: _malloc.LIBCMT ref: 100A28EB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Exception@8Throw_mallocstd::exception::exception
                                            • String ID:
                                            • API String ID: 4063778783-0
                                            • Opcode ID: b45dbb05a6e4d748bee6e86ef164d7e5704c30b98e889fc0f09566b96637e89a
                                            • Instruction ID: 16a4bfdd4348ca2dea668dae661167612102b9b58cb291f7dff5d356c3541d65
                                            • Opcode Fuzzy Hash: b45dbb05a6e4d748bee6e86ef164d7e5704c30b98e889fc0f09566b96637e89a
                                            • Instruction Fuzzy Hash: A031E7B49043109BC30CDFA8D951B6FB3A6EFC4610F15CA3DF45A82685EF34E958CA52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileSize.KERNEL32(?,00000000,9E6FDE2E), ref: 10079EE7
                                            • CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 10079F04
                                            • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 10079F1B
                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 10079F62
                                            • CloseHandle.KERNEL32(?), ref: 10079F71
                                            • CloseHandle.KERNEL32(?), ref: 10079FBF
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                            • String ID:
                                            • API String ID: 297527592-0
                                            • Opcode ID: 31298ca4165d9b21121f95d8a950a1fc204aeffbc5aa2808c9a16321ea7b53f4
                                            • Instruction ID: f225b1d415d6b116764fff4660950eb488a58c47abc87fc19b01e458e6b2e03e
                                            • Opcode Fuzzy Hash: 31298ca4165d9b21121f95d8a950a1fc204aeffbc5aa2808c9a16321ea7b53f4
                                            • Instruction Fuzzy Hash: E6318FB5A00259AFDB00CFA9CCC8AAEBBB8FB49250F11C539FD55E3250D734A8418B64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • StrStrIA.SHLWAPI(?,?,-00000001,74DF2EE0,00000000,1003994C,00000000,-00000001), ref: 100397CB
                                            • lstrlenA.KERNEL32(?,?), ref: 100397E3
                                            • lstrlenA.KERNEL32(00000000), ref: 100397E8
                                            • lstrlenA.KERNEL32(-00000001), ref: 100397F7
                                            • StrChrA.SHLWAPI(00000000,0000000D), ref: 10039819
                                            • StrChrA.SHLWAPI(00000000,0000000A), ref: 10039823
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: lstrlen
                                            • String ID:
                                            • API String ID: 1659193697-0
                                            • Opcode ID: 76879895f905c85ca6a0c2c55b63676327563e52542f89ec9dac4b1cac42d620
                                            • Instruction ID: 60ceb27ab6c4634477e0a71a9d7f478610c2d56040833bdd2b5be7867ec6137f
                                            • Opcode Fuzzy Hash: 76879895f905c85ca6a0c2c55b63676327563e52542f89ec9dac4b1cac42d620
                                            • Instruction Fuzzy Hash: A611E6737052111FE312A7AA8C80F9B67CCDBE63A2F160426F980DB241D952DC8683B1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ClientToScreen.USER32(?,?), ref: 00406786
                                            • ClientToScreen.USER32(?,?), ref: 00406795
                                            • GetParent.USER32(?), ref: 0040679B
                                            • ScreenToClient.USER32(00000000,?), ref: 004067B4
                                            • ScreenToClient.USER32(00000000,?), ref: 004067C0
                                            • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 004067E1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ClientScreen$MoveParentWindow
                                            • String ID:
                                            • API String ID: 2420994850-0
                                            • Opcode ID: 304737a08c39f96a6c6b0e969f71d2c36fd712620a0862ce9f123c9c92acf1f6
                                            • Instruction ID: b579d2b65e5556853c11b9405877cda46e3707a58ee6d75de800e12756553bb6
                                            • Opcode Fuzzy Hash: 304737a08c39f96a6c6b0e969f71d2c36fd712620a0862ce9f123c9c92acf1f6
                                            • Instruction Fuzzy Hash: C511D3B5608306AF9304CF69D884CABB7E9EF88720B04892EF95583350D730E9098B66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,00000000,1007B1F4,?,?,?,9E6FDE2E,?,?), ref: 10029A24
                                            • CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 10029A35
                                            • _memset.LIBCMT ref: 10029A45
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 10029A56
                                            • SysAllocString.OLEAUT32(00000000), ref: 10029A5D
                                            • CoTaskMemFree.OLE32(00000000,?,?,?,?,?,?,?,00000000), ref: 10029A66
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: AllocByteCharMultiTaskWide$FreeString_memset
                                            • String ID:
                                            • API String ID: 2726897130-0
                                            • Opcode ID: aad78804f434e069d475557739e08d99c06f95b4b770bb25f36aa9f61e439bec
                                            • Instruction ID: 3cca2a070fae5f30f3b9386bb2dfff4c1eedec2b823912de75c2f8721c6bd58a
                                            • Opcode Fuzzy Hash: aad78804f434e069d475557739e08d99c06f95b4b770bb25f36aa9f61e439bec
                                            • Instruction Fuzzy Hash: 0A01713764523577D21096E96C48FDBBB5CDF916F1F124232FA15D2190DA21941087F4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetDC.USER32(00000000), ref: 00404961
                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00404972
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0040497B
                                            • ReleaseDC.USER32(00000000,00000000), ref: 00404982
                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 0040499B
                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 004049A9
                                              • Part of subcall function 00408AA0: __CxxThrowException@8.LIBCMT ref: 00408AB2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CapsDevice$Exception@8ReleaseThrow
                                            • String ID:
                                            • API String ID: 3795711691-0
                                            • Opcode ID: 3b8a81bc311fbe4c4122a3d53ec45e33a09636de70188edc4c53e89c1c81ae39
                                            • Instruction ID: d2dc9edc4d64c10388e7d20b9a6947466f4fa36563e65f1fd9878167c6df5b82
                                            • Opcode Fuzzy Hash: 3b8a81bc311fbe4c4122a3d53ec45e33a09636de70188edc4c53e89c1c81ae39
                                            • Instruction Fuzzy Hash: FCF081B5640715AFF200ABA2CC05F577B9CEB46351F00412EFF44A7280DBB558018BA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetDC.USER32(00000000), ref: 00405781
                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00405792
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0040579B
                                            • ReleaseDC.USER32(00000000,00000000), ref: 004057A2
                                            • MulDiv.KERNEL32(?,00000000,000009EC), ref: 004057BB
                                            • MulDiv.KERNEL32(00000000,?,000009EC), ref: 004057C9
                                              • Part of subcall function 00408AA0: __CxxThrowException@8.LIBCMT ref: 00408AB2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CapsDevice$Exception@8ReleaseThrow
                                            • String ID:
                                            • API String ID: 3795711691-0
                                            • Opcode ID: e8627dd8038d60be642601f239c5d8dac2f17273ef93894a5ef10c2b670cc529
                                            • Instruction ID: c8ffc1520df54c8fed8e5a97e4b2bf9f586a309ddf3a198c39069e2afd0c6cdd
                                            • Opcode Fuzzy Hash: e8627dd8038d60be642601f239c5d8dac2f17273ef93894a5ef10c2b670cc529
                                            • Instruction Fuzzy Hash: B6F08CB5640715AFE210AB61DC45F5B7B9CEF49351F00412EFE45A7281DBB498018AA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrcmpiA.KERNEL32(Software\Microsoft\Windows\CurrentVersion\Run), ref: 10004480
                                            • lstrcmpiA.KERNEL32(Software\Microsoft\Windows\CurrentVersion\RunOnce), ref: 1000448C
                                            • lstrcmpiA.KERNEL32(Software\Microsoft\Windows\CurrentVersion\RunServices), ref: 100044A0
                                            Strings
                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 10004479
                                            • Software\Microsoft\Windows\CurrentVersion\RunServices, xrefs: 1000449B
                                            • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 10004487
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: lstrcmpi
                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\RunOnce$Software\Microsoft\Windows\CurrentVersion\RunServices
                                            • API String ID: 1586166983-1774011033
                                            • Opcode ID: 5c35f66c7cadf89ed428bba4bbee3207d5076a15eea7a1e312c54d0eca709579
                                            • Instruction ID: 35bc48512b09450b14b89cbff3c0fdcc0acf65d8cce0df474b5de0daa20d4c18
                                            • Opcode Fuzzy Hash: 5c35f66c7cadf89ed428bba4bbee3207d5076a15eea7a1e312c54d0eca709579
                                            • Instruction Fuzzy Hash: 74E0EC963113163BF250A5AE6C84FD74A8CEFD15E5B134136F604D1258DF42CC865670
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __sopen_s
                                            • String ID: UNICODE$UTF-16LE$UTF-8$ccs=
                                            • API String ID: 2693426323-2506416105
                                            • Opcode ID: 6806a96066a3c0f5fa03dbb6005d75e3d9684e610c4c2af0528bcb5bcb932d64
                                            • Instruction ID: fb8b38430b18c6f0ffcda3ffe986f52a58752ada91e1c94ce91c56d3d9061ea7
                                            • Opcode Fuzzy Hash: 6806a96066a3c0f5fa03dbb6005d75e3d9684e610c4c2af0528bcb5bcb932d64
                                            • Instruction Fuzzy Hash: 5C71EF71C0824AEADB50CFE5C9457BD7BE0EF05394F21C16EE856962E1D7B88A81CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset
                                            • String ID: %2.2x
                                            • API String ID: 2102423945-341615062
                                            • Opcode ID: 322c6e4f0695f02272109f96e929f682868b273b0d8f3af39560e279c7254db1
                                            • Instruction ID: a7e1499ecc7aafb8c0aeda0750e7f701be77a7b520e67de72947feea3624c167
                                            • Opcode Fuzzy Hash: 322c6e4f0695f02272109f96e929f682868b273b0d8f3af39560e279c7254db1
                                            • Instruction Fuzzy Hash: A3414F76608340ABE370DB64CC45FEBB7E8EBC5710F40891DB69C961D2DBB4A544CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNEL32(shlwapi.dll), ref: 100910E9
                                            • GetProcAddress.KERNEL32(00000000,PathMatchSpecExA), ref: 100910FD
                                            • PathMatchSpecA.SHLWAPI(?,?), ref: 10091183
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadMatchPathProcSpec
                                            • String ID: PathMatchSpecExA$shlwapi.dll
                                            • API String ID: 1702852530-2261437916
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • std::_Lockit::_Lockit.LIBCPMT ref: 100525CC
                                            • std::_Lockit::_Lockit.LIBCPMT ref: 100525F2
                                            • __CxxThrowException@8.LIBCMT ref: 10052686
                                            • std::locale::facet::facet_Register.LIBCPMT ref: 1005269D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::locale::facet::facet_
                                            • String ID: bad cast
                                            • API String ID: 1988240374-3145022300
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1002B80A
                                            • _memset.LIBCMT ref: 1002B826
                                            • lstrlenA.KERNEL32(?,?,00000FFA,7FFFFFFF), ref: 1002B875
                                            • OutputDebugStringA.KERNEL32(?), ref: 1002B8FC
                                              • Part of subcall function 1009747A: __vsnprintf.LIBCMT ref: 10097493
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$DebugOutputString__vsnprintflstrlen
                                            • String ID: VCLNR.DLL:
                                            • API String ID: 2827235256-303571665
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00409810: _memset.LIBCMT ref: 00409827
                                              • Part of subcall function 0040D510: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104), ref: 0040D535
                                            • _memset.LIBCMT ref: 0040948C
                                            • PathFileExistsA.SHLWAPI(?,?,?,?,75C04920,?,?), ref: 004094F2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File_memset$ExistsModuleNamePath
                                            • String ID: %s\%s$stops_dlg_header_tl.gif$stops_dlg_header_tm.gif
                                            • API String ID: 1900401103-3276288015
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 004017FF
                                            • BeginPaint.USER32(?,?), ref: 00401810
                                              • Part of subcall function 00409550: _memset.LIBCMT ref: 0040958F
                                              • Part of subcall function 00409550: GetClientRect.USER32(?,?), ref: 004095A0
                                              • Part of subcall function 004096B0: SelectObject.GDI32(?,00000000), ref: 004096C9
                                              • Part of subcall function 004096B0: SetTextColor.GDI32(?,?), ref: 004096D8
                                              • Part of subcall function 004096B0: SetBkMode.GDI32(?,00000001), ref: 004096E5
                                              • Part of subcall function 004096B0: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00409721
                                              • Part of subcall function 004096B0: GetClientRect.USER32(00000000,?), ref: 00409748
                                              • Part of subcall function 004096B0: GetClientRect.USER32(00000000,?), ref: 0040977C
                                              • Part of subcall function 004096B0: DrawTextA.USER32(?,?,?,?,00000001), ref: 004097D5
                                            • EndPaint.USER32(?,?,00000000,?,00000000,Further Instructions,00000014), ref: 0040183F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ClientRectText$Paint_memset$BeginColorDrawExtentModeObjectPoint32Select
                                            • String ID: Further Instructions$W }
                                            • API String ID: 1537444194-4137434540
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,10038FB5,?,?,?,?,?,?,?,00000000,00000103), ref: 10047680
                                            • OpenServiceA.ADVAPI32(00000000,EacCleanDrv,000F01FF,?,?,10038FB5,?,?,?,?,?,?,?,00000000,00000103), ref: 10047693
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,10038FB5,?,?,?,?,?,?,?,00000000,00000103), ref: 100476A4
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,10038FB5,?,?,?,?,?,?,?,00000000,00000103), ref: 100476A7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Service$CloseHandleOpen$Manager
                                            • String ID: EacCleanDrv
                                            • API String ID: 4196757001-2285477812
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00000000,10039E59), ref: 10039B49
                                            • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 10039B5B
                                            • FreeLibrary.KERNEL32(00000000), ref: 10039B6A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Library$AddressFreeLoadProc
                                            • String ID: IsDebuggerPresent$kernel32.dll
                                            • API String ID: 145871493-2078679533
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • std::_String_base::_Xlen.LIBCPMT ref: 1000C4CE
                                            • _memmove_s.LIBCMT ref: 1000C518
                                            • std::_String_base::_Xlen.LIBCPMT ref: 1000C53E
                                            • _memmove_s.LIBCMT ref: 1000C5D1
                                              • Part of subcall function 100A1708: __EH_prolog3.LIBCMT ref: 100A170F
                                              • Part of subcall function 100A1708: __CxxThrowException@8.LIBCMT ref: 100A1741
                                              • Part of subcall function 100A1708: __EH_prolog3.LIBCMT ref: 100A174E
                                              • Part of subcall function 100A1708: __CxxThrowException@8.LIBCMT ref: 100A1780
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Exception@8H_prolog3String_base::_ThrowXlen_memmove_sstd::_
                                            • String ID:
                                            • API String ID: 750368271-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 1002B54E
                                            • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 1002B55E
                                            • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 1002B56C
                                            • CoTaskMemFree.OLE32(00000000,?,00000000,-00000001), ref: 1002B5FC
                                            • CoTaskMemFree.OLE32(00000000,?,?,?), ref: 1002B6AE
                                              • Part of subcall function 100299B0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,10029F2F,?), ref: 100299CD
                                              • Part of subcall function 100299B0: CoTaskMemAlloc.OLE32(00000000,?,?,?,?,10029F2F,?,?,?,1002AADE,?,?), ref: 100299D6
                                              • Part of subcall function 100299B0: _memset.LIBCMT ref: 100299E6
                                              • Part of subcall function 100299B0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 100299FB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ArraySafeTask$BoundByteCharFreeMultiWide$AccessAllocData_memset
                                            • String ID:
                                            • API String ID: 4280278311-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: String_base::_Xlen_memmove_sstd::_
                                            • String ID:
                                            • API String ID: 2295234635-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VariantClear.OLEAUT32 ref: 1000B882
                                            • lstrlenA.KERNEL32(?), ref: 1000B89C
                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,-00000001,?,00000002,00000000), ref: 1000B90C
                                            • SysAllocString.OLEAUT32(00000000), ref: 1000B926
                                            • _com_raise_error.COMSUPP ref: 1000B949
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: AllocByteCharClearMultiStringVariantWide_com_raise_errorlstrlen
                                            • String ID:
                                            • API String ID: 3597017657-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CharNextA.USER32(?,00000000,?,?,00000000,?,0040B2DB,?,00000000,?,00000000), ref: 0040B88E
                                            • CharNextA.USER32(00000000,?,00000000,?,?,00000000,?,0040B2DB,?,00000000,?,00000000), ref: 0040B89F
                                            • CharNextA.USER32(00000000,?,00000000,?,?,00000000,?,0040B2DB,?,00000000,?,00000000), ref: 0040B8AE
                                            • CharNextA.USER32(00000000,?,00000000,?,?,00000000,?,0040B2DB,?,00000000,?,00000000), ref: 0040B8B5
                                            • CharNextA.USER32(?,?,00000000,?,?,00000000,?,0040B2DB,?,00000000,?,00000000), ref: 0040B8F8
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CharNext
                                            • String ID:
                                            • API String ID: 3213498283-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • IsWindow.USER32(?), ref: 00404CC7
                                            • GetDlgItem.USER32(?,?), ref: 00404CE3
                                            • CallWindowProcA.USER32(00000001,?,?,?,?), ref: 00404D67
                                            • GetDlgItem.USER32(?,?), ref: 00404D82
                                            • SendMessageA.USER32(?,?,?,?), ref: 00404DD2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ItemWindow$CallMessageProcSend
                                            • String ID:
                                            • API String ID: 2403035917-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileSize.KERNEL32(?,00000000,9E6FDE2E), ref: 1007A04A
                                              • Part of subcall function 10079E60: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,?,10079FDA,?,00000000), ref: 10079E76
                                              • Part of subcall function 10079E60: SetEndOfFile.KERNEL32 ref: 10079E7F
                                            • CreateFileMappingA.KERNEL32(?,00000000,00000004,00000000,00000000,00000000), ref: 1007A07D
                                            • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?,00000000,00000004,00000000,00000000,00000000,?,00000000), ref: 1007A097
                                            • UnmapViewOfFile.KERNEL32(00000000,?,00000000,00000004,00000000,00000000,00000000,?,00000000), ref: 1007A112
                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000004,00000000,00000000,00000000,?,00000000), ref: 1007A123
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$View$CloseCreateHandleMappingPointerSizeUnmap
                                            • String ID:
                                            • API String ID: 2211241848-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __lock.LIBCMT ref: 100AF887
                                              • Part of subcall function 100ABFC9: __mtinitlocknum.LIBCMT ref: 100ABFDD
                                              • Part of subcall function 100ABFC9: __amsg_exit.LIBCMT ref: 100ABFE9
                                              • Part of subcall function 100ABFC9: EnterCriticalSection.KERNEL32(?,?,?,100B4645,00000004,100ED568,0000000C,100A78CD,100A28F0,100A28F0,00000000,00000000,00000000,100A9AA4,00000001,00000214), ref: 100ABFF1
                                            • __mtinitlocknum.LIBCMT ref: 100AF8C7
                                            • __malloc_crt.LIBCMT ref: 100AF90B
                                            • ___crtInitCritSecAndSpinCount.LIBCMT ref: 100AF930
                                            • EnterCriticalSection.KERNEL32(009D2250,100ED488,00000010,100A40E7,100ECE40,0000000C,100A419E,?,?,00000080,00000000,?,1002D29C,?,?,100D5D8C), ref: 100AF95A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CriticalEnterSection__mtinitlocknum$CountCritInitSpin___crt__amsg_exit__lock__malloc_crt
                                            • String ID:
                                            • API String ID: 1486408876-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenW.KERNEL32(?,?,80004005,?,?,00405EB4,?,00000000,?,?), ref: 00406065
                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,-00000001,00000000,?,00000000,00000000,?,?), ref: 00406096
                                            • GetLastError.KERNEL32(?,?), ref: 004060A5
                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,-00000001,00000000,00000000,00000000,00000000,?,?), ref: 004060C5
                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,-00000001,?,00000000,00000000,00000000,?,?), ref: 004060E9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                            • String ID:
                                            • API String ID: 3322701435-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindResourceA.KERNEL32(00000000,00000000,?), ref: 1007B30B
                                            • LoadResource.KERNEL32(?,00000000), ref: 1007B31B
                                            • LockResource.KERNEL32(00000000,?,00000000), ref: 1007B326
                                            • SizeofResource.KERNEL32(?,00000000,?,00000000), ref: 1007B336
                                            • CoTaskMemAlloc.OLE32(00000000,?,00000000,?,00000000), ref: 1007B340
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Resource$AllocFindLoadLockSizeofTask
                                            • String ID:
                                            • API String ID: 1721649048-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ___initconout.LIBCMT ref: 100C228E
                                              • Part of subcall function 100C8087: CreateFileA.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,100C2293,00000000,?,?,100B00AB,?), ref: 100C809A
                                            • WriteConsoleW.KERNEL32(FFFFFFFE,100B00AB,00000001,?,00000000,00000000,?,?,100B00AB,?), ref: 100C22AF
                                            • GetConsoleOutputCP.KERNEL32(00000000,100B00AB,00000001,?,00000005,00000000,00000000,00000000,?,?,100B00AB,?), ref: 100C22E2
                                            • WideCharToMultiByte.KERNEL32(00000000,?,?,100B00AB,?), ref: 100C22E9
                                            • WriteConsoleA.KERNEL32(FFFFFFFE,?,00000000,?,00000000,?,?,100B00AB,?), ref: 100C2305
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Console$Write$ByteCharCreateFileMultiOutputWide___initconout
                                            • String ID:
                                            • API String ID: 1577852991-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • EnterCriticalSection.KERNEL32(?,?,?,?), ref: 10008348
                                            • GetCurrentThreadId.KERNEL32 ref: 10008355
                                            • LeaveCriticalSection.KERNEL32(?,?,?), ref: 1000836F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CriticalSection$CurrentEnterLeaveThread
                                            • String ID:
                                            • API String ID: 2351996187-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000208,?,0040A109,?), ref: 0040E9E6
                                            • GetFileSize.KERNEL32(00000000,00000000,00000000,?,0040A109,?), ref: 0040E9F6
                                            • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,0040A109,?), ref: 0040EA08
                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,0040A109), ref: 0040EA26
                                            • CloseHandle.KERNEL32(00000000,?,0040A109,?), ref: 0040EA37
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$AllocCloseCreateHandleReadSizeVirtual
                                            • String ID:
                                            • API String ID: 2717999310-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetClientRect.USER32(?,?), ref: 00406A6C
                                            • BitBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00406A9C
                                            • DeleteDC.GDI32(?), ref: 00406AA3
                                            • ReleaseDC.USER32(?,00000000), ref: 00406AB2
                                            • ReleaseDC.USER32(?,00000000), ref: 00406ACA
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Release$ClientDeleteRect
                                            • String ID:
                                            • API String ID: 2936606340-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RaiseException.KERNEL32(C0000005,00000001,?,?), ref: 100082D2
                                            • GetCurrentThreadId.KERNEL32 ref: 100082EC
                                            • EnterCriticalSection.KERNEL32(?), ref: 100082F9
                                            • LeaveCriticalSection.KERNEL32(?), ref: 10008309
                                            • RaiseException.KERNEL32(C0000005,00000001,00000000,00000000), ref: 10008320
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CriticalExceptionRaiseSection$CurrentEnterLeaveThread
                                            • String ID:
                                            • API String ID: 2580436124-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __lock.LIBCMT ref: 004100E2
                                              • Part of subcall function 00412A16: __mtinitlocknum.LIBCMT ref: 00412A2A
                                              • Part of subcall function 00412A16: __amsg_exit.LIBCMT ref: 00412A36
                                              • Part of subcall function 00412A16: EnterCriticalSection.KERNEL32(00413CDA,00413CDA,?,0040FA4F,00000004,004227E0,0000000C,00414047,?,?,00000000,00000000,00000000,00413CE9,00000001,00000214), ref: 00412A3E
                                            • ___sbh_find_block.LIBCMT ref: 004100ED
                                            • ___sbh_free_block.LIBCMT ref: 004100FC
                                            • HeapFree.KERNEL32(00000000,00000000,004228A0,0000000C,004129F7,00000000,00422928,0000000C,00412A2F,00000000,00413CDA,?,0040FA4F,00000004,004227E0,0000000C), ref: 0041012C
                                            • GetLastError.KERNEL32(?,0040FA4F,00000004,004227E0,0000000C,00414047,?,?,00000000,00000000,00000000,00413CE9,00000001,00000214), ref: 0041013D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                            • String ID:
                                            • API String ID: 2714421763-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • EnterCriticalSection.KERNEL32(004271CC,?,?,00408D56), ref: 00408DE9
                                            • GetCurrentThreadId.KERNEL32 ref: 00408DF9
                                            • LeaveCriticalSection.KERNEL32(004271CC,?,?,00408D56), ref: 00408E14
                                            • LeaveCriticalSection.KERNEL32(004271CC,?,?,00408D56), ref: 00408E32
                                            • LeaveCriticalSection.KERNEL32(004271CC,?,?,00408D56), ref: 00408E4A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CriticalSection$Leave$CurrentEnterThread
                                            • String ID:
                                            • API String ID: 2905768538-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,?,10072406,00000000), ref: 10072045
                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,10072406,00000000), ref: 10072059
                                            • lstrlenA.KERNEL32(?,10072406,00000000,?,10072406,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 10072067
                                            • WriteFile.KERNEL32(00000000,?,00000000,?,10072406,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 10072070
                                            • CloseHandle.KERNEL32(00000000,?,10072406,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 10072077
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: File$CloseCreateHandlePointerWritelstrlen
                                            • String ID:
                                            • API String ID: 3722912177-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CoTaskMemAlloc.OLE32(?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 100777F9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: AllocTask
                                            • String ID: %x_$%x__
                                            • API String ID: 277515162-3377690091
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 100414CF
                                            • SetConsoleCtrlHandler.KERNEL32(10029650,00000001), ref: 100414DC
                                              • Part of subcall function 10039F50: _memset.LIBCMT ref: 10039F70
                                              • Part of subcall function 10039F50: _memset.LIBCMT ref: 10039F84
                                              • Part of subcall function 10039F50: _memset.LIBCMT ref: 10039F98
                                              • Part of subcall function 10039F50: _memset.LIBCMT ref: 10039FAC
                                              • Part of subcall function 10039F50: GetLocalTime.KERNEL32 ref: 10039FB8
                                              • Part of subcall function 10039F50: wsprintfA.USER32 ref: 10039FEF
                                              • Part of subcall function 10039F50: GetModuleFileNameA.KERNEL32(10000000,?,00000104), ref: 1003A009
                                              • Part of subcall function 10039F50: lstrcpynA.KERNEL32(?,?,00000104), ref: 1003A021
                                            • GetTickCount.KERNEL32 ref: 100415F6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$CountTick$ConsoleCtrlFileHandlerLocalModuleNameTimelstrcpynwsprintf
                                            • String ID: *.cnr
                                            • API String ID: 3246313133-39468021
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenW.KERNEL32(REGISTRY), ref: 0040CDA1
                                            • _malloc.LIBCMT ref: 0040CDF6
                                            • WideCharToMultiByte.KERNEL32(?,00000000,REGISTRY,000000FF,00000008,00000000,00000000,00000000), ref: 0040CE26
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide_malloclstrlen
                                            • String ID: REGISTRY
                                            • API String ID: 2576735857-194740550
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenW.KERNEL32(REGISTRY), ref: 0040CF01
                                            • _malloc.LIBCMT ref: 0040CF56
                                            • WideCharToMultiByte.KERNEL32(?,00000000,REGISTRY,000000FF,00000008,00000000,00000000,00000000), ref: 0040CF86
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide_malloclstrlen
                                            • String ID: REGISTRY
                                            • API String ID: 2576735857-194740550
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 10041693
                                            • SetConsoleCtrlHandler.KERNEL32(10029650,00000001), ref: 100416A0
                                              • Part of subcall function 10039F50: _memset.LIBCMT ref: 10039F70
                                              • Part of subcall function 10039F50: _memset.LIBCMT ref: 10039F84
                                              • Part of subcall function 10039F50: _memset.LIBCMT ref: 10039F98
                                              • Part of subcall function 10039F50: _memset.LIBCMT ref: 10039FAC
                                              • Part of subcall function 10039F50: GetLocalTime.KERNEL32 ref: 10039FB8
                                              • Part of subcall function 10039F50: wsprintfA.USER32 ref: 10039FEF
                                              • Part of subcall function 10039F50: GetModuleFileNameA.KERNEL32(10000000,?,00000104), ref: 1003A009
                                              • Part of subcall function 10039F50: lstrcpynA.KERNEL32(?,?,00000104), ref: 1003A021
                                            • GetTickCount.KERNEL32 ref: 1004178B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$CountTick$ConsoleCtrlFileHandlerLocalModuleNameTimelstrcpynwsprintf
                                            • String ID: *.cnr
                                            • API String ID: 3246313133-39468021
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 1004122E
                                            • SetConsoleCtrlHandler.KERNEL32(10029650,00000001,?,?,?,?,?,?,?,?,00000000,100CE0B8,000000FF,1002A3C1,?,1002B004), ref: 10041237
                                              • Part of subcall function 10039F50: _memset.LIBCMT ref: 10039F70
                                              • Part of subcall function 10039F50: _memset.LIBCMT ref: 10039F84
                                              • Part of subcall function 10039F50: _memset.LIBCMT ref: 10039F98
                                              • Part of subcall function 10039F50: _memset.LIBCMT ref: 10039FAC
                                              • Part of subcall function 10039F50: GetLocalTime.KERNEL32 ref: 10039FB8
                                              • Part of subcall function 10039F50: wsprintfA.USER32 ref: 10039FEF
                                              • Part of subcall function 10039F50: GetModuleFileNameA.KERNEL32(10000000,?,00000104), ref: 1003A009
                                              • Part of subcall function 10039F50: lstrcpynA.KERNEL32(?,?,00000104), ref: 1003A021
                                            • GetTickCount.KERNEL32 ref: 100412D6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$CountTick$ConsoleCtrlFileHandlerLocalModuleNameTimelstrcpynwsprintf
                                            • String ID: *.cnr
                                            • API String ID: 3246313133-39468021
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: DriveDrivesLogicalType
                                            • String ID: :$\
                                            • API String ID: 4038169723-1166558509
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 10072450: GetProcAddress.KERNEL32(?,WSCEnumProtocols), ref: 10072462
                                            • CoTaskMemAlloc.OLE32(?,00000000,00000000,00000000,?), ref: 100733D1
                                            • CoTaskMemFree.OLE32(00000000,00000000,00000000,?,?,?), ref: 10073456
                                              • Part of subcall function 100730B0: _memset.LIBCMT ref: 100730EC
                                              • Part of subcall function 100730B0: _memset.LIBCMT ref: 10073132
                                              • Part of subcall function 100730B0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,-00000014,00000000), ref: 10073155
                                              • Part of subcall function 100730B0: _memset.LIBCMT ref: 1007316E
                                              • Part of subcall function 100730B0: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 10073188
                                              • Part of subcall function 100730B0: PathIsRelativeA.SHLWAPI(?), ref: 10073193
                                              • Part of subcall function 100730B0: PathFindOnPathA.SHLWAPI(?,00000000), ref: 100731A3
                                            • PathFileExistsA.SHLWAPI(00000000,00000000,00000104,00000000,00000000,00000000,?,?,?), ref: 10073426
                                              • Part of subcall function 10072500: GetProcAddress.KERNEL32(10077B93,WSCDeinstallProvider), ref: 10072512
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Path$_memset$AddressProcTask$AllocByteCharEnvironmentExistsExpandFileFindFreeMultiRelativeStringsWide
                                            • String ID: G'
                                            • API String ID: 109804704-1542159958
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __calloc_crt
                                            • String ID: @UB$PUB
                                            • API String ID: 3494438863-3152389918
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • std::_Lockit::_Lockit.LIBCPMT ref: 10051DBE
                                            • __CxxThrowException@8.LIBCMT ref: 10051E35
                                              • Part of subcall function 100A293D: RaiseException.KERNEL32(?,?,100A293C,10029968,?,?,?,?,100A293C,10029968,100E0FB0,100F3258), ref: 100A297D
                                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 10051E3C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Similarity
                                            • API ID: std::_$ExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrow
                                            • String ID: bad locale name
                                            • API String ID: 1915927752-1405518554
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyExA.ADVAPI32 ref: 10091BFB
                                            • RegQueryValueExA.ADVAPI32(00000000,scancount,00000000,80000002,00020019,00020019), ref: 10091C1F
                                            Strings
                                            • scancount, xrefs: 10091C19
                                            • SOFTWARE\Acceleration Software International Corporation\WebScan, xrefs: 10091BE1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Similarity
                                            • API ID: OpenQueryValue
                                            • String ID: SOFTWARE\Acceleration Software International Corporation\WebScan$scancount
                                            • API String ID: 4153817207-313064765
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(KERNEL32,100A359F), ref: 100ADEAE
                                            • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 100ADEBE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: IsProcessorFeaturePresent$KERNEL32
                                            • API String ID: 1646373207-3105848591
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,SeDebugPrivilege,00000001,00000000,?,00000000,1008AC21,?,?,00000010,?,?), ref: 1008A2C5
                                            • SetPriorityClass.KERNEL32(00000000,?,?,1001B605,?,-00000020,00000080), ref: 1008A2D7
                                            • CloseHandle.KERNEL32(00000000,?,1001B605,?,-00000020,00000080), ref: 1008A2E0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Similarity
                                            • API ID: ClassCloseHandleOpenPriorityProcess
                                            • String ID: SeDebugPrivilege
                                            • API String ID: 835338480-2896544425
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OpenProcess.KERNEL32(00000001,00000000,00000000,?,?,SeDebugPrivilege,00000001,00000000,?,?,100900DC,?,?,00000000), ref: 1008A262
                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 1008A270
                                            • CloseHandle.KERNEL32(00000000), ref: 1008A279
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Similarity
                                            • API ID: Process$CloseHandleOpenTerminate
                                            • String ID: SeDebugPrivilege
                                            • API String ID: 2026632969-2896544425
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetParent.USER32(?), ref: 00405D45
                                            • GetClassNameA.USER32(00000000,00000008,00000008), ref: 00405D53
                                            • lstrcmpA.KERNEL32(?,#32770), ref: 00405D78
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ClassNameParentlstrcmp
                                            • String ID: #32770
                                            • API String ID: 3513268407-463685578
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 10082161
                                            • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 10082176
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Similarity
                                            • API ID: CountLibraryLoadTick
                                            • String ID: Advapi32.dll$SeDebugPrivilege
                                            • API String ID: 2787207781-4191211643
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(KERNEL32,0041098A), ref: 00415922
                                            • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00415932
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: IsProcessorFeaturePresent$KERNEL32
                                            • API String ID: 1646373207-3105848591
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 1001666D
                                            • StrRChrIA.SHLWAPI(?,00000000,0000005C), ref: 1001669B
                                            • StrRChrIA.SHLWAPI(?,00000000,0000005C,?,00000104,7FFFFFFF), ref: 10016700
                                            • _memset.LIBCMT ref: 100167D3
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Similarity
                                            • API ID: _memset
                                            • String ID:
                                            • API String ID: 2102423945-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Similarity
                                            • API ID: _cvtdate
                                            • String ID:
                                            • API String ID: 159983822-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenA.KERNEL32(?,4121B502,?,?,00000000,-00000001,?,00000002,00000000), ref: 0040AC25
                                            • lstrlenW.KERNEL32(00000000,?,?,?,00000002,00000000), ref: 0040AC63
                                            • _memcpy_s.LIBCMT ref: 0040ACCF
                                            • _memcpy_s.LIBCMT ref: 0040ACE1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: _memcpy_slstrlen
                                            • String ID:
                                            • API String ID: 2392212498-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetClientRect.USER32(?,?), ref: 0040649A
                                            • GetClientRect.USER32(?,?), ref: 004064A5
                                            • CreateAcceleratorTableA.USER32(?,00000001), ref: 004064CA
                                            • GetParent.USER32(?), ref: 004064F0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ClientRect$AcceleratorCreateParentTable
                                            • String ID:
                                            • API String ID: 2716292469-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00419B45
                                            • __isleadbyte_l.LIBCMT ref: 00419B79
                                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,FF000002,?,00000000,?,?,?,00416E1B,?,?,00000001), ref: 00419BAA
                                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,00416E1B,?,?,00000001), ref: 00419C18
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                            • String ID:
                                            • API String ID: 3058430110-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 100722D1
                                            • _memset.LIBCMT ref: 100722EB
                                            • lstrlenA.KERNEL32(?,?,00000FFA,7FFFFFFF,?,?,?,?,?,?,00000000), ref: 10072345
                                            • _memset.LIBCMT ref: 100723DC
                                              • Part of subcall function 1009747A: __vsnprintf.LIBCMT ref: 10097493
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: _memset$__vsnprintflstrlen
                                            • String ID:
                                            • API String ID: 194215378-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 100C243D
                                            • __isleadbyte_l.LIBCMT ref: 100C2471
                                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,FF000002,?,00000000,?,?,?,100AFFC4,?,?,00000001), ref: 100C24A2
                                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,100AFFC4,?,?,00000001), ref: 100C2510
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                            • String ID:
                                            • API String ID: 3058430110-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • std::_String_base::_Xlen.LIBCPMT ref: 0040A3B2
                                              • Part of subcall function 0040F632: __EH_prolog3.LIBCMT ref: 0040F639
                                              • Part of subcall function 0040F632: std::runtime_error::runtime_error.LIBCPMT ref: 0040F656
                                              • Part of subcall function 0040F632: __CxxThrowException@8.LIBCMT ref: 0040F66B
                                            • std::_String_base::_Xlen.LIBCPMT ref: 0040A3D5
                                            • std::_String_base::_Xlen.LIBCPMT ref: 0040A3EC
                                            • _memcpy_s.LIBCMT ref: 0040A45F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: String_base::_Xlenstd::_$Exception@8H_prolog3Throw_memcpy_sstd::runtime_error::runtime_error
                                            • String ID:
                                            • API String ID: 1039763836-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FreeLibrary.KERNEL32(?,9E6FDE2E,?,00000000,-00000001,00000000), ref: 1008F611
                                            • FreeLibrary.KERNEL32(?,9E6FDE2E,?,00000000,-00000001,00000000), ref: 1008F61E
                                            • FreeLibrary.KERNEL32(?,9E6FDE2E,?,00000000,-00000001,00000000), ref: 1008F62B
                                            • CloseHandle.KERNEL32(?,9E6FDE2E,?,00000000,-00000001,00000000), ref: 1008F638
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: FreeLibrary$CloseHandle
                                            • String ID:
                                            • API String ID: 4123137172-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFocus.USER32 ref: 00404B67
                                            • IsChild.USER32(?,00000000), ref: 00404B72
                                            • GetWindow.USER32(?,00000005), ref: 00404B82
                                            • SetFocus.USER32(00000000,?,?,?,0041D378,000000FF,00404247), ref: 00404B89
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Focus$ChildWindow
                                            • String ID:
                                            • API String ID: 501040988-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 100299B0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,10029F2F,?), ref: 100299CD
                                              • Part of subcall function 100299B0: CoTaskMemAlloc.OLE32(00000000,?,?,?,?,10029F2F,?,?,?,1002AADE,?,?), ref: 100299D6
                                              • Part of subcall function 100299B0: _memset.LIBCMT ref: 100299E6
                                              • Part of subcall function 100299B0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 100299FB
                                            • _memset.LIBCMT ref: 1002A631
                                            • _memset.LIBCMT ref: 1002A64D
                                            • CoTaskMemFree.OLE32(00000000,?,?), ref: 1002A69C
                                              • Part of subcall function 10029A10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,00000000,1007B1F4,?,?,?,9E6FDE2E,?,?), ref: 10029A24
                                              • Part of subcall function 10029A10: CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 10029A35
                                              • Part of subcall function 10029A10: _memset.LIBCMT ref: 10029A45
                                              • Part of subcall function 10029A10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 10029A56
                                              • Part of subcall function 10029A10: SysAllocString.OLEAUT32(00000000), ref: 10029A5D
                                              • Part of subcall function 10029A10: CoTaskMemFree.OLE32(00000000,?,?,?,?,?,?,?,00000000), ref: 10029A66
                                            • CoTaskMemFree.OLE32(00000000,?,?), ref: 1002A6A7
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Task$ByteCharMultiWide_memset$AllocFree$String
                                            • String ID:
                                            • API String ID: 2626109451-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 100299B0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,10029F2F,?), ref: 100299CD
                                              • Part of subcall function 100299B0: CoTaskMemAlloc.OLE32(00000000,?,?,?,?,10029F2F,?,?,?,1002AADE,?,?), ref: 100299D6
                                              • Part of subcall function 100299B0: _memset.LIBCMT ref: 100299E6
                                              • Part of subcall function 100299B0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 100299FB
                                            • _memset.LIBCMT ref: 1002A731
                                            • CoTaskMemFree.OLE32(00000000), ref: 1002A76D
                                              • Part of subcall function 1003D7B0: lstrcmpiA.KERNEL32(?,?), ref: 1003D849
                                              • Part of subcall function 10029A10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,00000000,1007B1F4,?,?,?,9E6FDE2E,?,?), ref: 10029A24
                                              • Part of subcall function 10029A10: CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 10029A35
                                              • Part of subcall function 10029A10: _memset.LIBCMT ref: 10029A45
                                              • Part of subcall function 10029A10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 10029A56
                                              • Part of subcall function 10029A10: SysAllocString.OLEAUT32(00000000), ref: 10029A5D
                                              • Part of subcall function 10029A10: CoTaskMemFree.OLE32(00000000,?,?,?,?,?,?,?,00000000), ref: 10029A66
                                            • CoTaskMemFree.OLE32(00000000,?,?,00000000,?,00000000,?), ref: 1002A760
                                            • CoTaskMemFree.OLE32(00000000,?), ref: 1002A77E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Task$ByteCharFreeMultiWide$Alloc_memset$Stringlstrcmpi
                                            • String ID:
                                            • API String ID: 2827824634-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • std::exception::exception.LIBCMT ref: 10089A1F
                                            • __CxxThrowException@8.LIBCMT ref: 10089A36
                                              • Part of subcall function 100A28D3: _malloc.LIBCMT ref: 100A28EB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Exception@8Throw_mallocstd::exception::exception
                                            • String ID:
                                            • API String ID: 4063778783-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • std::exception::exception.LIBCMT ref: 1007C14F
                                            • __CxxThrowException@8.LIBCMT ref: 1007C166
                                              • Part of subcall function 100A28D3: _malloc.LIBCMT ref: 100A28EB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Exception@8Throw_mallocstd::exception::exception
                                            • String ID:
                                            • API String ID: 4063778783-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: lstrlen$_memsetlstrcpyn
                                            • String ID:
                                            • API String ID: 940696854-0
                                            • Opcode ID: ac4e78dda322b0932658dd83caac069bfd6c230161e5601083b7ba7d516453b8
                                            • Instruction ID: 832987e6d2b1b3c7335318c3a59c70397f04d8696d66550875f7b677fc5aa678
                                            • Opcode Fuzzy Hash: ac4e78dda322b0932658dd83caac069bfd6c230161e5601083b7ba7d516453b8
                                            • Instruction Fuzzy Hash: 651103719043448BE320DF28DCC2BEBB3E4FB99354F02491DFAD582241DB75D8898BA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RaiseException.KERNEL32(80000003,00000000,00000000,00000000,9E6FDE2E), ref: 10039CF7
                                            • GetCurrentThreadId.KERNEL32 ref: 10039D47
                                            • GetCurrentProcessId.KERNEL32(00000000,00000000,00000000), ref: 10039D5C
                                            • GetCurrentProcess.KERNEL32(00000000), ref: 10039D63
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Current$Process$ExceptionRaiseThread
                                            • String ID:
                                            • API String ID: 2001439942-0
                                            • Opcode ID: 93505fcf4472a9de7ed132f5a0b615dae2f12336e4d0ee0f835f41363231d7e9
                                            • Instruction ID: 694fd08d9e96abba2583ecfe4d177e9a2123e0c6e6df03dce20fa68524b120b0
                                            • Opcode Fuzzy Hash: 93505fcf4472a9de7ed132f5a0b615dae2f12336e4d0ee0f835f41363231d7e9
                                            • Instruction Fuzzy Hash: EC117C76904258AFD710DF99DC49ADFBBB8FB89621F11422AE915A3240DB351900CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 100299B0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,10029F2F,?), ref: 100299CD
                                              • Part of subcall function 100299B0: CoTaskMemAlloc.OLE32(00000000,?,?,?,?,10029F2F,?,?,?,1002AADE,?,?), ref: 100299D6
                                              • Part of subcall function 100299B0: _memset.LIBCMT ref: 100299E6
                                              • Part of subcall function 100299B0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 100299FB
                                              • Part of subcall function 1003AD50: lstrcmpiA.KERNEL32(?,00000004), ref: 1003ADD2
                                            • CoTaskMemAlloc.OLE32(00000000,?,00000000,?,?,?,?,?,?,1002ADEC,?,?,?,9E6FDE2E), ref: 1002A164
                                            • _memset.LIBCMT ref: 1002A174
                                              • Part of subcall function 1003C3D0: _memset.LIBCMT ref: 1003C44C
                                              • Part of subcall function 1003C3D0: lstrcmpiA.KERNEL32(?,?), ref: 1003C4BF
                                            • CoTaskMemFree.OLE32(00000000,?,00000000,00000000), ref: 1002A1A0
                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,?,?,?,1002ADEC,?,?,?,9E6FDE2E), ref: 1002A1AB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Task$_memset$AllocByteCharFreeMultiWidelstrcmpi
                                            • String ID:
                                            • API String ID: 614867843-0
                                            • Opcode ID: cc93e3df26fdff2429fbebdbd88c8ddf4c1eabdff17489bf6eeeb3577447755b
                                            • Instruction ID: c24c6d6d36bbbc77ec578799ace983dc96969cab13e4b0d24c96f6467183f9e7
                                            • Opcode Fuzzy Hash: cc93e3df26fdff2429fbebdbd88c8ddf4c1eabdff17489bf6eeeb3577447755b
                                            • Instruction Fuzzy Hash: 74018B756013266B9201DB65AC84E5B77ACEF826A1F014428FD4597201CF30ED94CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __FF_MSGBANNER.LIBCMT ref: 0041296F
                                              • Part of subcall function 00413627: _strcpy_s.LIBCMT ref: 00413693
                                              • Part of subcall function 00413627: __invoke_watson.LIBCMT ref: 004136A4
                                              • Part of subcall function 00413627: GetModuleFileNameA.KERNEL32(00000000,00427701,00000104,00000000,00000000,00000000,00413CE9,00000001,00000214), ref: 004136C0
                                              • Part of subcall function 00413627: _strcpy_s.LIBCMT ref: 004136D5
                                              • Part of subcall function 00413627: __invoke_watson.LIBCMT ref: 004136E8
                                              • Part of subcall function 00413627: __invoke_watson.LIBCMT ref: 0041372B
                                              • Part of subcall function 00411117: ___crtCorExitProcess.LIBCMT ref: 0041111B
                                              • Part of subcall function 00411117: ExitProcess.KERNEL32 ref: 00411125
                                            • __malloc_crt.LIBCMT ref: 0041299B
                                              • Part of subcall function 00413FF4: _malloc.LIBCMT ref: 00413FFC
                                              • Part of subcall function 00413FF4: Sleep.KERNEL32(00000000,00000001,00000000,004129A0,00000018,00422928,0000000C,00412A2F,00000000,00413CDA,?,0040FA4F,00000004,004227E0,0000000C,00414047), ref: 00414011
                                            • __lock.LIBCMT ref: 004129B8
                                            • ___crtInitCritSecAndSpinCount.LIBCMT ref: 004129CB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __invoke_watson$ExitProcess___crt_strcpy_s$CountCritFileInitModuleNameSleepSpin__lock__malloc_crt_malloc
                                            • String ID:
                                            • API String ID: 3293610199-0
                                            • Opcode ID: c2e2331f69ae60a5c23537ff493b848627fdd7a0ddc71da8f92b2f2a09fb87b4
                                            • Instruction ID: 757877f21d169789e16d7d9f97d96afbd82110f001acf43d7dc01c7bb63df78e
                                            • Opcode Fuzzy Hash: c2e2331f69ae60a5c23537ff493b848627fdd7a0ddc71da8f92b2f2a09fb87b4
                                            • Instruction Fuzzy Hash: BC1186B16042439EDB20BF69A9426ED77A07F41768F20012FF250AB2D1DEBC49D1DB5D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DeleteObject.GDI32(00000000), ref: 0040DD70
                                            • DeleteObject.GDI32(00000000), ref: 0040DD94
                                            • LoadBitmapA.USER32(00400000,?), ref: 0040DDBC
                                            • SendDlgItemMessageA.USER32(?,000003EC,00000172,00000000,00000000), ref: 0040DDDD
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: DeleteObject$BitmapItemLoadMessageSend
                                            • String ID:
                                            • API String ID: 1244536425-0
                                            • Opcode ID: c04274e13705eb85c7fbabaf24ae1154a53f5036843ca0e0bd476ffc10cb4275
                                            • Instruction ID: 3b8c69ce067a2cc6a6eccc5c11616d79331d79f7120e6650f27a7c2beb1baa40
                                            • Opcode Fuzzy Hash: c04274e13705eb85c7fbabaf24ae1154a53f5036843ca0e0bd476ffc10cb4275
                                            • Instruction Fuzzy Hash: D0112B70B047009BE7209F75DC88B63B3E8AF84701F44453E9589D3290D778E8498A2C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • EnterCriticalSection.KERNEL32(?,00000000,00000000,75BF3530,0040B541,?,4121B502,00000000,?,?,00000000), ref: 0040B5E9
                                              • Part of subcall function 0040B650: lstrcmpiA.KERNEL32(?,?), ref: 0040B66E
                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,4121B502,0041D538,000000FF,0040B2AE,?,00000000), ref: 0040B604
                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,4121B502,0041D538,000000FF,0040B2AE,?,00000000), ref: 0040B622
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CriticalSection$Leave$Enterlstrcmpi
                                            • String ID:
                                            • API String ID: 431788158-0
                                            • Opcode ID: 5007cafcefd95fe9c77a716c3c2a1fca263ca6b841d15e06922179c94852bf19
                                            • Instruction ID: 39b5dd71c1f8655922aee172fed93d18b4e666576a11ea171d1086990f14671a
                                            • Opcode Fuzzy Hash: 5007cafcefd95fe9c77a716c3c2a1fca263ca6b841d15e06922179c94852bf19
                                            • Instruction Fuzzy Hash: E8F0C272200215A7D6209FB59C84BC6F3ACEB54765F008D37F615E3290C771A8158BED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetWindowExtEx.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00401306,?,004095B3,?,?,?,00000000), ref: 0040126B
                                            • GetViewportExtEx.GDI32(00000000,?,?,?,?,?,00401306,?,004095B3,?,?,?,00000000), ref: 0040127F
                                            • MulDiv.KERNEL32(?,?,?), ref: 004012A2
                                            • MulDiv.KERNEL32(?,?,?), ref: 004012BE
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ViewportWindow
                                            • String ID:
                                            • API String ID: 1589084482-0
                                            • Opcode ID: 85ff37255550095f92daa231cb27bfcf18e2c7f34f6d4c93c5cc532de65f65c4
                                            • Instruction ID: 363ca5ae3afe4790dd47d7e808384d8689c5be480cf00164b9a7a171ce12e140
                                            • Opcode Fuzzy Hash: 85ff37255550095f92daa231cb27bfcf18e2c7f34f6d4c93c5cc532de65f65c4
                                            • Instruction Fuzzy Hash: BA011AB5614202AFD704DF6DCD8486BFBEEEBC8210B55C93DF589C3260D274E8458B62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,10029F2F,?), ref: 100299CD
                                            • CoTaskMemAlloc.OLE32(00000000,?,?,?,?,10029F2F,?,?,?,1002AADE,?,?), ref: 100299D6
                                            • _memset.LIBCMT ref: 100299E6
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 100299FB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide$AllocTask_memset
                                            • String ID:
                                            • API String ID: 799234904-0
                                            • Opcode ID: 55e5f6317c94f7f2db30b40f8361af07b1994c826c43ac3b42ddea1b4bdfee1f
                                            • Instruction ID: dbb910753909b42f7f70bf5f83b03a228e63ea9fbd67bb907edeef2e5d5a187e
                                            • Opcode Fuzzy Hash: 55e5f6317c94f7f2db30b40f8361af07b1994c826c43ac3b42ddea1b4bdfee1f
                                            • Instruction Fuzzy Hash: F9F0307774263672D121919E5C89F97BF5CCF92FF1F610325FB28A62C08E11984082F9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentProcess.KERNEL32(?,0000000D), ref: 10009A36
                                            • FlushInstructionCache.KERNEL32(00000000), ref: 10009A3D
                                            • DialogBoxParamA.USER32(10000000,00000065,?,Function_00009730,?), ref: 10009A6A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CacheCurrentDialogFlushInstructionParamProcess
                                            • String ID:
                                            • API String ID: 1084288975-0
                                            • Opcode ID: 119387736e1eff5c3acd362863be76870eaf322dee3f0ff92878b874451d76b2
                                            • Instruction ID: 4e53600ee89c8e64c18adbf45a5bcf8f0ab11092b951b01d2c3d6e29f125f30e
                                            • Opcode Fuzzy Hash: 119387736e1eff5c3acd362863be76870eaf322dee3f0ff92878b874451d76b2
                                            • Instruction Fuzzy Hash: 7D01C472204650AFF314EBB4DC59F9A7BA4EF91361F058649F9598B2E1CB30E840CB71
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                            • String ID:
                                            • API String ID: 3016257755-0
                                            • Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                            • Instruction ID: 3bf2ac24bb1e8ed6982a6d16e55cd7960a68bb4c9e7aa06f0f31dde3b80f5fa1
                                            • Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                            • Instruction Fuzzy Hash: 0C01403240054EFBCF126E85DC018EE3F22BB58354F58841AFE1859131D63ACAB2AB89
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateCompatibleDC.GDI32(?), ref: 1000BA6D
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 1000BA87
                                            • SelectObject.GDI32(00000000,00000000), ref: 1000BA94
                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 1000BAAE
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CompatibleCreate$BitmapObjectSelectViewport
                                            • String ID:
                                            • API String ID: 1881423421-0
                                            • Opcode ID: b608655b75af1d4008ac96352225696b6fb13f446d0c9053d88d592a7895e1ad
                                            • Instruction ID: 9e319cf1c022b92a456d1f3cd32105d01b24f76774726b1acd1721f657943f48
                                            • Opcode Fuzzy Hash: b608655b75af1d4008ac96352225696b6fb13f446d0c9053d88d592a7895e1ad
                                            • Instruction Fuzzy Hash: E51160B9600B009FD364CF69C588A53BBF4EF48710B11CA1DE99A87B50D770E844CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                            • String ID:
                                            • API String ID: 3016257755-0
                                            • Opcode ID: f21a8b7f24a1b2d00343f0b603ae94f06ec36108a82eb02af9b45acdd94f1f67
                                            • Instruction ID: c297bdee62c0d30fbf180be72282719b894d86bd2621d457aad99b684eb0e136
                                            • Opcode Fuzzy Hash: f21a8b7f24a1b2d00343f0b603ae94f06ec36108a82eb02af9b45acdd94f1f67
                                            • Instruction Fuzzy Hash: 9901483640018AFBCF12AED4CC418EE3F62FF18294F598516FA1A59031D736DAB1EB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00413D37: __amsg_exit.LIBCMT ref: 00413D45
                                            • __amsg_exit.LIBCMT ref: 004177CF
                                            • __lock.LIBCMT ref: 004177DF
                                            • InterlockedDecrement.KERNEL32(?), ref: 004177FC
                                            • InterlockedIncrement.KERNEL32(026216B8), ref: 00417827
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
                                            • String ID:
                                            • API String ID: 4129207761-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(00000000,?,004117C5,0040F7EA,00401829,Further Instructions,00000014), ref: 00413CC2
                                              • Part of subcall function 00413B92: TlsGetValue.KERNEL32(?,00413CD5), ref: 00413B99
                                              • Part of subcall function 00413B92: TlsSetValue.KERNEL32(00000000), ref: 00413BBA
                                            • __calloc_crt.LIBCMT ref: 00413CE4
                                              • Part of subcall function 00414034: __calloc_impl.LIBCMT ref: 00414042
                                              • Part of subcall function 00414034: Sleep.KERNEL32(00000000,?,00000000,00000000,00413CE9,00000001,00000214), ref: 00414059
                                              • Part of subcall function 00413B1B: TlsGetValue.KERNEL32(00000000,00413BB0), ref: 00413B28
                                              • Part of subcall function 00413B1B: TlsGetValue.KERNEL32(00000006), ref: 00413B3F
                                              • Part of subcall function 00413C01: GetModuleHandleA.KERNEL32(KERNEL32.DLL,004229C8,0000000C,00413D12,00000000,00000000), ref: 00413C12
                                              • Part of subcall function 00413C01: GetProcAddress.KERNEL32(?,EncodePointer), ref: 00413C46
                                              • Part of subcall function 00413C01: GetProcAddress.KERNEL32(?,DecodePointer), ref: 00413C56
                                              • Part of subcall function 00413C01: InterlockedIncrement.KERNEL32(004257C0), ref: 00413C78
                                              • Part of subcall function 00413C01: __lock.LIBCMT ref: 00413C80
                                              • Part of subcall function 00413C01: ___addlocaleref.LIBCMT ref: 00413C9F
                                            • GetCurrentThreadId.KERNEL32 ref: 00413D14
                                            • SetLastError.KERNEL32(00000000), ref: 00413D2C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                                            • String ID:
                                            • API String ID: 1081334783-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(8007000E,00000000,100AA238,100A9107,00000001,100A97DA,00000008,00000000,?,?,?,100A28F0,100A98EC,?,100A28F0,00000008), ref: 100A9A7D
                                              • Part of subcall function 100A9934: TlsGetValue.KERNEL32(00000000,100A9A90,?,?,100A28F0,100A98EC,?,100A28F0,00000008,10029968,00000008), ref: 100A993B
                                              • Part of subcall function 100A9934: TlsSetValue.KERNEL32(00000000,?,100A28F0,100A98EC,?,100A28F0,00000008,10029968,00000008), ref: 100A995C
                                            • __calloc_crt.LIBCMT ref: 100A9A9F
                                              • Part of subcall function 100A78BA: __calloc_impl.LIBCMT ref: 100A78C8
                                              • Part of subcall function 100A78BA: Sleep.KERNEL32(00000000,?,100A28F0,00000008,10029968,00000008), ref: 100A78DF
                                              • Part of subcall function 100A98A2: TlsGetValue.KERNEL32(80040111,100AA6D1,100A32BD,100A28F0,?,100A28F0,00000008,10029968,00000008), ref: 100A98AF
                                              • Part of subcall function 100A98A2: TlsGetValue.KERNEL32(00000005,?,100A28F0,00000008,10029968,00000008), ref: 100A98C6
                                              • Part of subcall function 100A99BC: GetModuleHandleA.KERNEL32(KERNEL32.DLL,100ED0C0,0000000C,100A9ACD,00000000,00000000,?,?,100A28F0,100A98EC,?,100A28F0,00000008,10029968,00000008), ref: 100A99CD
                                              • Part of subcall function 100A99BC: GetProcAddress.KERNEL32(?,EncodePointer), ref: 100A9A01
                                              • Part of subcall function 100A99BC: GetProcAddress.KERNEL32(?,DecodePointer), ref: 100A9A11
                                              • Part of subcall function 100A99BC: InterlockedIncrement.KERNEL32(100F22B8), ref: 100A9A33
                                              • Part of subcall function 100A99BC: __lock.LIBCMT ref: 100A9A3B
                                              • Part of subcall function 100A99BC: ___addlocaleref.LIBCMT ref: 100A9A5A
                                            • GetCurrentThreadId.KERNEL32 ref: 100A9ACF
                                            • SetLastError.KERNEL32(00000000,?,?,100A28F0,100A98EC,?,100A28F0,00000008,10029968,00000008), ref: 100A9AE7
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                                            • String ID:
                                            • API String ID: 1081334783-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: DeleteObject$Select
                                            • String ID:
                                            • API String ID: 207189511-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 1000B535
                                            • CallWindowProcA.USER32(?,?,?,?,?), ref: 1000B54E
                                            • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 1000B560
                                            • InvalidateRect.USER32(?,00000000,00000000), ref: 1000B56A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: MessageSend$CallInvalidateProcRectWindow
                                            • String ID:
                                            • API String ID: 2879949391-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 0040D82E
                                            • EnterCriticalSection.KERNEL32(004271CC), ref: 0040D83C
                                            • LeaveCriticalSection.KERNEL32(004271CC), ref: 0040D855
                                              • Part of subcall function 0040D0D0: FindResourceA.KERNEL32 ref: 0040D0F2
                                              • Part of subcall function 0040D0D0: FindResourceA.KERNEL32(00400000,00000070,000000F0), ref: 0040D105
                                              • Part of subcall function 0040D0D0: LoadResource.KERNEL32(00400000,00000000), ref: 0040D119
                                              • Part of subcall function 0040D0D0: LockResource.KERNEL32(00000000), ref: 0040D11C
                                              • Part of subcall function 0040D0D0: LoadResource.KERNEL32(00400000,00000000), ref: 0040D128
                                              • Part of subcall function 0040D0D0: LockResource.KERNEL32(00000000), ref: 0040D12F
                                              • Part of subcall function 0040D0D0: DialogBoxIndirectParamA.USER32(00400000,00000000,?,0040A490,00000000), ref: 0040D150
                                              • Part of subcall function 0040D0D0: GetLastError.KERNEL32 ref: 0040D161
                                              • Part of subcall function 0040D0D0: GlobalHandle.KERNEL32(00000000), ref: 0040D170
                                              • Part of subcall function 0040D0D0: GlobalFree.KERNEL32(00000000), ref: 0040D177
                                              • Part of subcall function 0040D0D0: SetLastError.KERNEL32(?), ref: 0040D196
                                            • RaiseException.KERNEL32(C0000005,00000001,00000000,00000000,?,0040D817,00000000), ref: 0040D882
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Resource$CriticalErrorFindGlobalLastLoadLockSection$CurrentDialogEnterExceptionFreeHandleIndirectLeaveParamRaiseThread
                                            • String ID:
                                            • API String ID: 1480246864-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 0040A16F
                                            • EnterCriticalSection.KERNEL32(004271CC,?,0040A12F,00000000), ref: 0040A17D
                                            • LeaveCriticalSection.KERNEL32(004271CC,?,0040A12F,00000000), ref: 0040A196
                                              • Part of subcall function 0040D0D0: FindResourceA.KERNEL32 ref: 0040D0F2
                                              • Part of subcall function 0040D0D0: FindResourceA.KERNEL32(00400000,00000070,000000F0), ref: 0040D105
                                              • Part of subcall function 0040D0D0: LoadResource.KERNEL32(00400000,00000000), ref: 0040D119
                                              • Part of subcall function 0040D0D0: LockResource.KERNEL32(00000000), ref: 0040D11C
                                              • Part of subcall function 0040D0D0: LoadResource.KERNEL32(00400000,00000000), ref: 0040D128
                                              • Part of subcall function 0040D0D0: LockResource.KERNEL32(00000000), ref: 0040D12F
                                              • Part of subcall function 0040D0D0: DialogBoxIndirectParamA.USER32(00400000,00000000,?,0040A490,00000000), ref: 0040D150
                                              • Part of subcall function 0040D0D0: GetLastError.KERNEL32 ref: 0040D161
                                              • Part of subcall function 0040D0D0: GlobalHandle.KERNEL32(00000000), ref: 0040D170
                                              • Part of subcall function 0040D0D0: GlobalFree.KERNEL32(00000000), ref: 0040D177
                                              • Part of subcall function 0040D0D0: SetLastError.KERNEL32(?), ref: 0040D196
                                            • RaiseException.KERNEL32(C0000005,00000001,00000000,00000000,?,?,0040A12F,00000000), ref: 0040A1C4
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Resource$CriticalErrorFindGlobalLastLoadLockSection$CurrentDialogEnterExceptionFreeHandleIndirectLeaveParamRaiseThread
                                            • String ID:
                                            • API String ID: 1480246864-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 0040A1DF
                                            • EnterCriticalSection.KERNEL32(004271CC,?,?,0040A12F,00000000), ref: 0040A1ED
                                            • LeaveCriticalSection.KERNEL32(004271CC,?,?,0040A12F,00000000), ref: 0040A206
                                              • Part of subcall function 0040D0D0: FindResourceA.KERNEL32 ref: 0040D0F2
                                              • Part of subcall function 0040D0D0: FindResourceA.KERNEL32(00400000,00000070,000000F0), ref: 0040D105
                                              • Part of subcall function 0040D0D0: LoadResource.KERNEL32(00400000,00000000), ref: 0040D119
                                              • Part of subcall function 0040D0D0: LockResource.KERNEL32(00000000), ref: 0040D11C
                                              • Part of subcall function 0040D0D0: LoadResource.KERNEL32(00400000,00000000), ref: 0040D128
                                              • Part of subcall function 0040D0D0: LockResource.KERNEL32(00000000), ref: 0040D12F
                                              • Part of subcall function 0040D0D0: DialogBoxIndirectParamA.USER32(00400000,00000000,?,0040A490,00000000), ref: 0040D150
                                              • Part of subcall function 0040D0D0: GetLastError.KERNEL32 ref: 0040D161
                                              • Part of subcall function 0040D0D0: GlobalHandle.KERNEL32(00000000), ref: 0040D170
                                              • Part of subcall function 0040D0D0: GlobalFree.KERNEL32(00000000), ref: 0040D177
                                              • Part of subcall function 0040D0D0: SetLastError.KERNEL32(?), ref: 0040D196
                                            • RaiseException.KERNEL32(C0000005,00000001,00000000,00000000,?,?,?,0040A12F,00000000), ref: 0040A234
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Resource$CriticalErrorFindGlobalLastLoadLockSection$CurrentDialogEnterExceptionFreeHandleIndirectLeaveParamRaiseThread
                                            • String ID:
                                            • API String ID: 1480246864-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 0040A24F
                                            • EnterCriticalSection.KERNEL32(004271CC,?,?,?,0040A12F,00000000), ref: 0040A25D
                                            • LeaveCriticalSection.KERNEL32(004271CC,?,?,?,0040A12F,00000000), ref: 0040A276
                                              • Part of subcall function 0040D0D0: FindResourceA.KERNEL32 ref: 0040D0F2
                                              • Part of subcall function 0040D0D0: FindResourceA.KERNEL32(00400000,00000070,000000F0), ref: 0040D105
                                              • Part of subcall function 0040D0D0: LoadResource.KERNEL32(00400000,00000000), ref: 0040D119
                                              • Part of subcall function 0040D0D0: LockResource.KERNEL32(00000000), ref: 0040D11C
                                              • Part of subcall function 0040D0D0: LoadResource.KERNEL32(00400000,00000000), ref: 0040D128
                                              • Part of subcall function 0040D0D0: LockResource.KERNEL32(00000000), ref: 0040D12F
                                              • Part of subcall function 0040D0D0: DialogBoxIndirectParamA.USER32(00400000,00000000,?,0040A490,00000000), ref: 0040D150
                                              • Part of subcall function 0040D0D0: GetLastError.KERNEL32 ref: 0040D161
                                              • Part of subcall function 0040D0D0: GlobalHandle.KERNEL32(00000000), ref: 0040D170
                                              • Part of subcall function 0040D0D0: GlobalFree.KERNEL32(00000000), ref: 0040D177
                                              • Part of subcall function 0040D0D0: SetLastError.KERNEL32(?), ref: 0040D196
                                            • RaiseException.KERNEL32(C0000005,00000001,00000000,00000000,00000008,?,?,?,0040A12F,00000000), ref: 0040A2A4
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Resource$CriticalErrorFindGlobalLastLoadLockSection$CurrentDialogEnterExceptionFreeHandleIndirectLeaveParamRaiseThread
                                            • String ID:
                                            • API String ID: 1480246864-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __lock.LIBCMT ref: 100A32EB
                                              • Part of subcall function 100ABFC9: __mtinitlocknum.LIBCMT ref: 100ABFDD
                                              • Part of subcall function 100ABFC9: __amsg_exit.LIBCMT ref: 100ABFE9
                                              • Part of subcall function 100ABFC9: EnterCriticalSection.KERNEL32(?,?,?,100B4645,00000004,100ED568,0000000C,100A78CD,100A28F0,100A28F0,00000000,00000000,00000000,100A9AA4,00000001,00000214), ref: 100ABFF1
                                            • ___sbh_find_block.LIBCMT ref: 100A32F6
                                            • ___sbh_free_block.LIBCMT ref: 100A3305
                                            • HeapFree.KERNEL32(00000000,100A28F0,100ECD80,0000000C,100ABFAA,00000000,100ED3C8,0000000C,100ABFE2,100A28F0,?,?,100B4645,00000004,100ED568,0000000C), ref: 100A3335
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CriticalEnterFreeHeapSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                            • String ID:
                                            • API String ID: 403860562-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 00408F3B
                                            • EnterCriticalSection.KERNEL32(004271CC,?,00408EBC,?,?,00408BAA,?,AXWIN UI Window,00CF0000,00000000,?), ref: 00408F49
                                            • LeaveCriticalSection.KERNEL32(004271CC,?,00408EBC,?,?,00408BAA,?,AXWIN UI Window,00CF0000,00000000,?), ref: 00408F62
                                            • RaiseException.KERNEL32(C0000005,00000001,00000000,00000000,?,00408EBC,?,?,00408BAA,?,AXWIN UI Window,00CF0000,00000000,?), ref: 00408F75
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CriticalSection$CurrentEnterExceptionLeaveRaiseThread
                                            • String ID:
                                            • API String ID: 2662421713-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • EndDialog.USER32(?,00000000), ref: 0040D7BA
                                            • IsWindow.USER32(?), ref: 0040D7C4
                                            • Sleep.KERNEL32(000001F4), ref: 0040D7D3
                                            • CloseHandle.KERNEL32(?,00409E15,00000000,Uninstall,Please Wait), ref: 0040D7E4
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CloseDialogHandleSleepWindow
                                            • String ID:
                                            • API String ID: 1108821328-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: AXWIN
                                            • API String ID: 0-1948516679
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CloseHandle_memset
                                            • String ID: SeDebugPrivilege
                                            • API String ID: 900656945-2896544425
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0040B3C0: lstrlenA.KERNEL32(?,4121B502,00000000,?,?,00000000,?,?,?,?,?,4121B502,0041D538,000000FF,0040B2AE), ref: 0040B413
                                              • Part of subcall function 0040B3C0: CoTaskMemFree.OLE32(00000000,?,4121B502,00000000,?,?,00000000,?,?,?,?,?,4121B502,0041D538,000000FF,0040B2AE), ref: 0040B456
                                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040B2FD
                                            • CoTaskMemFree.OLE32(0040B1F3,?,00000000), ref: 0040B376
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: FreeTask$lstrcmpilstrlen
                                            • String ID: {
                                            • API String ID: 919842441-366298937
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __CxxThrowException@8.LIBCMT ref: 1008BC40
                                              • Part of subcall function 100A293D: RaiseException.KERNEL32(?,?,100A293C,10029968,?,?,?,?,100A293C,10029968,100E0FB0,100F3258), ref: 100A297D
                                              • Part of subcall function 100020C0: std::_String_base::_Xlen.LIBCPMT ref: 10002119
                                              • Part of subcall function 100020C0: _memcpy_s.LIBCMT ref: 10002161
                                            • __CxxThrowException@8.LIBCMT ref: 1008BCC0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: Exception@8Throw$ExceptionRaiseString_base::_Xlen_memcpy_sstd::_
                                            • String ID: vector<T> too long
                                            • API String ID: 1603928964-3788999226
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 10073507
                                              • Part of subcall function 10072490: GetProcAddress.KERNEL32(-00000014,WSCGetProviderPath), ref: 100724A2
                                            • GetProcAddress.KERNEL32(?,WSCUpdateProvider), ref: 10073542
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1632175464.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000002.00000002.1632125648.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632922703.00000000100F0000.00000008.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632936246.00000000100F1000.00000004.00000001.01000000.00000007.sdmp
                                            • Associated: 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_10000000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: AddressProc$_memset
                                            • String ID: WSCUpdateProvider
                                            • API String ID: 1444196535-3723097276
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExA.USER32(?,AtlAxWinLic80,00000000,?,?,?,?,?,?,?,00400000,00000000), ref: 004086E5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID: @cB$AtlAxWinLic80
                                            • API String ID: 716092398-3334865462
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0040D450: RaiseException.KERNEL32(C0000005,00000001,00000000,00000000,00409A7E), ref: 0040D45D
                                            • DeleteCriticalSection.KERNEL32(00427D44), ref: 0041DD28
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CriticalDeleteExceptionRaiseSection
                                            • String ID: 8}B$@}B
                                            • API String ID: 966263044-3471225811
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __lock.LIBCMT ref: 004174BF
                                              • Part of subcall function 00412A16: __mtinitlocknum.LIBCMT ref: 00412A2A
                                              • Part of subcall function 00412A16: __amsg_exit.LIBCMT ref: 00412A36
                                              • Part of subcall function 00412A16: EnterCriticalSection.KERNEL32(00413CDA,00413CDA,?,0040FA4F,00000004,004227E0,0000000C,00414047,?,?,00000000,00000000,00000000,00413CE9,00000001,00000214), ref: 00412A3E
                                            • EnterCriticalSection.KERNEL32(?,?,0041C9D9,?,00422CF8,0000000C,00419C87,?,00422CB0,00000010,00417491), ref: 004174D2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000002.00000002.1631043763.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631082651.0000000000425000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631093652.0000000000426000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631105872.0000000000427000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000002.00000002.1631485861.0000000000429000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_400000_EacCleaner.jbxd
                                            Similarity
                                            • API ID: CriticalEnterSection$__amsg_exit__lock__mtinitlocknum
                                            • String ID: @UB
                                            • API String ID: 3996875869-3502628223
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,0000000D,?,004051F7), ref: 0040F063
                                            • HeapAlloc.KERNEL32(00000000), ref: 0040F06A
                                              • Part of subcall function 0040EF80: IsProcessorFeaturePresent.KERNEL32(0000000C,?,0040F051,?,004051F7), ref: 0040EF83
                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0040F08C
                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0040F0B9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1631054714.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: AllocHeapVirtual$FeatureFreePresentProcessProcessor
                                            • String ID:
                                            • API String ID: 4058086966-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%