
Windows Analysis Report
wi86CSarYC.exe

Overview

General Information

Sample name: wi86CSarYC.exe (renamed because the original name is a hash value)
Original sample name: d7444d0ab1742bd2fed6dfdbd47f97372843894e0c78d853761697089bb24d40.exe
Analysis ID: 1573201
MD5: 0897b6ab5240bdb4bbeb3adf924adb19
SHA1: 542a45a470d549a1c60ddeb4839a0efb1360679b
SHA256: d7444d0ab1742bd2fed6dfdbd47f97372843894e0c78d853761697089bb24d40
Tags: 193-188-22-41, exe, user-JAMESWT_MHT

Detection

DanaBot
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
AI detected suspicious sample
Contains functionality to infect the boot sector
May use the Tor software to hide its network traffic
PE file has a writeable .text section
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SGDT)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a global mouse hook
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • wi86CSarYC.exe (PID: 2872 cmdline: "C:\Users\user\Desktop\wi86CSarYC.exe" MD5: 0897B6AB5240BDB4BBEB3ADF924ADB19)
    • EasePaint.exe (PID: 5772 cmdline: "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe" MD5: 95D5FAC09D8DF14A4890FB72E6BA046E)
  • cleanup
Name: DanaBot
Description: Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
Attribution: SCULLY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot
No configs have been found
Yara matches (Source / Rule / Description / Author):
00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp / JoeSecurity_CredentialStealer / Yara detected Credential Stealer / Joe Security
00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp / JoeSecurity_DanaBot_stealer_dll / Yara detected DanaBot stealer dll / Joe Security
00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp / JoeSecurity_CredentialStealer / Yara detected Credential Stealer / Joe Security
00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp / JoeSecurity_DanaBot_stealer_dll / Yara detected DanaBot stealer dll / Joe Security
00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp / JoeSecurity_CredentialStealer / Yara detected Credential Stealer / Joe Security
(5 of 28 entries shown)
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\libbind.dll ReversingLabs: Detection: 36%
Source: wi86CSarYC.exe ReversingLabs: Detection: 50%
Source: Yara match File source: Process Memory Space: EasePaint.exe PID: 5772, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00DC6BC0 lstrcpynW,CryptQueryObject,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,4_2_00DC6BC0
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00DC6D25 LocalFree,CertCloseStore,CryptMsgClose,4_2_00DC6D25
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00DC6F00 lstrcmpA,CryptDecodeObject,LocalAlloc,CryptDecodeObject,4_2_00DC6F00
Source: wi86CSarYC.exe, 00000000.00000000.2105649818.0000000000D6F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_98d0d646-b
Source: wi86CSarYC.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: wi86CSarYC.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: \EasePaint\2.2.1.0\temp\release-en\EasePaint_en\EasePaint_en.pdb source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
            Source: Binary string: \EasePaint\comuiLib\bin\ycomuiu.pdb source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E26440 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,4_2_00E26440
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E40610 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,4_2_00E40610
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E42890 FindFirstFileW,_wcsstr,FindNextFileW,FindClose,4_2_00E42890
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E40B60 MultiByteToWideChar,MultiByteToWideChar,FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,4_2_00E40B60
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E2AEA0 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,4_2_00E2AEA0
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E25740 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,4_2_00E25740
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E2D720 FindFirstFileW,DeleteFileW,FindNextFileW,DeleteFileW,FindNextFileW,FindClose,4_2_00E2D720
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: global traffic HTTP traffic detected: GET /v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1 Host: vip.bitwarsoft.com Authorization: Basic cm9vdDpwYXNz Accept: */*
Source: global traffic HTTP traffic detected: GET /v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1 Host: vip.bitwarsoft.com Authorization: Basic cm9vdDpwYXNz Accept: */*
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 193.188.22.41
Source: unknown TCP traffic detected without corresponding DNS query: 89.116.191.177
Source: unknown TCP traffic detected without corresponding DNS query: 193.188.22.40
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00DF96D0 MultiByteToWideChar,MultiByteToWideChar,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,4_2_00DF96D0
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ldlg_regkillfocusoptLoginType_AccountoptLoginType_SMSbtnGobackLoginbtnGobackRegistbtnRegistbtnLogin_SMSbtnSendCaptchabtnForgetPassbtnFacebookbtnTwitterbtnGoogleedtUserName_LoginedtUserNameimgOKimgNORegDlgTitle1RegDlgTitle2layLoginTypelayThirdLoginedtPasswordedtPasswordOKOnRegisteredtPassword_LoginOnLoginedtCaptchaedtMobilenameerrMsgedtMobile_SubmitedtEmail_SubmitByMobileByEmailfacebooktwittergooglehttps://www.bitwarsoft.com/twitter/login2.html%s?scene_id=%s&lc=%s&login_type=%s equals www.twitter.com (Twitter)
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ldlg_sharehttps://twitter.com/intent/tweet?url=https://www.easepaint.com&text=Free+Watermark+Remover+%2d+EasePaint+Watermark+Experthttps://www.facebook.com/sharer.php?u=https://www.easepaint.combtnLinkedinhttps://www.linkedin.com/shareArticle?mini=true&url=https://www.easepaint.combtnTumblrhttps://www.tumblr.com/widgets/share/tool/preview?shareSource=legacy&canonicalUrl=&url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertbtnReddithttps://www.reddit.com/submit?url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertmenuEnmenuJPmenuTRmenuDEmenuESmenuKOmenuFRmenuARmenuRUmenuPTmenuIDskin.xmlHomeCtrl.xmlConverCtrl.xmlWatermarkPicCtrl.xmlWatermarkVideoCtrl.xmlWatermarkTypeCtrl.xmlposEditButtonListHeaderItem equals www.facebook.com (Facebook), www.linkedin.com (Linkedin), www.twitter.com (Twitter)
Source: EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: dlg_regkillfocusoptLoginType_AccountoptLoginType_SMSbtnGobackLoginbtnGobackRegistbtnRegistbtnLogin_SMSbtnSendCaptchabtnForgetPassbtnFacebookbtnTwitterbtnGoogleedtUserName_LoginedtUserNameimgOKimgNORegDlgTitle1RegDlgTitle2layLoginTypelayThirdLoginedtPasswordedtPasswordOKOnRegisteredtPassword_LoginOnLoginedtCaptchaedtMobilenameerrMsgedtMobile_SubmitedtEmail_SubmitByMobileByEmailfacebooktwittergooglehttps://www.bitwarsoft.com/twitter/login2.html%s?scene_id=%s&lc=%s&login_type=%s equals www.twitter.com (Twitter)
Source: EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: dlg_sharehttps://twitter.com/intent/tweet?url=https://www.easepaint.com&text=Free+Watermark+Remover+%2d+EasePaint+Watermark+Experthttps://www.facebook.com/sharer.php?u=https://www.easepaint.combtnLinkedinhttps://www.linkedin.com/shareArticle?mini=true&url=https://www.easepaint.combtnTumblrhttps://www.tumblr.com/widgets/share/tool/preview?shareSource=legacy&canonicalUrl=&url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertbtnReddithttps://www.reddit.com/submit?url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertmenuEnmenuJPmenuTRmenuDEmenuESmenuKOmenuFRmenuARmenuRUmenuPTmenuIDskin.xmlHomeCtrl.xmlConverCtrl.xmlWatermarkPicCtrl.xmlWatermarkVideoCtrl.xmlWatermarkTypeCtrl.xmlposEditButtonListHeaderItem equals www.facebook.com (Facebook), www.linkedin.com (Linkedin), www.twitter.com (Twitter)
Source: global traffic DNS traffic detected: DNS query: vip.bitwarsoft.com
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://action.ashxCodeValueTimesModeUsernameLogsevent.ashxContenterror.ashxContactsuggest.ashxerrorf
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687484315.0000000002383000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0.
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687484315.0000000002383000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
            Source: wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://html4/loose.dtd
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
            Source: wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
            Source: wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687484315.0000000002383000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
            Source: wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://quoteunquoteapps.com)
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://quoteunquoteapps.comhttp://basicrecipe.comCopyright
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://scripts.sil.org/OFL
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://scripts.sil.org/OFLCopyright
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
            Source: EasePaint.exeString found in binary or memory: http://u.bitwar.net/ep/EasePaintSetup.exe
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: http://u.bitwar.net/ep/EasePaintSetup.exehttp://u.bitwar.net/ep/newversion.htmhttp://u.bitwar.net/ep
            Source: EasePaint.exe, 00000004.00000002.3352125405.0000000001645000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://u.bitwar.net/ep/EasePaintSetup.exetWaterj:v
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://u.bitwar.net/ep/cd.cab
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://u.bitwar.net/ep/newversion.htm
            Source: EasePaint.exeString found in binary or memory: http://u.bitwar.net/ep/patch.dll.cab
            Source: EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://u.bitwar.net/ep/patch.dll.cabn:v
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://u.bitwar.net/ep/patchversion.htm
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: http://vip.deliocr.cn/ep/parse_video/parse.php?url=%s&time=%d&s=%svideo_urlimg_urlEmptyVideoUrl%s
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.brynosaurus.com/cachedir/
            Source: wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
            Source: EasePaint.exe, 00000004.00000003.3099676146.00000000FEAF0000.00000004.00001000.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3098158963.00000000FD700000.00000004.00001000.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3098875690.00000000FDBA0000.00000004.00001000.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3097587725.00000000FDD70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/V
            Source: EasePaint.exe, 00000004.00000003.3096540065.00000000FDCF0000.00000004.00001000.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3098158963.00000000FD700000.00000004.00001000.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3097587725.00000000FDD70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html
            Source: EasePaint.exe, 00000004.00000003.3096540065.00000000FDCF0000.00000004.00001000.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3098158963.00000000FD700000.00000004.00001000.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3097587725.00000000FDD70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cairographics.org))
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://curl.haxx.se/V
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
            Source: wi86CSarYC.exe, 00000000.00000000.2105649818.0000000000D6F000.00000002.00000001.01000000.00000003.sdmp, wi86CSarYC.exe, 00000000.00000002.2693094475.0000000000D6F000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
            Source: wi86CSarYC.exe, 00000000.00000000.2105649818.0000000000D6F000.00000002.00000001.01000000.00000003.sdmp, wi86CSarYC.exe, 00000000.00000002.2693094475.0000000000D6F000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
            Source: wi86CSarYC.exe, 00000000.00000000.2105649818.0000000000D6F000.00000002.00000001.01000000.00000003.sdmp, wi86CSarYC.exe, 00000000.00000002.2693094475.0000000000D6F000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/0install/0install-win0
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
            Source: EasePaint.exeString found in binary or memory: https://tw.easepaint.com/video-watermark-removal-support.html
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://twitter.com/intent/tweet?url=https://www.easepaint.com&text=Free
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vip.bitwarsoft.com/v1.0/checkrechargecode.php?code=%s&lc=%s&product_id=%d&uid=%s&username=%s
            Source: EasePaint.exeString found in binary or memory: https://vip.bitwarsoft.com/v1.0/checkusername.php?lc=%s&product_id=%d&username=%s&version=%d&s=%s
            Source: EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vip.bitwarsoft.com/v1.0/checkusername.php?lc=%s&product_id=%d&username=%s&version=%d&s=%sh:v
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3352125405.0000000001645000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vip.bitwarsoft.com/v1.0/getuserinfo.php?lc=%s&password=%s&product_id=%d&reg_type=%d&uid=%s&u
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vip.bitwarsoft.com/v1.0/login_authorized/check.php?lc=%s&product_id=%d&scene_id=%s&uid=%s&ve
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vip.bitwarsoft.com/v1.0/modify.php?by_pass=%d&email=%s&lc=%s&mobile=%s&newpass=%s&password=%
            Source: EasePaint.exeString found in binary or memory: https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=%s&product_id=%d&version=%d&s=%s
            Source: EasePaint.exe, 00000004.00000002.3352125405.0000000001645000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=%s&product_id=%d&version=%d&s=%sf
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vip.bitwarsoft.com/v1.0/pay/create.php?adid=%s&business=%d&fee_id=%d&lc=%s&mon=%d&partner_id
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vip.bitwarsoft.com/v1.0/register.php?adid=%s&lc=%s&partner_id=%s&password=%s&product_id=%d&r
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vip.bitwarsoft.com/v1.0/sendcaptcha.php?by_mobile=%d&email=%s&lc=%s&mobile=%s&product_id=%d&
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vip.bitwarsoft.com/v1.0/share/check.php?lc=%s&product_id=%d&uid=%s&username=%s&version=%d&s=
            Source: EasePaint.exeString found in binary or memory: https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=%s&product_id=%d&version=%d&s=%s
            Source: EasePaint.exe, 00000004.00000002.3352125405.0000000001645000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=%s&product_id=%d&version=%d&s=%sg
            Source: EasePaint.exe, 00000004.00000003.2719885210.000000000352B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfe
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vip.bitwarsoft.com/v1.0/tutu/addtotal.php?count=1&lc=%s&product_id=%d&username=%s&version=%d
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.bitwarsoft.com/
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.bitwarsoft.com/chat/
            Source: EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.bitwarsoft.com/chat/er
            Source: EasePaint.exeString found in binary or memory: https://www.bitwarsoft.com/multiple-segment-trims-on-same-video.html
            Source: EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.bitwarsoft.com/multiple-segment-trims-on-same-video.htmlH;~
            Source: EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.bitwarsoft.com/share/ep/5times-en/index.html?count=%d&day=0&lc=%s&partner_id=%s&product_
            Source: EasePaint.exeString found in binary or memory: https://www.bitwarsoft.com/share/ep/5times-tw/index.html?count=%d&day=0&lc=%s&partner_id=%s&product_
            Source: EasePaint.exeString found in binary or memory: https://www.bitwarsoft.com/tutorials
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://www.bitwarsoft.com/tutorialsChangeWindowMessageFilteruser32.dllLable_ScrollBarBg
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://www.bitwarsoft.com/twitter/login2.html%s?scene_id=%s&lc=%s&login_type=%s
            Source: EasePaint.exeString found in binary or memory: https://www.bitwarsoft.com/uninstallfeedback?lang=en&product_id=%d
            Source: EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.bitwarsoft.com/uninstallfeedback?lang=en&product_id=%dR:v
            Source: EasePaint.exeString found in binary or memory: https://www.bitwarsoft.com/uninstallfeedback?lang=tw&product_id=%d
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
            Source: wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.easepaint.com/0
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
            Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
            Source: unknownHTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:49722 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:49723 version: TLS 1.2
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DirectInput8Creatememstr_d72abcfc-6
            Source: C:\Users\user\Desktop\wi86CSarYC.exeWindows user hook set: 0 mouse low level C:\Windows\SYSTEM32\dinput8.dllJump to behavior
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_ab855f90-b
            Source: Yara matchFile source: Process Memory Space: wi86CSarYC.exe PID: 2872, type: MEMORYSTR

            E-Banking Fraud

            Source: Yara match File source: 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.2754272249.0000000008B3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.2753267438.0000000008B3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.3100571744.000000000B8CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.2756207632.0000000009637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.3096352847.0000000009639000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.3097500473.000000000A238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: EasePaint.exe PID: 5772, type: MEMORYSTR

            System Summary

            Source: ToolkitPro1513vc60.dll.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DDE7E0 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtOpenSection,NtMapViewOfSection,NtUnmapViewOfSection,_strncat,CloseHandle,FreeLibrary
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DDF2C0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtOpenSection
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DDFD90 NtMapViewOfSection,NtUnmapViewOfSection
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DDEBF0: GetVersionExW,CreateFileA,DeviceIoControl,_strncat,CloseHandle
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DDE7E0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E980C4
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E1A220
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DF83E0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E0A580
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E987BC
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E00700
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DC68F0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E1E9F0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E84983
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DF6900
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E10AF0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E0EAF6
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E98A19
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DC2C70
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DC4D50
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E98EE2
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E28E60
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DC31E0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00EBD14F
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E83270
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E23250
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DDF210
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E29370
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E0B4E0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DFB4E0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DC7620
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E297A0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DC37B0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DFB7B0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E13710
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00ED58AC
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DC1990
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E97A2C
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E19BA0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DC5B80
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DC7B50
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DC3B30
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E97C5B
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E13DD0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E1DD50
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00EADD30
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E0DEFA
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DC3EB0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E09E10
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe 6E2DE2230A751EC89BB757595C466B846B5AC6EFB8F17C67E5AF78C98B60B798
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\libcurl.dll B2204979FDCFBEDE97AC011416D65685EDF4BF8C4F93345D249FDA5A45027553
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 00DE80C0 appears 46 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 00E42660 appears 53 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 00E635AD appears 83 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 00DD62B0 appears 111 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 00E02180 appears 31 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 00DE9660 appears 47 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 00DD6590 appears 95 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 00DF4980 appears 60 times
            Source: EasePaint.exe.0.dr | Static PE information: Resource name: DATA type: Zip archive data, at least v2.0 to extract, compression method=store
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZeroInstall.Store.dll: vs wi86CSarYC.exe
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibcurl.dllB vs wi86CSarYC.exe
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshost.dllR vs wi86CSarYC.exe
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006436000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameToolkitPro.dll vs wi86CSarYC.exe
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEasePaint.exe4 vs wi86CSarYC.exe
            Source: wi86CSarYC.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: classification engine | Classification label: mal88.troj.spyw.evad.winEXE@3/28@1/5
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DC8B60 GetLastError,FormatMessageW,OutputDebugStringW,LocalFree
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DFB4E0 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle,GetShellWindow,GetWindowThreadProcessId,OpenProcess,GetLastError,OpenProcessToken,GetLastError,DuplicateTokenEx,GetLastError,LoadLibraryW,GetProcAddress,FreeLibrary,GetLastError,CloseHandle,CloseHandle,CloseHandle
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00E1F930 CoCreateInstance
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 4_2_00DF6040 LoadResource,LockResource,SizeofResource
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | File created: C:\Users\user\AppData\Local\Programs
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Mutant created: \Sessions\1\BaseNamedObjects\65243982
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | File created: C:\Users\user\AppData\Local\Temp\s27s.0.ics
            Source: wi86CSarYC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
            Source: EasePaint.exe, 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: EasePaint.exe, 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: EasePaint.exe, 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
            Source: EasePaint.exe, 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: EasePaint.exe, 00000004.00000003.3137688077.000000000AEA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: wi86CSarYC.exe | ReversingLabs: Detection: 50%
            Source: EasePaint.exe | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/tutu/addtotal.php?count=1&lc=%s&product_id=%d&username=%s&version=%d&s=%s
            Source: EasePaint.exe | String found in binary or memory: /install
            Source: unknown | Process created: C:\Users\user\Desktop\wi86CSarYC.exe "C:\Users\user\Desktop\wi86CSarYC.exe"
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Process created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Process created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: opengl32.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: glu32.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: quserex.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: dinput8.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: xinput1_4.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: devobj.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: inputhost.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: appxdeploymentclient.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: dbghelp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ycomuiu.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: netapi32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: libbind.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: vcomp140.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: libcurl.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: dbgcore.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: quserex.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: shost.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: quserex.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: toolkitpro1513vc60.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mfc42.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: opengl32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: glu32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: glu32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: schannel.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: oleacc.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wtsapi32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wshunix.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mpr.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: rasapi32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: rasman.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: samcli.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: avifil32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: msacm32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: winmmbase.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: winmmbase.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: cryptui.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: pstorec.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: winsta.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ieframe.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: wlanapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: netprofm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: npmproxy.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: mmdevapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: devobj.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: audioses.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: logoncli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\wi86CSarYC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: wi86CSarYC.exe Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: wi86CSarYC.exe Static file information: File size 20092696 > 1048576
            Source: wi86CSarYC.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4dd200
            Source: wi86CSarYC.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x148800
            Source: wi86CSarYC.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xcc7800
            Source: wi86CSarYC.exe Static PE information: More than 200 imports for KERNEL32.dll
            Source: wi86CSarYC.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: \EasePaint\2.2.1.0\temp\release-en\EasePaint_en\EasePaint_en.pdb source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
            Source: Binary string: \EasePaint\comuiLib\bin\ycomuiu.pdb source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp
            Source: wi86CSarYC.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: wi86CSarYC.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: wi86CSarYC.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: wi86CSarYC.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: wi86CSarYC.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00DDE7E0 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtOpenSection,NtMapViewOfSection,NtUnmapViewOfSection,_strncat,CloseHandle,FreeLibrary, 4_2_00DDE7E0
            Source: ycomuiu.dll.0.dr Static PE information: real checksum: 0x2f147d should be: 0x2f3e04
            Source: libcurl.dll.0.dr Static PE information: real checksum: 0x858cf should be: 0x83117
            Source: shost.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x463e87
            Source: ToolkitPro1513vc60.dll.0.dr Static PE information: real checksum: 0x76cdbd should be: 0x774dbd
            Source: ycomuiu.dll.0.dr Static PE information: section name: _RDATA
            Source: C:\Users\user\Desktop\wi86CSarYC.exe Code function: 0_2_00CE3B1A push ecx; ret 0_2_00CE3B2D
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00DCE008 push dword ptr [ebx+ecx*2-75h]; iretd 4_2_00DCE00E
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00DCE1A5 push dword ptr [ebp+edx*2-75h]; iretd 4_2_00DCE1B4
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E12650 push ecx; mov dword ptr [esp], 3F800000h 4_2_00E1273D
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E64A46 push ecx; ret 4_2_00E64A59
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00EDADAC push ecx; ret 4_2_00EDADBF
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E133F0 push ecx; mov dword ptr [esp], 3F800000h 4_2_00E135EB

            Persistence and Installation Behavior

            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: GetVersionExW,CreateFileA,DeviceIoControl,_strncat,CloseHandle, \\.\PhysicalDrive%d 4_2_00DDEBF0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: DeviceIoControl,CreateFileA,DeviceIoControl,DeviceIoControl,DeviceIoControl,_strncat,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 4_2_00DDFA50
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: CreateFileA,DeviceIoControl,_strncat,CloseHandle, \\.\PhysicalDrive%d 4_2_00DDFC80
            Source: C:\Users\user\Desktop\wi86CSarYC.exe File created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\ycomuiu.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe File created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\shost.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe File created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\ToolkitPro1513vc60.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe File created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\libbind.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe File created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\libcurl.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe File created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File created: C:\Users\user\AppData\Local\Temp\s4gc.1
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File created: C:\Users\user\AppData\Local\Temp\s4gc.2
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E04140 GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW, 4_2_00E04140
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E462A0 GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW, 4_2_00E462A0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E40310 GetModuleFileNameW,PathRemoveFileSpecW,GetPrivateProfileIntW,SHSetValueW,WritePrivateProfileStringW,SHGetValueW, 4_2_00E40310
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E567A0 SHGetValueW,GetPrivateProfileStringW, 4_2_00E567A0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E57A20 GetPrivateProfileIntW,PathFileExistsW, 4_2_00E57A20
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E57BD0 GetPrivateProfileIntW, 4_2_00E57BD0

            Boot Survival

            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: GetVersionExW,CreateFileA,DeviceIoControl,_strncat,CloseHandle, \\.\PhysicalDrive%d 4_2_00DDEBF0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: DeviceIoControl,CreateFileA,DeviceIoControl,DeviceIoControl,DeviceIoControl,_strncat,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 4_2_00DDFA50
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: CreateFileA,DeviceIoControl,_strncat,CloseHandle, \\.\PhysicalDrive%d 4_2_00DDFC80

            Hooking and other Techniques for Hiding and Protection

            Source: EasePaint.exe, 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: torConnect
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E23DF0 __set_se_translator,SetUnhandledExceptionFilter,FindWindowW,SetForegroundWindow,IsIconic,ShowWindow,CoInitialize,DefWindowProcW,InitCommonControlsEx,SHGetValueW,PathFileExistsW,SHSetValueW,EnterCriticalSection,DestroyWindow,LeaveCriticalSection,CoUninitialize,__Init_thread_footer,__Init_thread_footer, 4_2_00E23DF0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E39230 ?OnSize@WindowImplBase@DuiLib@@UAEJIIJAAH@Z,IsIconic,?SetControlWidth@WindowImplBase@DuiLib@@QAEXPB_WH@Z,?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z,?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z,?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z,?GetCurSel@CTabLayoutUI@DuiLib@@QBEHXZ,?PostMessageW@CWindowWnd@DuiLib@@QAEJIIJ@Z,IsWindow,MoveWindow, 4_2_00E39230
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E34FA0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 4_2_00E34FA0
            Source: C:\Users\user\Desktop\wi86CSarYC.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00DDE620 sgdt fword ptr [ebp-18h] 4_2_00DDE620
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: GetAdaptersInfo,GetAdaptersInfo,SHGetValueA,_strncat, 4_2_00DDED80
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Window / User API: threadDelayed 738
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe API coverage: 2.8 %
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe TID: 6796 Thread sleep time: -75075s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe TID: 3268 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe TID: 1600 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: PhysicalDrive0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E26440 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose, 4_2_00E26440
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E40610 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose, 4_2_00E40610
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E42890 FindFirstFileW,_wcsstr,FindNextFileW,FindClose, 4_2_00E42890
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E40B60 MultiByteToWideChar,MultiByteToWideChar,FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose, 4_2_00E40B60
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E2AEA0 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose, 4_2_00E2AEA0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E25740 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose, 4_2_00E25740
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E2D720 FindFirstFileW,DeleteFileW,FindNextFileW,DeleteFileW,FindNextFileW,FindClose, 4_2_00E2D720
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Thread delayed: delay time: 75075
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData\Roaming
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: wi86CSarYC.exe, 00000000.00000002.2701924646.00000000022F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
            Source: wi86CSarYC.exe, 00000000.00000002.2701924646.000000000233E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: wi86CSarYC.exe, 00000000.00000002.2701924646.000000000233E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}U
            Source: EasePaint.exe, 00000004.00000002.3352125405.000000000155E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe Code function: 0_2_00CF6CB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CF6CB7
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00DC8B60 GetLastError,FormatMessageW,OutputDebugStringW,LocalFree, 4_2_00DC8B60
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00DDE7E0 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtOpenSection,NtMapViewOfSection,NtUnmapViewOfSection,_strncat,CloseHandle,FreeLibrary, 4_2_00DDE7E0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E65452 mov esi, dword ptr fs:[00000030h] 4_2_00E65452
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00EBB618 mov eax, dword ptr fs:[00000030h] 4_2_00EBB618
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00DDE020 GetProcessHeap,MultiByteToWideChar,HeapAlloc,SetLastError,MultiByteToWideChar,GetLastError,HeapFree,SetLastError,SetLastError, 4_2_00DDE020
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\wi86CSarYC.exe Code function: 0_2_00CE33BF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00CE33BF
            Source: C:\Users\user\Desktop\wi86CSarYC.exe Code function: 0_2_00CF6CB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CF6CB7
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E23DF0 __set_se_translator,SetUnhandledExceptionFilter,FindWindowW,SetForegroundWindow,IsIconic,ShowWindow,CoInitialize,DefWindowProcW,InitCommonControlsEx,SHGetValueW,PathFileExistsW,SHSetValueW,EnterCriticalSection,DestroyWindow,LeaveCriticalSection,CoUninitialize,__Init_thread_footer,__Init_thread_footer, 4_2_00E23DF0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E635C2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00E635C2
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00E9F55F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00E9F55F
            Source: C:\Users\user\Desktop\wi86CSarYC.exe Process created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00DC8F20 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateFileW,InternetReadFile,WriteFile,CloseHandle, 4_2_00DC8F20
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006436000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: EasePaint.exe, 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U
            Source: EasePaint.exe, 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: explorer.exeShell_TrayWnd
            Source: wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006436000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TaskbarCreatedTrayClockWClassTrayNotifyWndShell_TrayWndCXTPSpinButtonCtrlTOOLBARBUTTONSPINARROWSHORIZONTALTOOLBARBUTTONSPINARROWGLYPHSTOOLBARBUTTONSPINARROWSVERTICALCXTPSplitterWndExCXTPSplitterWndSplitterFrameSplitterFrameTabSplitterFaceSplitterFaceTabCXTPCaptionCXTPCaptionPopupWndXTPCaptionPopupWndCXTPHyperLinkCXTPSearchOptionsViewCXTPSearchOptionsCtrlCXTPExcelTabCtrlCXTPMDIWndTab...CXTPTabCtrlCXTPTabViewSysTabControl32CXTPTreeCtrlCXTPTreeViewUserPreferencesMaskControl Panel\DesktopCOMBOBOXXtreme Toolkit v%d.%02d%d.%02dSoftwareHKLMHKCU%i,%i%ld,%ld%i,%i,%i,%i%ld,%ld,%ld,%ldCXTButtonCXTButtonThemeFactoryCXTComboBoxExComboBoxEx32CXTMonthCalCtrlCXTDateTimeCtrlSysDateTimePick32SysMonthCal32CXTFlatEditCXTFlatComboBoxCXTFlatEditThemeFactoryCXTFlatComboBoxThemeFactory
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 4_2_00DDEB40 cpuid 4_2_00DDEB40
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_00ED09C4
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: GetLocaleInfoW,4_2_00ED0B93
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: EnumSystemLocalesW,4_2_00ED0CA5
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: EnumSystemLocalesW,4_2_00ED0C3C
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_00ED0DCD
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: EnumSystemLocalesW,4_2_00ED0D40
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: EnumSystemLocalesW,4_2_00EC10B7
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: GetLocaleInfoW,4_2_00ED101D
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_00ED1146
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: GetLocaleInfoW,4_2_00ED124D
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_00ED131A
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: GetLocaleInfoW,4_2_00EC1B07
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIdJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIdJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIdJump to behavior
            Source: C:\Users\user\Desktop\wi86CSarYC.exeQueries volume information: C:\Users\user\AppData\Local\Temp\__db.s27s.3 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\wi86CSarYC.exeQueries volume information: C:\Users\user\AppData\Local\Temp\__db.s27s.3 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\wi86CSarYC.exeQueries volume information: C:\Users\user\AppData\Local\Temp\s27s.3 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\wi86CSarYC.exeQueries volume information: C:\Users\user\AppData\Local\Temp\TMPCF27.tmp VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\wi86CSarYC.exeCode function: 0_2_00CE3E2C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00CE3E2C
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: 4_2_00EC4634 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,4_2_00EC4634
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: 4_2_00DDE7E0 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtOpenSection,NtMapViewOfSection,NtUnmapViewOfSection,_strncat,CloseHandle,FreeLibrary,4_2_00DDE7E0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2754272249.0000000008B3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2753267438.0000000008B3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.3100571744.000000000B8CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2756207632.0000000009637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.3096352847.0000000009639000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.3097500473.000000000A238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: EasePaint.exe PID: 5772, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: Yara match | File source: 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2754272249.0000000008B3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2753267438.0000000008B3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.3100571744.000000000B8CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2756207632.0000000009637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.3096352847.0000000009639000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.3097500473.000000000A238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: EasePaint.exe PID: 5772, type: MEMORYSTR
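The eight "File opened" events above are the behaviour behind the "Tries to harvest and steal browser information" signature: a process that is not a browser reads the Chrome, Edge and Firefox credential and cookie stores. The Python script below is an added example (not Joe Sandbox output and not part of this report) of turning that pattern into detection logic over file-open telemetry. It runs on a constructed event list modelled on the paths in this report; the event shape (process image path plus opened path), the FileOpen class, the allow-list of browser image names and the regular expressions are assumptions of the example, not anything the sandbox emits.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Browser credential/cookie stores, matched case-insensitively against the
# tail of the opened path. The set is modelled on the files this report shows
# EasePaint.exe opening (Chromium "Login Data", "Cookies", "Web Data"; Firefox
# profiles.ini and cookies.sqlite) plus the Firefox password files a stealer
# would read next (logins.json, key4.db). Assumption of the example.
SENSITIVE_STORES = [
    (re.compile(r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\login data$", re.I), "chromium-logins"),
    (re.compile(r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\(network\\)?cookies$", re.I), "chromium-cookies"),
    (re.compile(r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\web data$", re.I), "chromium-autofill"),
    (re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\(cookies|logins|key4)\.(sqlite|json|db)$", re.I), "firefox-store"),
    (re.compile(r"\\mozilla\\firefox\\profiles\.ini$", re.I), "firefox-profiles"),
]

# Processes that legitimately open these stores: the browsers themselves.
# Assumption: matched on image file name only. A production rule would also
# require the expected install path and Authenticode signer, because a
# stealer can simply name itself chrome.exe.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class FileOpen:
    process: str  # full path of the process that opened the file
    target: str   # full path of the file that was opened


def classify(target):
    """Return the store label for a sensitive browser file, else None."""
    for pattern, label in SENSITIVE_STORES:
        if pattern.search(target):
            return label
    return None


def suspicious_opens(events):
    """Every open of a browser store by a process that is not a browser."""
    hits = []
    for ev in events:
        label = classify(ev.target)
        if label is None:
            continue
        image = PureWindowsPath(ev.process).name.lower()
        if image in BROWSER_IMAGES:
            continue
        hits.append((ev.process, ev.target, label))
    return hits


def summarize(events):
    """Group hits by process: one stealer touching five stores is one finding."""
    findings = {}
    for process, _target, label in suspicious_opens(events):
        findings.setdefault(process, set()).add(label)
    return findings


# Constructed sample telemetry, modelled on the "File opened" lines of this
# report plus two benign opens (the browser reading its own store, and the
# dropped binary reading a file that is not a credential store).
EASEPAINT = r"C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    FileOpen(EASEPAINT, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileOpen(EASEPAINT, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileOpen(EASEPAINT, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    FileOpen(EASEPAINT, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    FileOpen(EASEPAINT, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite"),
    FileOpen(EASEPAINT, r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    FileOpen(EASEPAINT, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences"),
    FileOpen(CHROME, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileOpen(EASEPAINT, r"C:\ProgramData\EaseOrganizer\settings.ini"),
]


def demo():
    """Run the rule over the constructed events and return the findings."""
    return summarize(SAMPLE_EVENTS)


if __name__ == "__main__":
    for process, labels in demo().items():
        print(f"{process}: {', '.join(sorted(labels))}")
```

Grouping by process matters for triage: the report lists each file separately, but the finding is "EasePaint.exe read five distinct credential stores in one run", which is far harder to explain away than any single open. Chrome's Preferences file is deliberately not in the list, because reading it is common to legitimate software and adds noise without adding evidence of theft.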

Remote Access Functionality

Source: Yara match | File source: 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2754272249.0000000008B3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2753267438.0000000008B3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.3100571744.000000000B8CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2756207632.0000000009637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.3096352847.0000000009639000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.3097500473.000000000A238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: EasePaint.exe PID: 5772, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; the number in brackets is the count of signatures that hit that technique, and techniques listed without a count were not observed for this sample)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [11]; Native API [1]; Command and Scripting Interpreter [2]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Bootkit [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading [1]; Access Token Manipulation [1]; Process Injection [12]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; DLL Side-Loading [1]; Masquerading [11]; Virtualization/Sandbox Evasion [151]; Access Token Manipulation [1]; Process Injection [12]; Bootkit [1]; HTML Smuggling
Credential Access: OS Credential Dumping [1]; Input Capture [31]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [2]; File and Directory Discovery [3]; System Information Discovery [85]; Security Software Discovery [251]; Process Discovery [1]; Virtualization/Sandbox Evasion [151]; Application Window Discovery [11]; System Owner/User Discovery [2]; System Network Configuration Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [11]; Data from Local System [1]; Input Capture [31]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer [2]; Encrypted Channel [21]; Multi-hop Proxy [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [3]; Proxy [1]; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label | Link
wi86CSarYC.exe | 50% | ReversingLabs | Win32.Trojan.Leonem |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\ToolkitPro1513vc60.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\libbind.dll | 37% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\libcurl.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\shost.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\ycomuiu.dll | 0% | ReversingLabs | |
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label | Link
https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=%s&product_id=%d&version=%d&s=%s | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfe | 0% | Avira URL Cloud | safe |
https://tw.easepaint.com/video-watermark-removal-support.html | 0% | Avira URL Cloud | safe |
https://cairographics.org)) | 0% | Avira URL Cloud | safe |
http://quoteunquoteapps.comhttp://basicrecipe.comCopyright | 0% | Avira URL Cloud | safe |
https://www.bitwarsoft.com/tutorialsChangeWindowMessageFilteruser32.dllLable_ScrollBarBg | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/share/check.php?lc=%s&product_id=%d&uid=%s&username=%s&version=%d&s= | 0% | Avira URL Cloud | safe |
https://www.bitwarsoft.com/multiple-segment-trims-on-same-video.htmlH;~ | 0% | Avira URL Cloud | safe |
http://action.ashxCodeValueTimesModeUsernameLogsevent.ashxContenterror.ashxContactsuggest.ashxerrorf | 0% | Avira URL Cloud | safe |
https://www.bitwarsoft.com/uninstallfeedback?lang=en&product_id=%dR:v | 0% | Avira URL Cloud | safe |
http://u.bitwar.net/ep/patchversion.htm | 0% | Avira URL Cloud | safe |
https://www.bitwarsoft.com/uninstallfeedback?lang=en&product_id=%d | 0% | Avira URL Cloud | safe |
https://www.easepaint.com/0 | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=%s&product_id=%d&version=%d&s=%sg | 0% | Avira URL Cloud | safe |
https://www.bitwarsoft.com/ | 0% | Avira URL Cloud | safe |
https://www.bitwarsoft.com/chat/er | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/register.php?adid=%s&lc=%s&partner_id=%s&password=%s&product_id=%d&r | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 | 0% | Avira URL Cloud | safe |
http://u.bitwar.net/ep/EasePaintSetup.exe | 0% | Avira URL Cloud | safe |
http://vip.deliocr.cn/ep/parse_video/parse.php?url=%s&time=%d&s=%svideo_urlimg_urlEmptyVideoUrl%s | 0% | Avira URL Cloud | safe |
http://scripts.sil.org/OFLCopyright | 0% | Avira URL Cloud | safe |
http://u.bitwar.net/ep/patch.dll.cabn:v | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/login_authorized/check.php?lc=%s&product_id=%d&scene_id=%s&uid=%s&ve | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=%s&product_id=%d&version=%d&s=%sf | 0% | Avira URL Cloud | safe |
https://www.bitwarsoft.com/twitter/login2.html%s?scene_id=%s&lc=%s&login_type=%s | 0% | Avira URL Cloud | safe |
http://u.bitwar.net/ep/newversion.htm | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/checkusername.php?lc=%s&product_id=%d&username=%s&version=%d&s=%sh:v | 0% | Avira URL Cloud | safe |
https://www.bitwarsoft.com/uninstallfeedback?lang=tw&product_id=%d | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/checkrechargecode.php?code=%s&lc=%s&product_id=%d&uid=%s&username=%s | 0% | Avira URL Cloud | safe |
http://u.bitwar.net/ep/patch.dll.cab | 0% | Avira URL Cloud | safe |
http://u.bitwar.net/ep/EasePaintSetup.exetWaterj:v | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/tutu/addtotal.php?count=1&lc=%s&product_id=%d&username=%s&version=%d | 0% | Avira URL Cloud | safe |
https://www.bitwarsoft.com/share/ep/5times-en/index.html?count=%d&day=0&lc=%s&partner_id=%s&product_ | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/getuserinfo.php?lc=%s&password=%s&product_id=%d&reg_type=%d&uid=%s&u | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/checkusername.php?lc=%s&product_id=%d&username=%s&version=%d&s=%s | 0% | Avira URL Cloud | safe |
http://u.bitwar.net/ep/cd.cab | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/pay/create.php?adid=%s&business=%d&fee_id=%d&lc=%s&mon=%d&partner_id | 0% | Avira URL Cloud | safe |
https://www.bitwarsoft.com/tutorials | 0% | Avira URL Cloud | safe |
https://www.bitwarsoft.com/chat/ | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/sendcaptcha.php?by_mobile=%d&email=%s&lc=%s&mobile=%s&product_id=%d& | 0% | Avira URL Cloud | safe |
https://www.bitwarsoft.com/share/ep/5times-tw/index.html?count=%d&day=0&lc=%s&partner_id=%s&product_ | 0% | Avira URL Cloud | safe |
http://quoteunquoteapps.com) | 0% | Avira URL Cloud | safe |
https://www.bitwarsoft.com/multiple-segment-trims-on-same-video.html | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=%s&product_id=%d&version=%d&s=%s | 0% | Avira URL Cloud | safe |
https://vip.bitwarsoft.com/v1.0/modify.php?by_pass=%d&email=%s&lc=%s&mobile=%s&newpass=%s&password=% | 0% | Avira URL Cloud | safe |
http://u.bitwar.net/ep/EasePaintSetup.exehttp://u.bitwar.net/ep/newversion.htmhttp://u.bitwar.net/ep | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
vip.bitwarsoft.com | 47.251.36.78 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 | false | Avira URL Cloud: safe | unknown
https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://html4/loose.dtd | wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfe | EasePaint.exe, 00000004.00000003.2719885210.000000000352B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.bitwarsoft.com/tutorialsChangeWindowMessageFilteruser32.dllLable_ScrollBarBg | wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ocsp.sectigo.com0 | wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.openssl.org/V | EasePaint.exe, 00000004.00000003.3099676146.00000000FEAF0000.00000004.00001000.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3098158963.00000000FD700000.00000004.00001000.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3098875690.00000000FDBA0000.00000004.00001000.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3097587725.00000000FDD70000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://cairographics.org)) | wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://quoteunquoteapps.comhttp://basicrecipe.comCopyright | wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.bitwarsoft.com/uninstallfeedback?lang=en&product_id=%dR:v | EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=%s&product_id=%d&version=%d&s=%s | EasePaint.exe | false | Avira URL Cloud: safe | unknown
https://www.bitwarsoft.com/multiple-segment-trims-on-same-video.htmlH;~ | EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://tw.easepaint.com/video-watermark-removal-support.html | EasePaint.exe | false | Avira URL Cloud: safe | unknown
https://vip.bitwarsoft.com/v1.0/share/check.php?lc=%s&product_id=%d&uid=%s&username=%s&version=%d&s= | EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://action.ashxCodeValueTimesModeUsernameLogsevent.ashxContenterror.ashxContactsuggest.ashxerrorf | wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
                      http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        http://u.bitwar.net/ep/patchversion.htmEasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://.csswi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          https://curl.haxx.se/docs/http-cookies.htmlwi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            https://www.bitwarsoft.com/uninstallfeedback?lang=en&product_id=%dEasePaint.exefalse
                            • Avira URL Cloud: safe
                            unknown
                            https://www.easepaint.com/0wi86CSarYC.exe, 00000000.00000003.2687404961.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687295666.0000000002361000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2688004715.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687359216.0000000002379000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.000000000237A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2687608576.0000000002363000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.openssl.org/support/faq.htmlEasePaint.exe, 00000004.00000003.3096540065.00000000FDCF0000.00000004.00001000.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3098158963.00000000FD700000.00000004.00001000.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3097587725.00000000FDD70000.00000004.00001000.00020000.00000000.sdmpfalse
                              high
                              https://www.bitwarsoft.com/chat/erEasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://vip.bitwarsoft.com/v1.0/register.php?adid=%s&lc=%s&partner_id=%s&password=%s&product_id=%d&rEasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://curl.se/docs/hsts.htmlwi86CSarYC.exe, 00000000.00000000.2105649818.0000000000D6F000.00000002.00000001.01000000.00000003.sdmp, wi86CSarYC.exe, 00000000.00000002.2693094475.0000000000D6F000.00000002.00000001.01000000.00000003.sdmpfalse
                                high
                                https://www.bitwarsoft.com/EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=%s&product_id=%d&version=%d&s=%sgEasePaint.exe, 00000004.00000002.3352125405.0000000001645000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://u.bitwar.net/ep/EasePaintSetup.exeEasePaint.exefalse
                                • Avira URL Cloud: safe
                                unknown
                                https://curl.haxx.se/docs/copyright.htmlDwi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                  high
                                  https://curl.haxx.se/Vwi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                    high
                                    http://www.brynosaurus.com/cachedir/wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
                                      http://vip.deliocr.cn/ep/parse_video/parse.php?url=%s&time=%d&s=%svideo_urlimg_urlEmptyVideoUrl%swi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://scripts.sil.org/OFLCopyrightwi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://u.bitwar.net/ep/patch.dll.cabn:vEasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://.jpgwi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        https://vip.bitwarsoft.com/v1.0/login_authorized/check.php?lc=%s&product_id=%d&scene_id=%s&uid=%s&veEasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.bitwarsoft.com/uninstallfeedback?lang=tw&product_id=%dEasePaint.exefalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.bitwarsoft.com/twitter/login2.html%s?scene_id=%s&lc=%s&login_type=%swi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://u.bitwar.net/ep/newversion.htmEasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=%s&product_id=%d&version=%d&s=%sfEasePaint.exe, 00000004.00000002.3352125405.0000000001645000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://sectigo.com/CPS0wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          https://vip.bitwarsoft.com/v1.0/checkusername.php?lc=%s&product_id=%d&username=%s&version=%d&s=%sh:vEasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://curl.se/docs/http-cookies.htmlwi86CSarYC.exe, 00000000.00000000.2105649818.0000000000D6F000.00000002.00000001.01000000.00000003.sdmp, wi86CSarYC.exe, 00000000.00000002.2693094475.0000000000D6F000.00000002.00000001.01000000.00000003.sdmpfalse
                                            high
                                            https://twitter.com/intent/tweet?url=https://www.easepaint.com&text=Freewi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpfalse
                                              high
                                              https://vip.bitwarsoft.com/v1.0/checkrechargecode.php?code=%s&lc=%s&product_id=%d&uid=%s&username=%sEasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                http://u.bitwar.net/ep/patch.dll.cabEasePaint.exefalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://vip.bitwarsoft.com/v1.0/tutu/addtotal.php?count=1&lc=%s&product_id=%d&username=%s&version=%dEasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://u.bitwar.net/ep/EasePaintSetup.exetWaterj:vEasePaint.exe, 00000004.00000002.3352125405.0000000001645000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.bitwarsoft.com/share/ep/5times-en/index.html?count=%d&day=0&lc=%s&partner_id=%s&product_EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://u.bitwar.net/ep/cd.cabEasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://curl.se/docs/alt-svc.htmlwi86CSarYC.exe, 00000000.00000000.2105649818.0000000000D6F000.00000002.00000001.01000000.00000003.sdmp, wi86CSarYC.exe, 00000000.00000002.2693094475.0000000000D6F000.00000002.00000001.01000000.00000003.sdmpfalse
                                                  high
                                                  https://vip.bitwarsoft.com/v1.0/getuserinfo.php?lc=%s&password=%s&product_id=%d&reg_type=%d&uid=%s&uEasePaint.exe, EasePaint.exe, 00000004.00000002.3352125405.0000000001645000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://vip.bitwarsoft.com/v1.0/checkusername.php?lc=%s&product_id=%d&username=%s&version=%d&s=%sEasePaint.exefalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://vip.bitwarsoft.com/v1.0/pay/create.php?adid=%s&business=%d&fee_id=%d&lc=%s&mon=%d&partner_idEasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://www.bitwarsoft.com/tutorialsEasePaint.exefalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0twi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.openssl.org/support/faq.htmlRANDEasePaint.exe, 00000004.00000003.3096540065.00000000FDCF0000.00000004.00001000.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3098158963.00000000FD700000.00000004.00001000.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000003.3097587725.00000000FDD70000.00000004.00001000.00020000.00000000.sdmpfalse
                                                      high
                                                      https://www.bitwarsoft.com/chat/EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0ywi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://vip.bitwarsoft.com/v1.0/sendcaptcha.php?by_mobile=%d&email=%s&lc=%s&mobile=%s&product_id=%d&EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://www.bitwarsoft.com/multiple-segment-trims-on-same-video.htmlEasePaint.exefalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#wi86CSarYC.exe, 00000000.00000003.2683236182.0000000006529000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://www.bitwarsoft.com/share/ep/5times-tw/index.html?count=%d&day=0&lc=%s&partner_id=%s&product_EasePaint.exefalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://github.com/0install/0install-win0wi86CSarYC.exe, 00000000.00000003.2683236182.00000000058DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=%s&product_id=%d&version=%d&s=%sEasePaint.exefalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://quoteunquoteapps.com)wi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://scripts.sil.org/OFLwi86CSarYC.exe, 00000000.00000003.2683236182.0000000005A36000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://vip.bitwarsoft.com/v1.0/modify.php?by_pass=%d&email=%s&lc=%s&mobile=%s&newpass=%s&password=%EasePaint.exe, EasePaint.exe, 00000004.00000002.3353493592.0000000003A00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://u.bitwar.net/ep/EasePaintSetup.exehttp://u.bitwar.net/ep/newversion.htmhttp://u.bitwar.net/epwi86CSarYC.exe, 00000000.00000003.2683236182.0000000005121000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000004.00000000.2690525873.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs
                                                              IPDomainCountryFlagASNASN NameMalicious
                                                              89.116.191.177
                                                              unknownLithuania
                                                              15419LRTC-ASLTfalse
                                                              213.210.13.4
                                                              unknownUnited Kingdom
                                                              8851EDGEtaGCIComGBfalse
                                                              193.188.22.40
                                                              unknownRussian Federation
                                                              49558LIVECOMM-ASRespublikanskayastr3k6RUfalse
                                                              193.188.22.41
                                                              unknownRussian Federation
                                                              49558LIVECOMM-ASRespublikanskayastr3k6RUfalse
                                                              47.251.36.78
                                                              vip.bitwarsoft.comUnited States
                                                              45102CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdCfalse
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1573201
Start date and time: 2024-12-11 16:28:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: wi86CSarYC.exe (renamed because original name is a hash value)
Original Sample Name: d7444d0ab1742bd2fed6dfdbd47f97372843894e0c78d853761697089bb24d40.exe
Detection: MAL
Classification: mal88.troj.spyw.evad.winEXE@3/28@1/5
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: wi86CSarYC.exe
Time | Type | Description
10:30:32 | API Interceptor | 69x Sleep call for process: EasePaint.exe modified
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              89.116.191.177UFh7A8CImG.exeGet hashmaliciousDanaBotBrowse
                                                                nSORtPkIOR.msiGet hashmaliciousDanaBotBrowse
                                                                  cloudflare.msiGet hashmaliciousDanaBotBrowse
                                                                    zDcNyG6Csn.exeGet hashmaliciousDanaBotBrowse
                                                                      213.210.13.4UFh7A8CImG.exeGet hashmaliciousDanaBotBrowse
                                                                        nSORtPkIOR.msiGet hashmaliciousDanaBotBrowse
                                                                          cloudflare.msiGet hashmaliciousDanaBotBrowse
                                                                            zDcNyG6Csn.exeGet hashmaliciousDanaBotBrowse
                                                                              193.188.22.40UFh7A8CImG.exeGet hashmaliciousDanaBotBrowse
                                                                                nSORtPkIOR.msiGet hashmaliciousDanaBotBrowse
                                                                                  cloudflare.msiGet hashmaliciousDanaBotBrowse
                                                                                    zDcNyG6Csn.exeGet hashmaliciousDanaBotBrowse
                                                                                      193.188.22.41nSORtPkIOR.msiGet hashmaliciousDanaBotBrowse
                                                                                        cloudflare.msiGet hashmaliciousDanaBotBrowse
                                                                                          47.251.36.78CEjWMdiJnR.exeGet hashmaliciousDanaBotBrowse
                                                                                            CEjWMdiJnR.exeGet hashmaliciousDanaBotBrowse
                                                                                              BitwarSetup.exeGet hashmaliciousUnknownBrowse
                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                vip.bitwarsoft.comCEjWMdiJnR.exeGet hashmaliciousDanaBotBrowse
                                                                                                • 47.251.36.78
                                                                                                CEjWMdiJnR.exeGet hashmaliciousDanaBotBrowse
                                                                                                • 47.251.36.78
                                                                                                BitwarSetup.exeGet hashmaliciousUnknownBrowse
                                                                                                • 47.251.36.78
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
LIVECOMM-ASRespublikanskayastr3k6RU | UFh7A8CImG.exe | Get hash | malicious | DanaBot | Browse | 193.188.22.40
 | nSORtPkIOR.msi | Get hash | malicious | DanaBot | Browse | 193.188.22.41
 | cloudflare.msi | Get hash | malicious | DanaBot | Browse | 193.188.22.41
 | zDcNyG6Csn.exe | Get hash | malicious | DanaBot | Browse | 193.188.22.40
 | http://winningwriters.com | Get hash | malicious | Unknown | Browse | 193.188.22.73
 | f6ffg1sZS2.exe | Get hash | malicious | Babuk, Djvu | Browse | 92.246.89.93
 | cHZiG7fsJb.exe | Get hash | malicious | Metasploit | Browse | 212.192.213.56
 | tsnsd8pOvn.exe | Get hash | malicious | Babuk, Djvu | Browse | 92.246.89.93
 | C0XWmZAnYk.exe | Get hash | malicious | Babuk, Djvu | Browse | 92.246.89.93
LRTC-ASLT | UFh7A8CImG.exe | Get hash | malicious | DanaBot | Browse | 89.116.191.177
 | nSORtPkIOR.msi | Get hash | malicious | DanaBot | Browse | 89.116.191.177
 | cloudflare.msi | Get hash | malicious | DanaBot | Browse | 89.116.191.177
 | zDcNyG6Csn.exe | Get hash | malicious | DanaBot | Browse | 89.116.191.177
 | jew.arm7.elf | Get hash | malicious | Mirai | Browse | 89.117.100.57
 | ET5.exe | Get hash | malicious | Unknown | Browse | 89.117.55.228
 | b1.exe | Get hash | malicious | PureCrypter, MicroClip | Browse | 89.117.79.31
 | b1.exe | Get hash | malicious | PureCrypter, MicroClip | Browse | 89.117.79.31
 | mipsel.elf | Get hash | malicious | Unknown | Browse | 84.46.252.91
 | aeI0ukq9TD.exe | Get hash | malicious | Unknown | Browse | 89.117.72.231
EDGEtaGCIComGB | UFh7A8CImG.exe | Get hash | malicious | DanaBot | Browse | 213.210.13.4
 | nSORtPkIOR.msi | Get hash | malicious | DanaBot | Browse | 213.210.13.4
 | cloudflare.msi | Get hash | malicious | DanaBot | Browse | 213.210.13.4
 | zDcNyG6Csn.exe | Get hash | malicious | DanaBot | Browse | 213.210.13.4
 | Support.Client (1).exe | Get hash | malicious | ScreenConnect Tool | Browse | 185.49.126.73
 | Support.Client (1).exe | Get hash | malicious | ScreenConnect Tool | Browse | 185.49.126.73
 | la.bot.m68k.elf | Get hash | malicious | Unknown | Browse | 213.210.9.89
 | la.bot.powerpc.elf | Get hash | malicious | Unknown | Browse | 77.107.70.202
 | fvIqrxcfuL.exe | Get hash | malicious | Quasar | Browse | 89.213.56.109
 | la.bot.mipsel.elf | Get hash | malicious | Unknown | Browse | 89.213.146.12
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://t.ly/me-ZS | Get hash | malicious | Unknown | Browse | 47.251.36.78
 | Cj3OWJHzls.lnk | Get hash | malicious | Ducktail | Browse | 47.251.36.78
 | MdmRznA6gx.lnk | Get hash | malicious | Ducktail | Browse | 47.251.36.78
 | 3y37oMIUy6.lnk | Get hash | malicious | Ducktail | Browse | 47.251.36.78
 | m9c7iq9nzP.lnk | Get hash | malicious | Ducktail | Browse | 47.251.36.78
 | WXahq3ZEss.lnk | Get hash | malicious | Ducktail | Browse | 47.251.36.78
 | 0A3NB8ot11.lnk | Get hash | malicious | Ducktail | Browse | 47.251.36.78
 | rRtGI3L0ca.lnk | Get hash | malicious | Ducktail | Browse | 47.251.36.78
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\libcurl.dll | CEjWMdiJnR.exe | Get hash | malicious | DanaBot | Browse |
 | CEjWMdiJnR.exe | Get hash | malicious | DanaBot | Browse |
C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | CEjWMdiJnR.exe | Get hash | malicious | DanaBot | Browse |
 | CEjWMdiJnR.exe | Get hash | malicious | DanaBot | Browse |

Process: C:\Users\user\Desktop\wi86CSarYC.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2410320
Entropy (8bit): 6.889985120272385
Encrypted: false
SSDEEP: 49152:sZFK7uHTpF43FAhsB8tyXfV0ZWErm5UPGV9T/iOrjH/6z:s7z/mO7mGPQLrM
MD5: 95D5FAC09D8DF14A4890FB72E6BA046E
SHA1: C04BD301260B8229E2929AD21B1A2EB5DCAADE5C
SHA-256: 6E2DE2230A751EC89BB757595C466B846B5AC6EFB8F17C67E5AF78C98B60B798
SHA-512: 2D2414A67FACB92E0317B67CEC12413DB7D46D08DE490CA21ACA897CAB6F7E17DC26ED758A394D741FA5885F0092F7924E36AB5B130F6482B4154C0C7F71FDC4
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: CEjWMdiJnR.exe, Detection: malicious, Browse
• Filename: CEjWMdiJnR.exe, Detection: malicious, Browse
Reputation: low

Process: C:\Users\user\Desktop\wi86CSarYC.exe
File Type: data
Category: dropped
Size (bytes): 5708898
Entropy (8bit): 7.999817474035384
Encrypted: true
SSDEEP: 98304:4uSUpCVmIEpd+mWeTSQLybH+u0aqQ0vsPb+e5MPd4C7O3Rsc8IaM:43AC8I6+mWI4GaqT0Pb+EC7U/8ZM
MD5: 047F3A06561E6F55DB635A603F92F021
SHA1: C7BEB5E73D4948CD25698D7DAB13372DC01ED185
SHA-256: F910097C00C7E382ECAD8353B4FF115BCDCE67FF60B5038ED0E5D7665BC6AD3D
SHA-512: ED77789AACBAE69D5CD21C451A8EA19ED0F38A6D67633C4213948566F7AA1D0EFA302978B6990972104D2CF798C1E2538CFAFB2F7D34267C5812F8C991A79CC4
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\wi86CSarYC.exe
File Type: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
Category: dropped
Size (bytes): 5016910
Entropy (8bit): 7.480590135173546
Encrypted: false
SSDEEP: 98304:M/5DCbiskOaOhu69skGR4vHDgsHbPbn8gU4xH7U+bTb3gGQf+nYqjUp3Oj:MlUkVuuuK473bPbn8YbTsfWnYmU36
MD5: 466DD2E741CB161BC1ED68B7C6CCB50B
SHA1: A1AA1E2E1941BC10A983AB698609BCBD5F367CB6
SHA-256: 46919A2E0BFE9535C4D2496180278FE2C956055F5AC4873A72C4A7A4F20FB3D8
SHA-512: 51E875164CA54C8EEAB048AEEE9801731EA989FA410E0CBC5414172AC63589D53A0AC718ADA2585F6E936B2881809780280796474BE073EA335FB0CDE7FACCB5
Malicious: false
Reputation: low

Process: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
File Type: data
Category: dropped
Size (bytes): 5709053
Entropy (8bit): 7.999817536801621
Encrypted: true
SSDEEP: 98304:6uSUpCVmIEpd+mWeTSQLybH+u0aqQ0vsPb+e5MPd4C7O3Rsc8IaU:63AC8I6+mWI4GaqT0Pb+EC7U/8ZU
MD5: 4A1609AD2A40E27ED70ACBCB92A72A8E
SHA1: 13AA82AEF41E81CC2485D07B6ECC3BD804B4B59F
SHA-256: 3C32BC2E7D02348FEE8577C31EE8E2E7606A4BE6B147A0AE5C71399D3CBFC2D9
SHA-512: 178FEFA7B25219D4C22695B3D34DDBFC6E9CFB373504DED16B4F1718609FCBE2E05619E30915F0ACEA281C09D13F8998B38CD61F8BC6BAF645E285D1093C0176
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\wi86CSarYC.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 7759360
Entropy (8bit): 6.722542083267176
Encrypted: false
SSDEEP: 98304:hfs3PJEPfNDXjFHKwftlnWAj9WF6HOSKXu:hfsUlNKL6HOJ+
MD5: 52093B930D74D157517D68D464E490EC
SHA1: 43D5BA4A773FE5EF0D259212DBF2DB6CC86E9A79
SHA-256: 1FCDAFA131810A276F5E1D934C55FF69B58ADFA32887DACF09B796CACC4D866E
SHA-512: 716EA1C83DEDD9E7FEF9E9B3529E17B0C1649C844BFDE822C0A48BFD9BC2C8E81836ABA4154CF227E4D0E56839CBE0280240BBB85D2A4D576010EF6E021DA8A0
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low

Process: C:\Users\user\Desktop\wi86CSarYC.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 7286480
Entropy (8bit): 6.699794092464677
Encrypted: false
SSDEEP: 98304:jB3tOH2AjkkDqYsKc7b+UTBl9JuONaaSGUe5Mo9itNgKybC1:5tVAjTfspb+c/uONa65kvgfbC1
MD5: 486E6FBE70C67D89FEC40B1B2BC04715
SHA1: A2D0F2934B2538D01FCD9685A35F0336DB18B5D4
SHA-256: AFBD2282D74C32ADD3A65FF7840A64EB7B9EAFE71C8096D03BE60FFD8BBE133B
SHA-512: E452C3A81B4C7DE69324FA7017E3470379892D0962CBA5AF721A76BEE9DB97B6EDA00999138172AB8834C3DC5A88684E3943A67741A4A31B58CC1BD73996A81B
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 37%
Reputation: low
                                                                                                        Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                        Category:modified
                                                                                                        Size (bytes):482808
                                                                                                        Entropy (8bit):6.571174585397808
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:p+roGaFQD+sgDLUr/cPCwMXHxQNXs0w63NKfIAygN5XwEBqHeZSCxlon4O298m5H:4Z8YDR98m5VX9jTn
                                                                                                        MD5:457DC112A88076C71724DC22A3F4D90F
                                                                                                        SHA1:7D69FD4F50B3B50B4954B1C5FCC2FD40CECCCCAA
                                                                                                        SHA-256:B2204979FDCFBEDE97AC011416D65685EDF4BF8C4F93345D249FDA5A45027553
                                                                                                        SHA-512:D30ABE00D5C4CD488651AEB835F207BEA05A13E0C44FD51C506A337241967A59DAA7C8658C1DF0B07EC4E028CE4C3D7207754B2072AF3CFC48BB887046C4D3EB
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                        Joe Sandbox View:
                                                                                                         • Filename: CEjWMdiJnR.exe, Detection: malicious
                                                                                                        Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):4572160
                                                                                                        Entropy (8bit):6.808220761823103
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:98304:yp05Qj7e+pfZ64Khic8Vl7J24kL00TmUuazmoHWhCxDesui8DgMetO:K0g7ecYHhic8Vl7J24kL00TmUuazmoHX
                                                                                                        MD5:FE0A6C37438E85E7304DFAB539443EA1
                                                                                                        SHA1:57CFAF6D0754D1FCCE97B4437B82FB0C9D32FE95
                                                                                                        SHA-256:CDFAC37C3C704B89EE8363EA8DDBAE12A893589E98B541BC485A3BE66E37DBF9
                                                                                                        SHA-512:F57444C924C78CDC94C2B050F74007E6F32C1892C2AD05AD4D0E27309C902408A814270B2832E5CC720F51A1A4FEEA92FC22A45D49EDDED4A92CD80F8F79054A
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                        Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):3071824
                                                                                                        Entropy (8bit):6.7286878204550264
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:49152:6v7Mg/YnxxeILSBKiUd3/xMlg3zZvQbTIe4MpHcO9IfUO8v6w5mX8w5M6usJKT4:e7eeIB1Q54b504
                                                                                                        MD5:4190DC53968245E1AE10749DF8879848
                                                                                                        SHA1:74F045D0A150AABCFB8001D237A2150DCE27973F
                                                                                                        SHA-256:DADF20CAAC74C8DEE10C8A875452B904AF1F799A5F445FE2A5DECDFF57B16548
                                                                                                        SHA-512:F3310EBCDD6EF25BF3A3BF6F61FBD55DF25B77E46590A517030669D36709E6028E6E7D9BC373F27A8269C633CBC184BCC64DC3F89566BD0C984C07C125328075
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                        Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):20480
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3::
                                                                                                        MD5:DAA100DF6E6711906B61C9AB5AA16032
                                                                                                        SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                                                                                        SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                                                                                        SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                                                                                        Malicious:false
                                                                                                        Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):20480
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3::
                                                                                                        MD5:DAA100DF6E6711906B61C9AB5AA16032
                                                                                                        SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                                                                                        SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                                                                                        SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                                                                                        Malicious:false
                                                                                                        Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):106496
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3::
                                                                                                        MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                                                                                        SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                                                                                        SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                                                                                        SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                                                                                        Malicious:false
                                                                                                        Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):40960
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3::
                                                                                                        MD5:AB893875D697A3145AF5EED5309BEE26
                                                                                                        SHA1:C90116149196CBF74FFB453ECB3B12945372EBFA
                                                                                                        SHA-256:02B1C2234680617802901A77EAE606AD02E4DDB4282CCBC60061EAC5B2D90BBA
                                                                                                        SHA-512:6B65C0A1956CE18DF2D271205F53274D2905C803D059A0801BF8331CCAA28A1D4842D3585DD9C2B01502A4BE6664BDE2E965B15FCFEC981E85EED37C595CD6BC
                                                                                                        Malicious:false
                                                                                                        Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):51200
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3::
                                                                                                        MD5:BF235F22DF3E004EDE21041978C24F2E
                                                                                                        SHA1:7188972F71AEE4C62669330FF7776E48094B4D9D
                                                                                                        SHA-256:16FA66A7DC98D93F2A4C5D20BAF5177F59C4C37FC62FACE65690C11C15FE6FF9
                                                                                                        SHA-512:E76D7CBBAA2B3110D38425F7B579C6F94C29A162D3B4A3B9A4FEACEDE7CEC5EA5E30E455F9417A2C230390C78AB2FBC54C7B98C8F8F68955FE071C37C59D4046
                                                                                                        Malicious:false
                                                                                                        Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                                                        File Type:data
                                                                                                        Category:modified
                                                                                                        Size (bytes):98304
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3::
                                                                                                        MD5:0A9156C4E3C48EF827980639C4D1E263
                                                                                                        SHA1:9F13A523321C66208E90D45F87FA0CD9B370E111
                                                                                                        SHA-256:3A3ED164E42500A1C5B2D0093F0A813D27DC50D038F330CC100A7E70ECE2E6E4
                                                                                                        SHA-512:8A46C1B44C0EA338AFF0D2E2D07C34430B67B68B6D27E1ADB8CF216B0F0994172CED106A90283F2F0469B5CAA40ACEDF101D45729B823E5179EA55AC507E04AD
                                                                                                        Malicious:false
                                                                                                        Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):32768
                                                                                                        Entropy (8bit):0.017262956703125623
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                        MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                        SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                        SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                        SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                        Malicious:false
                                                                                                        Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                                                        File Type:7-zip archive data, version 0.4
                                                                                                        Category:dropped
                                                                                                        Size (bytes):13290781
                                                                                                        Entropy (8bit):7.999979953857841
                                                                                                        Encrypted:true
                                                                                                        SSDEEP:196608:sromIOmmlfLu+TwfaYfIx26ye9vcqB13YiUeLQrQVxn5GHX5sjavB0cWQklxxniv:OymdK++/fQWBqB1R6QXw35s2aHJip/O+
                                                                                                        MD5:04F0198F443995D1696722CA9E7E3210
                                                                                                        SHA1:C4DDA5FB1EB43F310538B961D7673A489643B747
                                                                                                        SHA-256:69BB7ED51139CA1872C30D57EE7E8459A9C12D6B8A5A60EECB979E56EAD7E987
                                                                                                        SHA-512:B1C3D467ABD501ECDA9B8917AB24D83A79986477FA27B0D2443B8D80432DAE83B531045A7908BCBE84447CFCD20CF355F648087BFD78F5AF2433A7C00AB87924
                                                                                                        Malicious:false
                                                                                                        Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):106496
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3::
                                                                                                        MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                                                                                        SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                                                                                        SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                                                                                        SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                                                                                        Malicious:false
                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):106496
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3::
                                                                                                        MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                                                                                        SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                                                                                        SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                                                                                        SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                                                                                        Malicious:false
                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):196608
                                                                                                        Entropy (8bit):0.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3::
                                                                                                        MD5:EF2E0D18474B2151EF5876B1E89C2F1D
                                                                                                        SHA1:AEF9802FCF76C67D695BC77322BAE5400D3BBE82
                                                                                                        SHA-256:3381DE4CA9F3A477F25989DFC8B744E7916046B7AA369F61A9A2F7DC0963EC9E
                                                                                                        SHA-512:E81185705A3BD73645BF2B190BBF3AEE060C1C72F98FA39665F254A755B0A5723CE8296422874EB50C7B5E8D6BCD90175B0BA28061221039172A3F50E8902CC8
                                                                                                        Malicious:false
                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                                                        File Type:Berkeley DB (Btree, version 9, native byte-order)
                                                                                                        Category:dropped
                                                                                                        Size (bytes):16384
                                                                                                        Entropy (8bit):0.030191689390222036
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:0lBCtNl1lzvEp/l1XldlE/l9ltlBttklzvEp/l1XldlE/l:c2Ag91LCAg
                                                                                                        MD5:CA395AD943E0D50C0F39CD8C37FF872D
                                                                                                        SHA1:0214DCFE4BB2A4214544D471B12B06D0890AF998
                                                                                                        SHA-256:45C608AFBF113AE1DD8BE8F16DAC9F448AE62F9AD62B0A7B24A339F17410F80C
                                                                                                        SHA-512:C9BAC6A9E1A1126BDD557D9718590763BADF3920C4D3310274CA9854B28F14517128799531B268D5ACC772071DBE61300D0A93FFA6C44679EF13E6A6B70D5995
                                                                                                        Malicious:false
                                                                                                        Preview:............b1....... ..............................?.......;.^..................... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                                                        File Type:ASCII text
                                                                                                        Category:dropped
                                                                                                        Size (bytes):34
                                                                                                        Entropy (8bit):4.057476076289931
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:6xyX5DIRsQl5:6ydIFD
                                                                                                        MD5:555D001CC8A1181362E88A6936FFBAB2
                                                                                                        SHA1:B855B4CC5EE285491E9F1703C868650F10AF5276
                                                                                                        SHA-256:B29358737EE9A231651C5ED8CD511F2DE3B7AA1BABBC8589C46F914653E37BEC
                                                                                                        SHA-512:ED67D751AC8977E27A7FA691A520B3E1D92AA2F67ACA9DA9AE3D53982B194A08FA0954FA9EB05B557C299B7C94017F068E5EB202A3C9A4C899AD10DEBFC13D26
                                                                                                        Malicious:false
                                                                                                        Preview:..ics_version.2.0.filename.s27s.0.
                                                                                                        Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                                                        File Type:ASCII text
                                                                                                        Category:dropped
                                                                                                        Size (bytes):34
                                                                                                        Entropy (8bit):4.116299605701696
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:6xyX5DIRsQlq:6ydIF8
                                                                                                        MD5:96B4352D4C9FD424FF24FA47F3B411F5
                                                                                                        SHA1:1A5CADE884998129733AC4513A6AF4E3BFC6AD94
                                                                                                        SHA-256:FC12B9BAD2A5C15477C58D05C1980C7DC9EE13C035F89152451435B0042E1CE3
                                                                                                        SHA-512:2E8FE0623A72E589646E7D7826A0BF8519E5200BAD3E46D849AB400F76774CEDAEB29D1B66374B29E2120C1923E4572C947506DE924030F5B9ECB195123F0F0D
                                                                                                        Malicious:false
                                                                                                        Preview:..ics_version.2.0.filename.s27s.1.
                                                                                                        Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):35
                                                                                                        Entropy (8bit):2.258492676514824
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:XVl6EcxvVKM:kp7
                                                                                                        MD5:D880A299052F9E9DFE0A27A82BCB75A9
                                                                                                        SHA1:7A94DB3C9AA1C526F2B09516AECDC647830A7DB9
                                                                                                        SHA-256:08D23E43FF2E59F5AA84828E4C05A3D61AE6E8C7319318EA57F7A2E91A5FEF2B
                                                                                                        SHA-512:DF2B90AF64C031980FFC6B49D2CFB20EDD79FF31030747689100BD4F916798629D526C4AE84F3E1AD1E530D857CB767DA321CA8EC5376E2FEEB679BBA132AFBD
                                                                                                        Malicious:false
                                                                                                        Preview:0 0 0..1 0 0..1 1 1..0 1 0..0 0 1..
                                                                                                        Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                                                        File Type:Berkeley DB (Btree, version 9, native byte-order)
                                                                                                        Category:dropped
                                                                                                        Size (bytes):16384
                                                                                                        Entropy (8bit):0.04605058557444765
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:0lBCtNl1lzvEp/l1XldlE/l9ltl76VlelzvEp/l1XldlE/lggPlLB:c2Ag91+P6Agge/
                                                                                                        MD5:82CA01F2C40A529FFA36770CFC53D578
                                                                                                        SHA1:53EDE65298219D0E25287DF64FF8FCF1368F457D
                                                                                                        SHA-256:255536FDAC49F9B25611BFCA0E9CE97324779CCF20EEA09C98FDA3D3AC614EBD
                                                                                                        SHA-512:D498B12631C14E849BC69A6B049B9BDA01084EDE4D33781FFD26C9AFE3853D2C39103DCF8BD41DE502FA144922CC4CA4A5F3395521DBEF424CAD8310943AFC8B
                                                                                                        Malicious:false
                                                                                                        Preview:............b1....... ..............................?.......;.^..................... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                                                        File Type:PNG image data, 600 x 400, 8-bit/color RGBA, non-interlaced
                                                                                                        Category:dropped
                                                                                                        Size (bytes):41369
                                                                                                        Entropy (8bit):7.972428113572902
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:768:8flNJeU+jFSF4HVXYmq8d66O80hoYoEJqOugiG3Y4bssP2ZNT3SAmriBeknZ:ilann1pq8o6Oh7o+1o4bssO7S+DnZ
                                                                                                        MD5:F09B635DA0C14490820F64D28CAD94EE
                                                                                                        SHA1:03CA314C663165297A8E2CC74F16612612D69CA7
                                                                                                        SHA-256:AF77061FC257538C87B854D2BCF2DE601CBDF884C315CD2C9240DCD757DDFE73
                                                                                                        SHA-512:00B0072A9463276D41CE35309901630C4274C2B73E70CE8E3A3060D490B57B1EB29AC37538807B062E325C2B7D661D8D8D366FC57A0C46DA93005191029B291D
                                                                                                        Malicious:false
                                                                                                        Preview:.PNG........IHDR...X.........r5.... .IDATx...wT.g.?~vg./ew..DP...+..b.k..Qc..........D.Q.{.`G, U...X.;..?.~~|}bb.A..u...I...3....f6........c...........................................................................................................................................................................j .C...q.L&..d..L&:.N7U|.......,....S4..H.t:fYY.uVV.....?...L.w..J..m2.h.-..,..x.@U^^n...k._~.e....Z..-..{.}.v..j...../.###..d2!EQ...j)..*4....T...).".Z-........bcc.....X.`i.m.D").....t..l6_.z.kVV.G.../....=|.0, .$I#Z...X...6Pi4.Nqq........-ruu-.7o....".H.b.t.AP4..\94Q.E.|.rWoo.l...t.^.].xq.....Q.F..p8..,..,..:...F#..j...../^....]...1g..-[.|,..e..To...............G.F...'>>..P(..$I.[.@....S.J..p...\.;.s.%.CBB^.5kuhhh.@ .3.L......X....h$JJJ......^.......-C....(....T.E.Z..UZZj.....z..YB.P6`..cYYY>.}.........w....77.|>..b2... >.6.$IRNNN....'O..n..j......5.*X.P....l...f..h$.j5777....1+V...c.S.N..I..vvv.....o*T..]............}..=.......^..!....@..T
                                                                                                        Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                                                        File Type:PDF document, version 1.7
                                                                                                        Category:dropped
                                                                                                        Size (bytes):955
                                                                                                        Entropy (8bit):6.467741785599371
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:AEkhE93XVAnJniM+Er9Ow+BLu+8rftsSOPfAxgd3SL:AVhE9nVAJAEhKd8rftsSOPYWJSL
                                                                                                        MD5:2736493DAD4F8C752754B94BBDF74998
                                                                                                        SHA1:CF826BA3B76E76D17A2454BE3A10D4ED35440E06
                                                                                                        SHA-256:943EDDE34C49E5078A1887D19392EA852E6B8802135432B4FAA0D445026F165F
                                                                                                        SHA-512:D564ECC0A92CD29640F63A176409011B59F0859C0DC4B218DCD74B82FCEE2DC580F6EAB586D89404712936FF583EC676E0BD79097EF8E2D9E27F5A15BC4AF7E4
                                                                                                        Malicious:false
                                                                                                        Preview:%PDF-1.7.%....4 0 obj.<< /Length 5 0 R. /Filter /FlateDecode.>>.stream.x.3T0.B]C aab....U.....- ...endstream.endobj.5 0 obj. 27.endobj.3 0 obj.<<.>>.endobj.7 0 obj.<< /Type /ObjStm. /Length 8 0 R. /N 1. /First 4. /Filter /FlateDecode.>>.stream.x.3S0.......8.].endstream.endobj.8 0 obj. 16.endobj.9 0 obj.<< /Type /ObjStm. /Length 12 0 R. /N 4. /First 23. /Filter /FlateDecode.>>.stream.x.U..j.0.D.....:..Z.I09.PJ.$....,.C..$...+.qJ.i......"b.Y.A9EDX?gQQ }...i-Ze#..k.X|......z..(....f.. ..3...&a./..v...m......6.j5.c.p..+...j.......|...G.V.._,<x._..B..l.o...A....|.c..{..y.Ev......E..<{LtAgO......u./pfT.TzU..;.N.C.>s.'e.h..X.=.~Q.9..W.W..N|...._.V.~..un..endstream.endobj.12 0 obj. 278.endobj.13 0 obj.<< /Type /XRef. /Length 58. /Filter /FlateDecode. /Size 14. /W [1 2 2]. /Root 11 0 R. /Info 10 0 R.>>.stream.x.c``........D012.0002...r..;...H0*....:F....t.(.t........endstream.endobj.startxref.729.%%EOF.
                                                                                                        Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                                                        File Type:PDF document, version 1.7
                                                                                                        Category:dropped
                                                                                                        Size (bytes):955
                                                                                                        Entropy (8bit):6.467741785599371
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:AEkhE93XVAnJniM+Er9Ow+BLu+8rftsSOPfAxgd3SL:AVhE9nVAJAEhKd8rftsSOPYWJSL
                                                                                                        MD5:2736493DAD4F8C752754B94BBDF74998
                                                                                                        SHA1:CF826BA3B76E76D17A2454BE3A10D4ED35440E06
                                                                                                        SHA-256:943EDDE34C49E5078A1887D19392EA852E6B8802135432B4FAA0D445026F165F
                                                                                                        SHA-512:D564ECC0A92CD29640F63A176409011B59F0859C0DC4B218DCD74B82FCEE2DC580F6EAB586D89404712936FF583EC676E0BD79097EF8E2D9E27F5A15BC4AF7E4
                                                                                                        Malicious:false
                                                                                                        Preview:%PDF-1.7.%....4 0 obj.<< /Length 5 0 R. /Filter /FlateDecode.>>.stream.x.3T0.B]C aab....U.....- ...endstream.endobj.5 0 obj. 27.endobj.3 0 obj.<<.>>.endobj.7 0 obj.<< /Type /ObjStm. /Length 8 0 R. /N 1. /First 4. /Filter /FlateDecode.>>.stream.x.3S0.......8.].endstream.endobj.8 0 obj. 16.endobj.9 0 obj.<< /Type /ObjStm. /Length 12 0 R. /N 4. /First 23. /Filter /FlateDecode.>>.stream.x.U..j.0.D.....:..Z.I09.PJ.$....,.C..$...+.qJ.i......"b.Y.A9EDX?gQQ }...i-Ze#..k.X|......z..(....f.. ..3...&a./..v...m......6.j5.c.p..+...j.......|...G.V.._,<x._..B..l.o...A....|.c..{..y.Ev......E..<{LtAgO......u./pfT.TzU..;.N.C.>s.'e.h..X.=.~Q.9..W.W..N|...._.V.~..un..endstream.endobj.12 0 obj. 278.endobj.13 0 obj.<< /Type /XRef. /Length 58. /Filter /FlateDecode. /Size 14. /W [1 2 2]. /Root 11 0 R. /Info 10 0 R.>>.stream.x.c``........D012.0002...r..;...H0*....:F....t.(.t........endstream.endobj.startxref.729.%%EOF.
                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Entropy (8bit):7.781966871820781
                                                                                                        TrID:
                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                        File name:wi86CSarYC.exe
                                                                                                        File size:20'092'696 bytes
                                                                                                        MD5:0897b6ab5240bdb4bbeb3adf924adb19
                                                                                                        SHA1:542a45a470d549a1c60ddeb4839a0efb1360679b
                                                                                                        SHA256:d7444d0ab1742bd2fed6dfdbd47f97372843894e0c78d853761697089bb24d40
                                                                                                        SHA512:cc709348df9cda2680037c33a6da44ed1c1ac382790418cb39e734de576b7916bcb1e28203322022df77f4daa454f27417a917849d9eae1998cc07b8680c47d7
                                                                                                        SSDEEP:393216:mZt39EfBgymdK++/fQWBqB1R6QXw35s2aHJip/O:yt3ea/dCnQHPJw35EH4p/
                                                                                                        TLSH:BE170102FFC385B1DE82017111BAA77B4D3A55484320E5E3A7D46DA8F8627E15B3FB98
File Content Preview: MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$........1l$.P.w.P.w.P.w.(.v.P.w.(.vhP.w.(.v.P.w...w.P.w...v.P.w...v.P.w...v.P.wE..v.P.w...v.P.w...v.Q.w...v.P.w...v0P.w.P.w.P.wE..vkS.
Icon Hash: 186c4c4c4c4c6967
Entrypoint: 0x852eac
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6707F36C [Thu Oct 10 15:31:56 2024 UTC]
TLS Callbacks: 0x8525b6, 0x852b7a
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 6c1291fac96906d97a48010bbceb4bcb
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
  Subject Chain
    Version:
    Thumbprint MD5:
    Thumbprint SHA-1:
    Thumbprint SHA-256:
    Serial:
Instruction
call 00007F0E6C85B87Dh
jmp 00007F0E6C85A72Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
cmp cl, 00000040h
jnc 00007F0E6C85A8C7h
cmp cl, 00000020h
jnc 00007F0E6C85A8B8h
shld edx, eax, cl
shl eax, cl
ret
mov edx, eax
xor eax, eax
and cl, 0000001Fh
shl edx, cl
ret
xor eax, eax
xor edx, edx
ret
int3
cmp cl, 00000040h
jnc 00007F0E6C85A8C7h
cmp cl, 00000020h
jnc 00007F0E6C85A8B8h
shrd eax, edx, cl
shr edx, cl
ret
mov eax, edx
xor edx, edx
and cl, 0000001Fh
shr eax, cl
ret
xor eax, eax
xor edx, edx
ret
push ebp
mov ebp, esp
and dword ptr [00A74798h], 00000000h
sub esp, 28h
or dword ptr [00A31998h], 01h
push 0000000Ah
call dword ptr [008DF398h]
test eax, eax
je 00007F0E6C85ABBBh
push ebx
push esi
push edi
xor eax, eax
lea edi, dword ptr [ebp-28h]
xor ecx, ecx
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-28h]
mov edi, dword ptr [ebp-24h]
mov dword ptr [ebp-04h], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-1Ch]
xor eax, 49656E69h
mov dword ptr [ebp-18h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 6C65746Eh
mov dword ptr [ebp-14h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-28h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6253f0 | 0xdc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x677000 | 0xcc77c3 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1327400 | 0x2718 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x133f000 | 0x2a000 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x617840 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x617730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4df000 | 0x664 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4dd1b4 | 0x4dd200 | 9d262aa805e3ce2beedcd36cf6f125f3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4df000 | 0x14874c | 0x148800 | be5e9c5e9decb08b17ab0a7449429d90 | False | 0.3670358875570776 | data | 5.971856139356924 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x628000 | 0x4e7bc | 0xfa00 | bed801ea8bb518344ed91d6f6be423c1 | False | 0.406171875 | data | 5.635325263974467 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x677000 | 0xcc77c3 | 0xcc7800 | f86c582c81f7a178c1468cecdc6bcfd9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x133f000 | 0x2a000 | 0x2a000 | 15f3d34c3fc65723d90702546b874dda | False | 0.5995047433035714 | data | 6.635714661940469 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x6772a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 756 x 756 px/m | | | 0.1879432624113475
RT_ICON | 0x677708 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 1134 x 1134 px/m | | | 0.1413934426229508
RT_ICON | 0x678090 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 1512 x 1512 px/m | | | 0.09427767354596622
RT_ICON | 0x679138 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2268 x 2268 px/m | | | 0.06742738589211618
RT_ICON | 0x67b6e0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3024 x 3024 px/m | | | 0.052491733585262164
RT_ICON | 0x67f908 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 6047 x 6047 px/m | | | 0.032148349698331954
RT_ICON | 0x690130 | 0x12e2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9290442697558957
RT_RCDATA | 0x691414 | 0xcacd1d | data | | | 1.0003108978271484
RT_GROUP_ICON | 0x133e134 | 0x68 | data | | | 0.75
RT_VERSION | 0x133e19c | 0x3a6 | data | | | 0.41862955032119914
RT_MANIFEST | 0x133e544 | 0x27f | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5633802816901409
DLL | Import
KERNEL32.dll | SetThreadContext, CreateIoCompletionPort, FormatMessageA, GetTempFileNameW, SleepEx, lstrcpyW, WideCharToMultiByte, CreateEventA, DeleteCriticalSection, LocalFree, QueueUserAPC, FindResourceW, LoadResource, CloseHandle, GlobalAlloc, LockResource, TerminateThread, SetEvent, GetLastError, FormatMessageW, GetThreadContext, RemoveDirectoryW, GlobalMemoryStatusEx, WriteConsoleW, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, CreateEventW, PostQueuedCompletionStatus, WaitForSingleObject, FindClose, GetTempPathW, EnumResourceNamesW, GetEnvironmentVariableW, GetQueuedCompletionStatus, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, WaitForMultipleObjects, EnumResourceTypesW, CreateWaitableTimerW, lstrlenW, EnterCriticalSection, SetLastError, SetWaitableTimer, FindFirstFileW, SizeofResource, CreateDirectoryW, GetFileAttributesW, CreateFile2, MultiByteToWideChar, IsValidCodePage, GetACP, GetOEMCP, CreateFileA, CreateFileW, GetFileAttributesA, GetFileInformationByHandle, GetFileType, GetFullPathNameW, ReadFile, WriteFile, PeekNamedPipe, GetExitCodeProcess, Sleep, GetStdHandle, SearchPathA, DuplicateHandle, SetHandleInformation, CreatePipe, GetCurrentProcess, CreateProcessA, OpenProcess, GetProcAddress, LoadLibraryA, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, InitializeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, GetCurrentThread, GetThreadGroupAffinity, InitOnceBeginInitialize, InitOnceComplete, GetModuleHandleW, WakeConditionVariable, InitializeCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, QueryPerformanceCounter, QueryPerformanceFrequency, VerSetConditionMask, GetModuleHandleExW, FreeLibrary, GetStartupInfoW, GlobalUnlock, GlobalLock, GlobalFree, SetThreadExecutionState, ReleaseSRWLockShared, AcquireSRWLockShared, GetCurrentThreadId, ReleaseSemaphore, GetExitCodeThread, CreateSemaphoreA, GetSystemInfo, VirtualFree, GetCurrentProcessId, GetSystemTimeAsFileTime, GetSystemTime, SystemTimeToFileTime, GetSystemDirectoryA, LoadLibraryW, FindNextFileW, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, GetTickCount, InitializeCriticalSectionEx, GetSystemDirectoryW, GetModuleHandleA, MoveFileExW, WaitForSingleObjectEx, GetEnvironmentVariableA, VerifyVersionInfoW, GetFileSizeEx, PulseEvent, GetDiskFreeSpaceW, SetFilePointer, GetVersion, GetVersionExW, FlushFileBuffers, DeleteFileW, MoveFileW, CreateFileMappingW, OpenFileMappingW, MapViewOfFile, UnmapViewOfFile, SetEndOfFile, SignalObjectAndWait, ResetEvent, ReleaseMutex, CreateMutexW, CreateThread, LockFile, LockFileEx, UnlockFile, GetShortPathNameW, GetModuleFileNameW, GetHandleInformation, GetQueuedCompletionStatusEx, InitOnceExecuteOnce, GetTickCount64, SetFileCompletionNotificationModes, RaiseException, GetLocaleInfoEx, GetStringTypeW, TryAcquireSRWLockExclusive, GetCurrentDirectoryW, FindFirstFileExW, GetFileAttributesExW, AreFileApisANSI, GetFileInformationByHandleEx, EncodePointer, DecodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, InitializeSListHead, IsDebuggerPresent, RtlUnwind, InterlockedPushEntrySList, LoadLibraryExW, ExitProcess, ExitThread, FreeLibraryAndExitThread, SetConsoleCtrlHandler, SetStdHandle, SetFilePointerEx, GetDriveTypeW, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetTimeZoneInformation, GetConsoleOutputCP, HeapReAlloc, HeapSize, HeapAlloc, HeapFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetCommandLineA
USER32.dll | CreateWindowExW, DestroyWindow, ShowWindow, ToUnicode, MapVirtualKeyW, DestroyIcon, GetDC, ReleaseDC, ChangeDisplaySettingsExW, EnumDisplaySettingsW, EnumDisplaySettingsExW, EnumDisplayDevicesW, GetMonitorInfoW, EnumDisplayMonitors, TrackMouseEvent, GetMessageTime, SendMessageW, PostMessageW, WaitMessage, GetLayeredWindowAttributes, SetLayeredWindowAttributes, FlashWindow, MoveWindow, SetWindowPos, GetWindowPlacement, SetWindowPlacement, IsWindowVisible, IsIconic, BringWindowToTop, IsZoomed, OpenClipboard, CloseClipboard, SetClipboardData, GetClipboardData, EmptyClipboard, SetFocus, GetActiveWindow, GetKeyState, SetCapture, ReleaseCapture, MsgWaitForMultipleObjects, SetForegroundWindow, SetPropW, GetPropW, RemovePropW, SetWindowTextW, GetClientRect, GetWindowRect, AdjustWindowRectEx, SetCursorPos, SetCursor, ClientToScreen, ScreenToClient, WindowFromPoint, ClipCursor, SetRect, OffsetRect, PtInRect, GetWindowLongW, SetWindowLongW, GetClassLongW, RegisterClassExW, LoadImageW, CreateIconIndirect, SystemParametersInfoW, MonitorFromWindow, GetRawInputData, RegisterRawInputDevices, GetRawInputDeviceInfoA, GetRawInputDeviceList, GetProcessWindowStation, GetUserObjectInformationW, MessageBoxW, GetCursorPos, GetSystemMetrics, TranslateMessage, DispatchMessageW, PeekMessageW, RegisterDeviceNotificationW, UnregisterDeviceNotification, DefWindowProcW, UnregisterClassW, LoadCursorW
SHELL32.dll | DragQueryFileW, ShellExecuteW, DragAcceptFiles, DragFinish, DragQueryPoint
OPENGL32.dll | glClear, glEnable
WS2_32.dll | inet_ntop, inet_pton, WSAWaitForMultipleEvents, WSAEventSelect, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent, sendto, recvfrom, getpeername, shutdown, socket, setsockopt, listen, connect, closesocket, bind, accept, send, recv, WSASetLastError, WSAIoctl, getservbyport, gethostbyaddr, inet_ntoa, getaddrinfo, freeaddrinfo, gethostname, WSARecv, inet_addr, htons, htonl, WSAGetLastError, gethostbyname, select, ntohs, getsockopt, getsockname, ioctlsocket, WSACleanup, WSAStartup, WSASend, ntohl, WSASendTo, WSARecvFrom, getservbyname, __WSAFDIsSet
bcrypt.dll | BCryptGenRandom
SHLWAPI.dll | PathFileExistsW
CRYPT32.dll | CertCloseStore, CertEnumCertificatesInStore, CertFindCertificateInStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertGetCertificateContextProperty, CertOpenSystemStoreW, CryptStringToBinaryW, PFXImportCertStore, CryptDecodeObjectEx, CertAddCertificateContextToStore, CertFindExtension, CertGetNameStringW, CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFreeCertificateChain, CertOpenStore
GDI32.dll | CreateDCW, DeleteDC, GetDeviceCaps, GetDeviceGammaRamp, SetDeviceGammaRamp, CreateBitmap, CreateRectRgn, DeleteObject, CreateDIBSection, ChoosePixelFormat, DescribePixelFormat, SetPixelFormat, SwapBuffers
ADVAPI32.dll | InitializeSecurityDescriptor, SetSecurityDescriptorDacl, CryptEncrypt, CryptImportKey, CryptHashData, CryptGetHashParam, CryptEnumProvidersW, CryptSignHashW, CryptDestroyHash, CryptCreateHash, CryptDecrypt, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptDestroyKey, CryptAcquireContextW, ReportEventW, RegisterEventSourceW, DeregisterEventSource, CryptReleaseContext, CryptGenRandom
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 11, 2024 16:29:55.320842028 CET | 49722 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:55.320895910 CET | 443 | 49722 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:55.320974112 CET | 49722 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:55.812871933 CET | 49722 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:55.812913895 CET | 443 | 49722 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:57.184915066 CET | 443 | 49722 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:57.184999943 CET | 49722 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:57.187381983 CET | 49722 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:57.187402964 CET | 443 | 49722 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:57.187962055 CET | 443 | 49722 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:57.194657087 CET | 49722 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:57.235343933 CET | 443 | 49722 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:57.687782049 CET | 443 | 49722 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:57.687872887 CET | 443 | 49722 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:57.688024044 CET | 49722 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:57.690233946 CET | 49722 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:57.690267086 CET | 443 | 49722 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:57.714221001 CET | 49723 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:57.714286089 CET | 443 | 49723 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:57.714345932 CET | 49723 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:57.715353966 CET | 49723 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:57.715368986 CET | 443 | 49723 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:59.276499987 CET | 443 | 49723 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:59.276664019 CET | 49723 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:59.278008938 CET | 49723 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:59.278022051 CET | 443 | 49723 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:59.278346062 CET | 443 | 49723 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:59.278841972 CET | 49723 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:59.323335886 CET | 443 | 49723 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:59.786884069 CET | 443 | 49723 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:59.786983013 CET | 443 | 49723 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:29:59.787033081 CET | 49723 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:59.787408113 CET | 49723 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:29:59.787430048 CET | 443 | 49723 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:30:36.779341936 CET | 49724 | 443 | 192.168.2.6 | 193.188.22.41
Dec 11, 2024 16:30:36.779376984 CET | 443 | 49724 | 193.188.22.41 | 192.168.2.6
Dec 11, 2024 16:30:36.779638052 CET | 49724 | 443 | 192.168.2.6 | 193.188.22.41
                                                                                                            Dec 11, 2024 16:30:36.829752922 CET49724443192.168.2.6193.188.22.41
                                                                                                            Dec 11, 2024 16:30:36.829768896 CET44349724193.188.22.41192.168.2.6
                                                                                                            Dec 11, 2024 16:30:36.829864025 CET49724443192.168.2.6193.188.22.41
                                                                                                            Dec 11, 2024 16:30:36.829869032 CET44349724193.188.22.41192.168.2.6
                                                                                                            Dec 11, 2024 16:30:36.830056906 CET44349724193.188.22.41192.168.2.6
                                                                                                            Dec 11, 2024 16:30:37.919814110 CET49725443192.168.2.689.116.191.177
                                                                                                            Dec 11, 2024 16:30:37.919868946 CET4434972589.116.191.177192.168.2.6
                                                                                                            Dec 11, 2024 16:30:37.920072079 CET49725443192.168.2.689.116.191.177
                                                                                                            Dec 11, 2024 16:30:37.983318090 CET49725443192.168.2.689.116.191.177
                                                                                                            Dec 11, 2024 16:30:37.983335018 CET4434972589.116.191.177192.168.2.6
                                                                                                            Dec 11, 2024 16:30:37.983377934 CET49725443192.168.2.689.116.191.177
                                                                                                            Dec 11, 2024 16:30:37.983382940 CET4434972589.116.191.177192.168.2.6
                                                                                                            Dec 11, 2024 16:30:37.983409882 CET4434972589.116.191.177192.168.2.6
                                                                                                            Dec 11, 2024 16:30:38.996534109 CET49726443192.168.2.6213.210.13.4
                                                                                                            Dec 11, 2024 16:30:38.996634960 CET44349726213.210.13.4192.168.2.6
                                                                                                            Dec 11, 2024 16:30:38.996726990 CET49726443192.168.2.6213.210.13.4
                                                                                                            Dec 11, 2024 16:30:39.045515060 CET49726443192.168.2.6213.210.13.4
                                                                                                            Dec 11, 2024 16:30:39.045598984 CET44349726213.210.13.4192.168.2.6
                                                                                                            Dec 11, 2024 16:30:39.045658112 CET49726443192.168.2.6213.210.13.4
                                                                                                            Dec 11, 2024 16:30:39.045672894 CET44349726213.210.13.4192.168.2.6
                                                                                                            Dec 11, 2024 16:30:39.045731068 CET44349726213.210.13.4192.168.2.6
                                                                                                            Dec 11, 2024 16:30:40.065777063 CET49727443192.168.2.6193.188.22.40
                                                                                                            Dec 11, 2024 16:30:40.065821886 CET44349727193.188.22.40192.168.2.6
                                                                                                            Dec 11, 2024 16:30:40.065965891 CET49727443192.168.2.6193.188.22.40
                                                                                                            Dec 11, 2024 16:30:40.140701056 CET49727443192.168.2.6193.188.22.40
                                                                                                            Dec 11, 2024 16:30:40.140722990 CET44349727193.188.22.40192.168.2.6
                                                                                                            Dec 11, 2024 16:30:40.140765905 CET49727443192.168.2.6193.188.22.40
                                                                                                            Dec 11, 2024 16:30:40.140772104 CET44349727193.188.22.40192.168.2.6
                                                                                                            Dec 11, 2024 16:30:40.140809059 CET44349727193.188.22.40192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 11, 2024 16:29:55.006067991 CET | 50612 | 53 | 192.168.2.6 | 1.1.1.1
Dec 11, 2024 16:29:55.238390923 CET | 53 | 50612 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 11, 2024 16:29:55.006067991 CET | 192.168.2.6 | 1.1.1.1 | 0xc7be | Standard query (0) | vip.bitwarsoft.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 11, 2024 16:29:55.238390923 CET | 1.1.1.1 | 192.168.2.6 | 0xc7be | No error (0) | vip.bitwarsoft.com | - | 47.251.36.78 | A (IP address) | IN (0x0001) | false
                                                                                                            • vip.bitwarsoft.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49722 | 47.251.36.78 | 443 | 5772 | C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-11 15:29:57 UTC | 187 | OUT | GET /v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1
Host: vip.bitwarsoft.com
Authorization: Basic cm9vdDpwYXNz
Accept: */*
2024-12-11 15:29:57 UTC | 421 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 11 Dec 2024 15:29:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=c95psacm4ke8s10s7f8g29t2s0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
2024-12-11 15:29:57 UTC | 34 | IN | Data Raw: 31 37 0d 0a 7b 22 72 65 73 75 6c 74 22 3a 31 2c 22 6f 70 65 6e 22 3a 22 31 22 7d 0d 0a 30 0d 0a 0d 0a
Data Ascii: 17{"result":1,"open":"1"}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49723 | 47.251.36.78 | 443 | 5772 | C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-11 15:29:59 UTC | 183 | OUT | GET /v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1
Host: vip.bitwarsoft.com
Authorization: Basic cm9vdDpwYXNz
Accept: */*
2024-12-11 15:29:59 UTC | 421 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 11 Dec 2024 15:29:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=ttvsr8ehkee4pi2p0mknsilkv7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
2024-12-11 15:29:59 UTC | 779 | IN | Data Raw: 32 66 66 0d 0a 7b 22 66 65 65 5f 63 6f 6e 66 69 67 22 3a 5b 7b 22 69 64 22 3a 22 31 37 22 2c 22 66 65 65 5f 6d 6f 6e 22 3a 22 39 22 2c 22 66 65 65 5f 6d 6f 6e 33 22 3a 22 30 22 2c 22 66 65 65 5f 6d 6f 6e 36 22 3a 22 30 22 2c 22 66 65 65 5f 79 65 61 72 22 3a 22 31 39 22 2c 22 66 65 65 5f 79 65 61 72 33 22 3a 22 30 22 2c 22 66 65 65 5f 6c 69 66 65 74 69 6d 65 22 3a 22 33 39 22 2c 22 70 72 6f 64 75 63 74 5f 69 64 22 3a 22 31 30 33 31 22 2c 22 70 61 72 74 6e 65 72 5f 69 64 22 3a 22 30 22 2c 22 6f 70 65 6e 22 3a 22 31 22 2c 22 6c 65 76 65 6c 22 3a 22 30 22 2c 22 6c 69 6d 69 74 5f 63 6f 75 6e 74 22 3a 22 30 22 2c 22 75 69 64 5f 63 6f 75 6e 74 22 3a 22 33 22 2c 22 63 72 65 61 74 65 54 69 6d 65 22 3a 22 31 35 39 38 34 39 32 35 39 31 22 2c 22 6c 69 6d 69 74 5f 73
Data Ascii: 2ff{"fee_config":[{"id":"17","fee_mon":"9","fee_mon3":"0","fee_mon6":"0","fee_year":"19","fee_year3":"0","fee_lifetime":"39","product_id":"1031","partner_id":"0","open":"1","level":"0","limit_count":"0","uid_count":"3","createTime":"1598492591","limit_s
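Both sessions to vip.bitwarsoft.com send the same hardcoded HTTP Basic credential (cm9vdDpwYXNz is base64 for root:pass, so the EasePaint license and payment-config endpoints are protected by a static password shipped in the client) and return chunked JSON that the sandbox renders as hex, the second one cut off part-way through a 0x2ff-byte chunk. The Python below is an added example, not part of the Joe Sandbox report or of the EasePaint software: it decodes the Authorization header, reassembles the Data Raw bytes from chunked transfer encoding, and parses JSON only when the body arrived complete. The two hex strings are copied from the captures above (the second trimmed to its first 31 octets); the function names are my own.

```python
import base64
import json

# Copies of the captured responses on this page (sessions 0 and 1 to
# vip.bitwarsoft.com). SESSION0_RAW is complete; SESSION1_RAW is only the
# start of the truncated 0x2ff-byte chunk, to exercise the incomplete path.
SESSION0_AUTH = "Basic cm9vdDpwYXNz"
SESSION0_RAW = (
    "31 37 0d 0a 7b 22 72 65 73 75 6c 74 22 3a 31 2c 22 6f 70 65 6e 22 3a "
    "22 31 22 7d 0d 0a 30 0d 0a 0d 0a"
)
SESSION1_RAW = (
    "32 66 66 0d 0a 7b 22 66 65 65 5f 63 6f 6e 66 69 67 22 3a 5b 7b 22 69 "
    "64 22 3a 22 31 37 22 2c"
)


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a 'Data Raw' line (space-separated hex octets) into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def decode_basic_auth(header_value: str) -> tuple:
    """Split an 'Authorization: Basic <b64>' value into (user, password)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError(f"not a Basic auth header: {header_value!r}")
    creds = base64.b64decode(token, validate=True).decode("utf-8")
    user, _, password = creds.partition(":")
    return user, password


def dechunk(body: bytes) -> tuple:
    """Decode an HTTP/1.1 chunked body.

    Returns (payload, complete). complete is False when the data ends before
    the terminating zero-length chunk, which is what a truncated sandbox dump
    looks like; the bytes that were present are still returned so an analyst
    can inspect the partial JSON.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            return bytes(out), False  # no chunk-size line left
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError(f"bad chunk size line: {body[pos:eol]!r}")
        pos = eol + 2
        if size == 0:
            return bytes(out), True  # last-chunk reached; trailers ignored
        chunk = body[pos:pos + size]
        out += chunk
        if len(chunk) < size:
            return bytes(out), False  # chunk data cut off mid-way
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            return bytes(out), False  # chunk data not followed by CRLF
        pos += 2


def parse_response(raw_hex: str) -> dict:
    """Dechunk a captured body and parse it as JSON only if it arrived whole."""
    payload, complete = dechunk(hex_dump_to_bytes(raw_hex))
    result = {"complete": complete, "payload": payload}
    if complete:
        result["json"] = json.loads(payload)
    return result


if __name__ == "__main__":
    print(decode_basic_auth(SESSION0_AUTH))   # ('root', 'pass')
    print(parse_response(SESSION0_RAW))       # complete, json {"result": 1, "open": "1"}
    print(parse_response(SESSION1_RAW))       # complete False, partial payload only
```

The incomplete-chunk handling matters here because the sandbox caps how much of a response it records: treating the 779-byte dump of session 1 as a full body would fail JSON parsing and hide the fact that the server's fee_config was simply cut off rather than malformed.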



                                                                                                            Target ID:0
                                                                                                            Start time:10:28:54
                                                                                                            Start date:11/12/2024
                                                                                                            Path:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\wi86CSarYC.exe"
                                                                                                            Imagebase:0x890000
                                                                                                            File size:20'092'696 bytes
                                                                                                            MD5 hash:0897B6AB5240BDB4BBEB3ADF924ADB19
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:4
                                                                                                            Start time:10:29:53
                                                                                                            Start date:11/12/2024
                                                                                                            Path:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
                                                                                                            Imagebase:0xdc0000
                                                                                                            File size:2'410'320 bytes
                                                                                                            MD5 hash:95D5FAC09D8DF14A4890FB72E6BA046E
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:Borland Delphi
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.3095303205.0000000009632000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.2755673376.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.2756840430.0000000009BBD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.2755000868.000000000963E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.2760032698.0000000009631000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.3095835148.000000000A239000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2754272249.0000000008B3D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.2754272249.0000000008B3D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2753267438.0000000008B3B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.2753267438.0000000008B3B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.3100571744.000000000B8CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.3100571744.000000000B8CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.2745503914.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2756207632.0000000009637000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.2756207632.0000000009637000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.2746065027.00000000090BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.3096352847.0000000009639000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.3096352847.0000000009639000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.2747485119.00000000085B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.3097500473.000000000A238000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.3097500473.000000000A238000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                            Reputation:low
                                                                                                            Has exited:false


                                                                                                              Execution Graph

                                                                                                              Execution Coverage:13%
                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                              Signature Coverage:1.6%
                                                                                                              Total number of Nodes:122
                                                                                                              Total number of Limit Nodes:12
[Execution graph node dump omitted; the graph is a rendered figure and its node list is not readable as text. Windows API calls named in the graph nodes: GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, LeaveCriticalSection, GetLastError, ExitThread, GetProcAddress, CloseHandle, FreeLibraryAndExitThread, RtlAllocateHeap, GetModuleHandleW, GetModuleHandleExW, FreeLibrary, GetCurrentProcess, TerminateProcess, ExitProcess, RtlFreeHeap, RtlUnwind, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter. CRT helper names in the nodes: _ValidateLocalCookies, __EH_prolog3, __dosmaperr, ___except_validate_context_record, __IsNonwritableInCurrentImage.]

Callgraph

Control-flow Graph

APIs
• CloseHandle.KERNEL32(?,?,?,00CF00D2,?,?,00CEFF44,00000000), ref: 00CEFFCC
• FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00CF00D2,?,?,00CEFF44,00000000), ref: 00CEFFE2
• ExitThread.KERNEL32 ref: 00CEFFEB
Memory Dump Source
• Source File: 00000000.00000002.2692119300.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.2692086399.0000000000890000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2693094475.0000000000D6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2693094475.0000000000E88000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2693434073.0000000000EB8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2693583542.0000000000EC0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2693879727.0000000000EC3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2693967344.0000000000EC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2693967344.0000000000F02000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2693967344.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2694490448.0000000000F07000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2694490448.0000000000F1A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2694490448.000000000191A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_wi86CSarYC.jbxd
Similarity
• API ID: ExitThread$CloseFreeHandleLibrary
• String ID:
• API String ID: 2705336791-0
• Opcode ID: 85764afd8a17dc724b995087be38a76e7b9d35ebde29e7a5c8fbad33637d511f
• Instruction ID: 6539d7541903cf0dcef2c9bda98c68bfc979de9a6cd24cf83c12b8c2486d4849
• Opcode Fuzzy Hash: 85764afd8a17dc724b995087be38a76e7b9d35ebde29e7a5c8fbad33637d511f
• Instruction Fuzzy Hash: 46F05E704047806BCB216BE6D808A5A3AD9AF02370B194638F835D22E0CB71DE42C6B0

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32(00000002,?,00CEF2E3,00CF7581,00CF7581,?,00000002,75B0545B,00CF7581,00000002), ref: 00CEF2FA
• TerminateProcess.KERNEL32(00000000,?,00CEF2E3,00CF7581,00CF7581,?,00000002,75B0545B,00CF7581,00000002), ref: 00CEF301
• ExitProcess.KERNEL32 ref: 00CEF313
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 81ee24d7157679ec11fe9da7e9a61ac610177e57597a79f499f35d31137ad523
• Instruction ID: 157cb054f3fde72865d3322d37ca3a88187e6f87c243a1c090a0f3373e16845c
• Opcode Fuzzy Hash: 81ee24d7157679ec11fe9da7e9a61ac610177e57597a79f499f35d31137ad523
• Instruction Fuzzy Hash: 65D09E32000648AFCF117F62ED0D9593F25EF54341B444038F955C9231CFB59953AAA0

Control-flow Graph

APIs
• GetLastError.KERNEL32(00EB3860,0000000C), ref: 00CEFEF9
• ExitThread.KERNEL32 ref: 00CEFF00
Similarity
• API ID: ErrorExitLastThread
• String ID:
• API String ID: 1611280651-0
• Opcode ID: 0aab146901b04037cea2f7eabec674e911c7e3875773492d1c94f09e0b5074ec
• Instruction ID: 5c4ada2cee9da9a6fd193e200535b4738d5b15e2e2fb58445da8113b4889cb1e
• Opcode Fuzzy Hash: 0aab146901b04037cea2f7eabec674e911c7e3875773492d1c94f09e0b5074ec
• Instruction Fuzzy Hash: 74F0C2B09007049FDB04BFB1D80AB6E3B74FF05710F200459F506972A2CBB59A41DBB1

Control-flow Graph

APIs
• RtlFreeHeap.NTDLL(00000000,00000000,?,00D0EE27,00000000,00000000,00F04E8C,00000000,?,00000006,000000FF,?,00CEFF0B,00EB3860,0000000C), ref: 00D0F3FA
• GetLastError.KERNEL32(00000000,?,00D0EE27,00000000,00000000,00F04E8C,00000000,?,00000006,000000FF,?,00CEFF0B,00EB3860,0000000C), ref: 00D0F405
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: dedb871b284315a84e31f0befeea2dcb6eccd21b42e417a9103fd217c708fe89
• Instruction ID: 144458ec9c3917266b53e0710b4e1329fe7f1ea4e6f38e97a599f75f57e462bc
• Opcode Fuzzy Hash: dedb871b284315a84e31f0befeea2dcb6eccd21b42e417a9103fd217c708fe89
• Instruction Fuzzy Hash: 15E04632100608ABCB212BE0FC08B9A3E58AB007A5F244030FB0CC65A2DA74C9809AA4

Control-flow Graph

APIs
• RtlAllocateHeap.NTDLL(00000000,00CF760C,?,?,00CF7AD0,?,?,00CF7AA3,?,00000000,?,?,?,?,00CF760C,00D0EE42), ref: 00D1014C
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 1279760036-0
                                                                                                              • Opcode ID: 2c1068d51eca983e6b2a4fac023d5db6f76f126490051fa0bf687789d25b48e0
                                                                                                              • Instruction ID: aeaece6979e5bef90abfad34b66158ee34e412a4fb07a5a5863bb00a1346378f
                                                                                                              • Opcode Fuzzy Hash: 2c1068d51eca983e6b2a4fac023d5db6f76f126490051fa0bf687789d25b48e0
                                                                                                              • Instruction Fuzzy Hash: 79E039211417657AE6213665BC15B9A7E489B427A1F190125BD48EA2A1CFE8CDC081B5

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00CF6DAF
                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00CF6DB9
                                                                                                              • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00CF6DC6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2692119300.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_890000_wi86CSarYC.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                              • String ID:
                                                                                                              • API String ID: 3906539128-0
                                                                                                              • Opcode ID: 9878b2c6b655742d9771f7650fc2cedc3acc3203d1503e7d273f60921a13ec49
                                                                                                              • Instruction ID: 26ad6a5f16e49d343c4aaaa67b124b8192061fc64b6d5c2291d1e6a565d3af96
                                                                                                              • Opcode Fuzzy Hash: 9878b2c6b655742d9771f7650fc2cedc3acc3203d1503e7d273f60921a13ec49
                                                                                                              • Instruction Fuzzy Hash: 9D31D07490122CABCB21DF29D888BDDBBB8BF08310F5042EAE41CA7250E7709F858F55

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 00CE43A7
                                                                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 00CE43AF
                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 00CE4438
                                                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00CE4463
                                                                                                              • _ValidateLocalCookies.LIBCMT ref: 00CE44B8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2692119300.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_890000_wi86CSarYC.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                              • String ID: csm
                                                                                                              • API String ID: 1170836740-1018135373
                                                                                                              • Opcode ID: 35dc0d2bf3bf9334aa512f1a33846fcc67893021ef3f86c877cd1e8c1d84edb4
                                                                                                              • Instruction ID: d9c9a751efbadaea2c9218bcf76880e8e26b374a72c496150d8be8620358794b
                                                                                                              • Opcode Fuzzy Hash: 35dc0d2bf3bf9334aa512f1a33846fcc67893021ef3f86c877cd1e8c1d84edb4
                                                                                                              • Instruction Fuzzy Hash: F7510734A01288AFCF14DF6AD840BAEBBB5EF45324F148059EC185B392DB31DE05CBA1

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,75B0545B,?,?,00000000,00D65740,000000FF,?,00CEF30F,00000002,?,00CEF2E3,00CF7581), ref: 00CEF368
                                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CEF37A
                                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,00000000,00D65740,000000FF,?,00CEF30F,00000002,?,00CEF2E3,00CF7581), ref: 00CEF39C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2692119300.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_890000_wi86CSarYC.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                                              • API String ID: 4061214504-1276376045
                                                                                                              • Opcode ID: 731f4b795c90de97ca098018ff592211edcaa4f60703d7ddc831f6ef6fa4f18a
                                                                                                              • Instruction ID: 1a8938fabda21da2ebe786f1c43246c0f803767682faff7a43a88fccbdd10c5d
                                                                                                              • Opcode Fuzzy Hash: 731f4b795c90de97ca098018ff592211edcaa4f60703d7ddc831f6ef6fa4f18a
                                                                                                              • Instruction Fuzzy Hash: C3018B75A44B59EFDB118F55EC15FAEBBBCFB04B54F000539F821E26A0D7B49900CA60

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:1.9%
                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                              Signature Coverage:19.9%
                                                                                                              Total number of Nodes:1285
                                                                                                              Total number of Limit Nodes:24
58793->59876 58795 df416c 58821 e869ff 9 API calls 3 library calls 58796->58821 58798 e869f6 58799 e869fe 58798->58799 58822 ece7fb EnterCriticalSection LeaveCriticalSection _Atexit 58798->58822 58799->58415 58801 ec0a5f 58802 ec0a6a 58801->58802 58823 ece85f 46 API calls 6 library calls 58801->58823 58804 ec0a74 IsProcessorFeaturePresent 58802->58804 58805 ec0a92 58802->58805 58806 ec0a7f 58804->58806 58825 ebb76e 28 API calls _Atexit 58805->58825 58824 e9f55f 8 API calls 3 library calls 58806->58824 58809 ec0a9c 58826 e92ecd 46 API calls 2 library calls 58809->58826 58811 ec0ab1 58812 ec0abc 58811->58812 58813 ec0b07 58811->58813 58827 ec0d31 46 API calls _Atexit 58812->58827 58815 ec0b2e 58813->58815 58828 ed3f3d 46 API calls _Atexit 58813->58828 58818 ec0b34 58815->58818 58829 eb1823 20 API calls _free 58815->58829 58830 ecc1bb 46 API calls 2 library calls 58818->58830 58820 ec0ac6 58820->58415 58821->58798 58822->58801 58823->58802 58824->58805 58825->58809 58826->58811 58827->58820 58828->58815 58829->58818 58830->58820 58831->58422 58833 e03ec0 58832->58833 58835 df5c8e 58834->58835 58839 df5c99 58834->58839 58862 df4670 58835->58862 58837 df4150 RaiseException 58841 df5d56 58837->58841 58840 df5cd4 58839->58840 58857 df5cfc _wcsftime 58839->58857 58867 df5610 21 API calls 58839->58867 58843 df5cdb 58840->58843 58844 df5d23 58840->58844 58846 df4150 RaiseException 58841->58846 58847 df5cec 58843->58847 58851 df5cfe 58843->58851 58843->58857 58872 df42a0 58844->58872 58849 df5d6a 58846->58849 58868 eb1823 20 API calls _free 58847->58868 58848 df5d3b 58848->58444 58851->58857 58870 eb1823 20 API calls _free 58851->58870 58852 df5cf1 58869 e9f74d 26 API calls std::generic_category 58852->58869 58855 df5d09 58871 e9f74d 26 API calls std::generic_category 58855->58871 58857->58837 58857->58848 58859 e28916 _wcsftime 58858->58859 58884 e9f487 58859->58884 58863 df4681 58862->58863 58864 df4690 58862->58864 58863->58864 58865 df4150 RaiseException 58863->58865 
58864->58444 58866 df46ce 58865->58866 58867->58840 58868->58852 58869->58857 58870->58855 58871->58857 58873 df42b5 58872->58873 58875 df42db _Yarn 58872->58875 58876 df42c1 __Getcvt 58873->58876 58881 eb1823 20 API calls _free 58873->58881 58875->58857 58876->58875 58877 df4300 58876->58877 58882 eb1823 20 API calls _free 58876->58882 58877->58875 58883 eb1823 20 API calls _free 58877->58883 58880 df4318 58881->58876 58882->58877 58883->58880 58887 e8f07f 58884->58887 58888 e8f0bf 58887->58888 58889 e8f0a7 58887->58889 58888->58889 58891 e8f0c7 58888->58891 58904 eb1823 20 API calls _free 58889->58904 58906 e92ecd 46 API calls 2 library calls 58891->58906 58893 e8f0ac 58905 e9f74d 26 API calls std::generic_category 58893->58905 58894 e8f0d7 58907 e92e58 20 API calls 2 library calls 58894->58907 58896 e8f0b7 58898 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 58896->58898 58900 e28920 58898->58900 58899 e8f14f 58908 e954c2 51 API calls 3 library calls 58899->58908 58900->58447 58903 e8f15a 58909 e930b7 20 API calls _free 58903->58909 58904->58893 58905->58896 58906->58894 58907->58899 58908->58903 58909->58896 58911 df3c48 58910->58911 58912 df3c94 58910->58912 58913 df3c89 58911->58913 58914 df3c58 58911->58914 58912->58457 58915 df5c80 27 API calls 58913->58915 58947 df41c0 58914->58947 58915->58912 58917 df3c5e 58917->58457 58919 e045c1 __Getcvt 58918->58919 58959 e03ff0 58919->58959 58922 e04831 58924 df4150 RaiseException 58922->58924 58923 e045ed 58926 df4980 52 API calls 58923->58926 58925 e0483b 58924->58925 58927 e04614 GetPrivateProfileStringW 58926->58927 58928 e047d3 58927->58928 58929 e04648 58927->58929 58932 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 58928->58932 58974 e03590 41 API calls 58929->58974 58931 e0465d 58934 df5c80 27 API calls 58931->58934 58933 e042a1 58932->58933 58933->58463 58935 e04692 GetPrivateProfileStringW 58934->58935 58975 e03590 41 API calls 58935->58975 58937 e046ce 
58938 df5c80 27 API calls 58937->58938 58939 e04702 GetPrivateProfileStringW 58938->58939 58976 e03590 41 API calls 58939->58976 58941 e0473a 58942 df5c80 27 API calls 58941->58942 58943 e04772 GetPrivateProfileStringW 58942->58943 58977 e03590 41 API calls 58943->58977 58945 e047aa 58946 df5c80 27 API calls 58945->58946 58946->58928 58948 df41cf 58947->58948 58949 df41de 58948->58949 58950 df421a 58948->58950 58951 df41f8 58948->58951 58949->58917 58956 df5d60 58950->58956 58953 df42a0 20 API calls 58951->58953 58955 df4211 58953->58955 58955->58917 58957 df4150 RaiseException 58956->58957 58958 df5d6a 58957->58958 58960 e04051 58959->58960 58971 e0402f 58959->58971 58961 e63d26 5 API calls 58960->58961 58962 e0405b 58961->58962 58964 e04067 GetProcessHeap 58962->58964 58962->58971 58963 e63d26 5 API calls 58965 e040b4 58963->58965 58978 e635ad 29 API calls __onexit 58964->58978 58973 e0403c 58965->58973 58980 e635ad 29 API calls __onexit 58965->58980 58967 e04094 58979 e63cdc EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 58967->58979 58970 e04118 58981 e63cdc EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 58970->58981 58971->58963 58971->58973 58973->58922 58973->58923 58974->58931 58975->58937 58976->58941 58977->58945 58978->58967 58979->58971 58980->58970 58981->58973 58983 e435b4 SHGetValueW 58982->58983 58983->58508 58983->58513 58985 dfd275 __Getcvt 58984->58985 59025 dfcf50 58985->59025 58988 dfd2ac ___crtLCMapStringA __Getcvt 58990 dfd317 58988->58990 58992 dfd2ed WideCharToMultiByte 58988->58992 58989 dfd29a lstrcpyW 58989->58988 59040 df64b0 58990->59040 58992->58990 58995 dfd338 ___crtLCMapStringA 58996 dfd355 58995->58996 59057 df4110 MultiByteToWideChar 58995->59057 58997 dfd370 lstrcpynW 58996->58997 58998 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 58997->58998 59000 dfd392 58998->59000 59000->58532 59169 e64e1b RaiseException EnterCriticalSection LeaveCriticalSection 59001->59169 59003 
df5167 59004 df526a 59003->59004 59005 df5188 FindResourceExW 59003->59005 59008 df51c4 59003->59008 59170 df6040 LoadResource LockResource SizeofResource 59003->59170 59171 e64e1b RaiseException EnterCriticalSection LeaveCriticalSection 59003->59171 59004->58543 59005->59003 59008->59004 59009 df51cc FindResourceW 59008->59009 59009->59004 59010 df51e5 59009->59010 59172 df6040 LoadResource LockResource SizeofResource 59010->59172 59012 df51ef 59012->59004 59013 df521d 59012->59013 59173 df5610 21 API calls 59012->59173 59174 eb2161 26 API calls 4 library calls 59013->59174 59016 df5236 59017 df5289 59016->59017 59019 df524c 59016->59019 59022 df4150 RaiseException 59016->59022 59018 df4150 RaiseException 59017->59018 59020 df5293 59018->59020 59021 df5253 59019->59021 59023 df4150 RaiseException 59019->59023 59021->58543 59022->59019 59023->59017 59024->58546 59026 dfcf5d __Getcvt 59025->59026 59058 ddebf0 59026->59058 59028 dfcf90 59079 dde7e0 59028->59079 59031 ddebf0 67 API calls 59032 dfcff7 __Getcvt 59031->59032 59033 df64b0 50 API calls 59032->59033 59035 dfd03a ___crtLCMapStringA 59033->59035 59034 dfd08a 59036 dfd08c lstrcpynW 59034->59036 59035->59034 59039 dfd068 MultiByteToWideChar 59035->59039 59037 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59036->59037 59038 dfd0b3 lstrlenW 59037->59038 59038->58988 59038->58989 59039->59036 59041 df64fc __Getcvt 59040->59041 59157 ddfef0 59041->59157 59045 df65a8 59046 df7120 5 API calls 59045->59046 59047 df660e 59046->59047 59048 df7120 5 API calls 59047->59048 59050 df661f _strncat __Getcvt 59048->59050 59049 ddfef0 50 API calls 59049->59050 59050->59049 59050->59050 59053 df673b __Getcvt 59050->59053 59051 df6764 59052 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59051->59052 59054 df67ac 59052->59054 59053->59051 59055 ddfef0 50 API calls 59053->59055 59056 ebf726 46 API calls 2 library calls 59054->59056 59055->59051 59056->58995 59057->58997 59059 
ddebfd __Getcvt 59058->59059 59060 ddec18 GetVersionExW 59059->59060 59061 dded66 59060->59061 59069 ddec3f __Getcvt 59060->59069 59128 ddf550 11 API calls 2 library calls 59061->59128 59062 dded22 59106 ddfa50 59062->59106 59064 dded6b 59065 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59064->59065 59067 dded7a 59065->59067 59067->59028 59069->59062 59077 dded0d CloseHandle 59069->59077 59078 ddeced _strncat 59069->59078 59102 dddfe0 59069->59102 59070 dded4d 59074 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59070->59074 59076 dded62 59074->59076 59075 ddecb5 DeviceIoControl 59075->59062 59075->59069 59076->59028 59077->59070 59077->59078 59078->59062 59078->59069 59078->59077 59080 dde800 __Getcvt 59079->59080 59081 dde830 GetVersionExW 59080->59081 59082 dde857 LoadLibraryA 59081->59082 59096 dde9ef _Yarn _strncat 59081->59096 59083 dde86f GetProcAddress 59082->59083 59084 ddeb26 59082->59084 59083->59084 59086 dde88a GetProcAddress 59083->59086 59085 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59084->59085 59087 ddeb37 59085->59087 59086->59084 59088 dde8a4 GetProcAddress 59086->59088 59087->59031 59087->59032 59088->59084 59089 dde8be GetProcAddress 59088->59089 59089->59084 59090 dde8db NtOpenSection 59089->59090 59090->59084 59092 dde962 NtMapViewOfSection 59090->59092 59094 ddeb06 59092->59094 59095 dde9c2 _wcsftime 59092->59095 59093 dddfe0 50 API calls 59093->59096 59097 ddeb0f CloseHandle 59094->59097 59098 ddeb16 59094->59098 59099 dde9da NtUnmapViewOfSection 59095->59099 59096->59093 59096->59094 59097->59098 59098->59084 59100 ddeb1f FreeLibrary 59098->59100 59099->59096 59101 dde9ea 59099->59101 59100->59084 59101->59094 59103 dddff6 _wcsftime 59102->59103 59129 e9f41b 59103->59129 59115 ddfa80 __Getcvt 59106->59115 59107 dddfe0 50 API calls 59108 ddfa92 CreateFileA 59107->59108 59109 ddfabc DeviceIoControl 59108->59109 59108->59115 59109->59115 59117 ddfc13 
_strncat 59109->59117 59110 ddfc6d 59112 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59110->59112 59111 ddfc46 CloseHandle 59111->59115 59111->59117 59113 dded40 59112->59113 59113->59070 59118 ddf850 59113->59118 59114 ddfb39 DeviceIoControl 59114->59111 59114->59115 59115->59107 59115->59110 59115->59114 59115->59117 59117->59110 59117->59111 59117->59115 59155 dde6e0 6 API calls std::_Locinfo::_Locinfo_dtor 59117->59155 59126 ddf870 _strncat __Getcvt _strncpy 59118->59126 59119 dddfe0 50 API calls 59120 ddf882 CreateFileA 59119->59120 59120->59126 59121 ddfa3c 59122 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59121->59122 59123 ddfa4b 59122->59123 59123->59070 59124 ddf8fe DeviceIoControl 59124->59126 59125 ddfa1f CloseHandle 59125->59126 59126->59119 59126->59121 59126->59124 59126->59125 59126->59126 59156 dde6e0 6 API calls std::_Locinfo::_Locinfo_dtor 59126->59156 59128->59064 59132 e8ef03 59129->59132 59133 e8ef2b 59132->59133 59134 e8ef43 59132->59134 59149 eb1823 20 API calls _free 59133->59149 59134->59133 59136 e8ef4b 59134->59136 59151 e92ecd 46 API calls 2 library calls 59136->59151 59137 e8ef30 59150 e9f74d 26 API calls std::generic_category 59137->59150 59140 e8ef5b 59152 e92d26 20 API calls 2 library calls 59140->59152 59141 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59143 dde004 CreateFileA 59141->59143 59143->59062 59143->59075 59144 e8efd3 59153 e94d66 50 API calls 3 library calls 59144->59153 59147 e8ef3b 59147->59141 59148 e8efde 59154 e930b7 20 API calls _free 59148->59154 59149->59137 59150->59147 59151->59140 59152->59144 59153->59148 59154->59147 59155->59117 59156->59126 59158 ddff07 _wcsftime 59157->59158 59159 e9f41b _wcsftime 50 API calls 59158->59159 59160 ddff15 59159->59160 59161 df7120 59160->59161 59162 df7153 59161->59162 59162->59162 59164 df71c3 59162->59164 59167 df6900 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 
59162->59167 59164->59045 59164->59164 59166 df7198 59166->59164 59168 df6900 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 59166->59168 59167->59166 59168->59166 59169->59003 59170->59003 59171->59003 59172->59012 59173->59013 59174->59016 59176 e0506a 59175->59176 59177 e0506f 59175->59177 59179 e053a0 59176->59179 59180 e03ff0 39 API calls 59179->59180 59181 e053dc 59180->59181 59182 e056a3 59181->59182 59183 e053e6 59181->59183 59184 df4150 RaiseException 59182->59184 59187 e03ff0 39 API calls 59183->59187 59185 e056ad 59184->59185 59186 df4150 RaiseException 59185->59186 59188 e056b7 59186->59188 59189 e05400 59187->59189 59190 df4150 RaiseException 59188->59190 59189->59185 59192 e0540a 59189->59192 59191 e056c1 59190->59191 59193 df4980 52 API calls 59192->59193 59194 e0543f 59193->59194 59195 df41c0 21 API calls 59194->59195 59196 e05465 59195->59196 59239 e5bca0 59196->59239 59199 df4980 52 API calls 59200 e054ab 59199->59200 59260 df9970 59200->59260 59203 e05606 59205 e05613 59203->59205 59385 e039c0 100 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 59203->59385 59204 e05505 59204->59203 59360 e45300 30 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 59204->59360 59285 e04b80 59205->59285 59209 e0561d CloseHandle 59212 e05645 59209->59212 59210 e0551e 59361 de0e20 9 API calls std::_Facet_Register 59210->59361 59214 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59212->59214 59213 e05530 59362 de8830 9 API calls std::_Facet_Register 59213->59362 59216 e0569f 59214->59216 59216->59177 59217 e05541 59363 de5450 62 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 59217->59363 59219 e0555d 59220 e055c7 59219->59220 59364 de9660 40 API calls 59219->59364 59383 de8f70 38 API calls std::ios_base::_Ios_base_dtor 59220->59383 59223 e05571 59365 deaa00 28 API calls __CxxThrowException@8 59223->59365 59224 e055eb 59384 de19c0 26 API calls std::ios_base::_Ios_base_dtor 
59224->59384 59227 e055fa 59229 dc73d0 26 API calls 59227->59229 59228 e05578 59228->59220 59366 de9660 40 API calls 59228->59366 59229->59203 59231 e05591 59367 dea8d0 27 API calls __CxxThrowException@8 59231->59367 59233 e05598 59368 df9160 59233->59368 59237 e055bc 59382 ea2324 47 API calls 2 library calls 59237->59382 59386 dc75b0 59239->59386 59242 e5bd48 59244 dc73d0 26 API calls 59242->59244 59245 e5bd7f 59244->59245 59246 df9160 48 API calls 59245->59246 59247 e5bd9f 59246->59247 59390 dfdd70 59247->59390 59249 e5be35 59250 df64b0 50 API calls 59249->59250 59252 e5be49 59250->59252 59251 e5bdb5 ___crtLCMapStringA __Getcvt 59251->59249 59255 e5be0c WideCharToMultiByte 59251->59255 59253 df9160 48 API calls 59252->59253 59254 e5be5a 59253->59254 59256 dc73d0 26 API calls 59254->59256 59255->59249 59257 e5be97 59256->59257 59258 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59257->59258 59259 e05481 59258->59259 59259->59199 59261 df4fd0 39 API calls 59260->59261 59262 df99ab 59261->59262 59263 df99b5 59262->59263 59264 df9ae3 59262->59264 59419 df39d0 59263->59419 59265 df4150 RaiseException 59264->59265 59266 df9aed 59265->59266 59268 df99e3 59269 df91f0 48 API calls 59268->59269 59270 df99f9 59269->59270 59437 df4dc0 59270->59437 59273 df3c30 27 API calls 59274 df9a19 59273->59274 59275 df9a63 59274->59275 59458 df9af0 40 API calls 59274->59458 59284 df9aa7 59275->59284 59459 df9d80 43 API calls 2 library calls 59275->59459 59456 df3b40 curl_global_cleanup 59284->59456 59286 e03ff0 39 API calls 59285->59286 59287 e04bb5 59286->59287 59288 e0503f 59287->59288 59292 e03ff0 39 API calls 59287->59292 59289 df4150 RaiseException 59288->59289 59290 e05049 59289->59290 59291 df4150 RaiseException 59290->59291 59293 e05053 59291->59293 59294 e04bd9 59292->59294 59295 df4150 RaiseException 59293->59295 59294->59290 59298 df4980 52 API calls 59294->59298 59296 e0505d 59295->59296 59297 e0506f 59296->59297 59299 e053a0 142 API calls 
59296->59299 59297->59209 59300 e04c18 59298->59300 59299->59297 59301 df41c0 21 API calls 59300->59301 59302 e04c38 59301->59302 59303 e5bca0 74 API calls 59302->59303 59304 e04c54 59303->59304 59305 df4980 52 API calls 59304->59305 59306 e04c7e 59305->59306 59307 df9970 88 API calls 59306->59307 59308 e04cb9 59307->59308 59308->59293 59309 e04f8a 59308->59309 59462 e45300 30 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 59308->59462 59312 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59309->59312 59311 e04cf0 59463 de0e20 9 API calls std::_Facet_Register 59311->59463 59314 e0503b 59312->59314 59314->59209 59315 e04d02 59464 de8830 9 API calls std::_Facet_Register 59315->59464 59317 e04d13 59465 de5450 62 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 59317->59465 59319 e04d2f 59320 e04f91 59319->59320 59466 de9660 40 API calls 59319->59466 59479 de8f70 38 API calls std::ios_base::_Ios_base_dtor 59320->59479 59323 e04fa0 59480 de19c0 26 API calls std::ios_base::_Ios_base_dtor 59323->59480 59324 e04d47 59467 deaa00 28 API calls __CxxThrowException@8 59324->59467 59327 e04faf 59329 dc73d0 26 API calls 59327->59329 59328 e04d4e 59468 de9660 40 API calls 59328->59468 59329->59309 59331 e04dd2 59472 de9660 40 API calls 59331->59472 59332 e04d60 59332->59331 59469 de9660 40 API calls 59332->59469 59335 e04d7f 59470 dea8d0 27 API calls __CxxThrowException@8 59335->59470 59337 e04d86 59471 e409c0 45 API calls std::ios_base::_Ios_base_dtor 59337->59471 59339 e04de2 59339->59320 59341 e04dfa std::generic_category 59339->59341 59340 e04da5 59342 df3c30 27 API calls 59340->59342 59473 de9660 40 API calls 59341->59473 59343 e04db7 59342->59343 59345 dc73d0 26 API calls 59343->59345 59345->59331 59346 e04f60 59477 de8f70 38 API calls std::ios_base::_Ios_base_dtor 59346->59477 59348 de9660 40 API calls 59359 e04e16 59348->59359 59349 e04f6f 59478 de19c0 26 API calls std::ios_base::_Ios_base_dtor 59349->59478 59352 
e04f7e 59353 dc73d0 26 API calls 59352->59353 59353->59309 59355 df9160 48 API calls 59355->59359 59356 df41c0 21 API calls 59356->59359 59358 dc73d0 26 API calls 59358->59359 59359->59288 59359->59346 59359->59348 59359->59355 59359->59356 59359->59358 59474 de9480 40 API calls std::_Facet_Register 59359->59474 59475 dec8e0 99 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 59359->59475 59476 eb24cd 29 API calls 3 library calls 59359->59476 59360->59210 59361->59213 59362->59217 59363->59219 59364->59223 59365->59228 59366->59231 59367->59233 59369 df4fd0 39 API calls 59368->59369 59370 df918e 59369->59370 59371 df91e3 59370->59371 59374 df9194 59370->59374 59372 df4150 RaiseException 59371->59372 59373 df91ed 59372->59373 59375 df5150 35 API calls 59374->59375 59376 df91be 59375->59376 59377 dc73d0 59376->59377 59378 dc73fd 59377->59378 59379 dc7418 std::ios_base::_Ios_base_dtor 59377->59379 59378->59379 59481 e9f75d 26 API calls 2 library calls 59378->59481 59379->59237 59382->59220 59383->59224 59384->59227 59385->59205 59387 dc75e6 59386->59387 59400 dc7620 59387->59400 59389 dc75f2 59389->59242 59399 def7d0 26 API calls 2 library calls 59389->59399 59391 dfddf2 59390->59391 59394 dfdd95 _strftime 59390->59394 59392 df4150 RaiseException 59391->59392 59398 dfddfd 59391->59398 59393 dfde1a 59392->59393 59394->59391 59395 dfddd4 59394->59395 59418 df5610 21 API calls 59394->59418 59397 df42a0 20 API calls 59395->59397 59397->59391 59398->59251 59399->59242 59401 dc7ab1 59400->59401 59413 dc767d std::ios_base::_Ios_base_dtor _Yarn 59400->59413 59401->59389 59403 dc78a5 std::ios_base::_Ios_base_dtor _Yarn 59403->59401 59408 dc7acc 59403->59408 59410 e63182 9 API calls std::_Facet_Register 59403->59410 59411 dc7ac7 59403->59411 59405 dc7ad6 59417 dc7b50 29 API calls 5 library calls 59405->59417 59407 dc7b22 59407->59389 59416 e636e3 5 API calls ___report_securityfailure 59408->59416 59409 e63182 9 API calls std::_Facet_Register 59409->59413 
59410->59403 59415 e9f75d 26 API calls 2 library calls 59411->59415 59413->59403 59413->59408 59413->59409 59413->59411 59414 e9fbd9 46 API calls 59413->59414 59414->59413 59416->59405 59417->59407 59418->59395 59420 df4fd0 39 API calls 59419->59420 59421 df3a04 59420->59421 59422 df3a0a 59421->59422 59423 df3a86 59421->59423 59427 df4fd0 39 API calls 59422->59427 59424 df4150 RaiseException 59423->59424 59425 df3a90 59424->59425 59426 df4150 RaiseException 59425->59426 59428 df3a9a 59426->59428 59429 df3a26 59427->59429 59430 df4150 RaiseException 59428->59430 59429->59425 59432 df3a2c 59429->59432 59431 df3aa4 59430->59431 59431->59268 59433 df4fd0 39 API calls 59432->59433 59434 df3a45 59433->59434 59434->59428 59435 df3a4b curl_global_init 59434->59435 59435->59268 59438 df4e51 59437->59438 59440 df4e02 ___crtLCMapStringA 59437->59440 59439 df4670 RaiseException 59438->59439 59441 df4e5a curl_easy_init 59439->59441 59440->59438 59448 df4e30 WideCharToMultiByte 59440->59448 59442 df4ead 8 API calls 59441->59442 59443 df4e66 59441->59443 59444 df4f08 59442->59444 59445 df4f66 curl_easy_cleanup 59442->59445 59446 df41c0 21 API calls 59443->59446 59460 df46d0 64 API calls 59444->59460 59449 df41c0 21 API calls 59445->59449 59451 df4e71 59446->59451 59448->59438 59449->59451 59450 df4f14 59461 df3e90 40 API calls 59450->59461 59452 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59451->59452 59454 df4fca 59452->59454 59454->59273 59455 df4f27 59455->59445 59457 df3b9b 59456->59457 59457->59188 59457->59203 59457->59204 59460->59450 59461->59455 59462->59311 59463->59315 59464->59317 59465->59319 59466->59324 59467->59328 59468->59332 59469->59335 59470->59337 59471->59340 59472->59339 59473->59359 59474->59359 59475->59359 59476->59359 59477->59349 59478->59352 59479->59323 59480->59327 59483 e426b6 __Getcvt 59482->59483 59550 e41f10 59483->59550 59485 e426c2 59564 e42110 59485->59564 59487 e426e9 59488 df4fd0 39 API calls 59487->59488 
59489 e426f1 59488->59489 59490 e4279e 59489->59490 59491 e426fb 59489->59491 59492 df4150 RaiseException 59490->59492 59494 e42716 59491->59494 59495 e42723 59491->59495 59493 e427a8 59492->59493 59496 dc75b0 49 API calls 59493->59496 59497 df5150 35 API calls 59494->59497 59501 df5c80 27 API calls 59495->59501 59498 e42801 59496->59498 59499 e42721 59497->59499 59500 df9160 48 API calls 59498->59500 59504 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59499->59504 59502 e42819 59500->59502 59501->59499 59503 e42660 71 API calls 59502->59503 59505 e42827 59503->59505 59506 e4279a 59504->59506 59507 dc73d0 26 API calls 59505->59507 59506->58553 59508 e4285c 59507->59508 59509 dc73d0 26 API calls 59508->59509 59510 e42868 59509->59510 59511 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59510->59511 59512 e42881 59511->59512 59512->58553 59514 e2f003 59513->59514 59528 e2f032 59513->59528 59515 e2f092 59514->59515 59524 e2f01c 59514->59524 59517 e2f12a 59515->59517 59533 e2f099 _wcsftime 59515->59533 59595 df5610 21 API calls 59515->59595 59516 df4150 RaiseException 59518 e2f1b0 59516->59518 59520 e2f131 59517->59520 59521 e2f179 59517->59521 59522 df5d60 RaiseException 59518->59522 59526 e2f142 59520->59526 59527 e2f154 59520->59527 59520->59533 59523 df42a0 20 API calls 59521->59523 59525 e2f1b5 59522->59525 59523->59533 59524->59518 59524->59528 59529 e2f04f 59524->59529 59530 e42660 71 API calls 59525->59530 59596 eb1823 20 API calls _free 59526->59596 59527->59533 59598 eb1823 20 API calls _free 59527->59598 59528->58555 59532 df42a0 20 API calls 59529->59532 59534 e2f1f7 59530->59534 59532->59528 59533->59516 59533->59528 59537 e2efe0 71 API calls 59534->59537 59535 e2f147 59597 e9f74d 26 API calls std::generic_category 59535->59597 59541 e2f20c 59537->59541 59539 e2f15f 59599 e9f74d 26 API calls std::generic_category 59539->59599 59542 e42660 71 API calls 59541->59542 59543 e2f243 59542->59543 59544 e2efe0 
71 API calls 59543->59544 59545 e2f258 59544->59545 59546 e2f291 59545->59546 59548 e2efe0 71 API calls 59545->59548 59547 e2f2ab 59546->59547 59549 e2efe0 71 API calls 59546->59549 59547->58555 59548->59546 59549->59547 59551 df4fd0 39 API calls 59550->59551 59552 e41f42 59551->59552 59553 e42095 59552->59553 59554 e41f4c 59552->59554 59555 df4150 RaiseException 59553->59555 59557 e41f6d 59554->59557 59558 e41f78 59554->59558 59556 e4209f 59555->59556 59559 df5150 35 API calls 59557->59559 59560 df5c80 27 API calls 59558->59560 59561 e41f76 59559->59561 59560->59561 59562 dfdd70 21 API calls 59561->59562 59563 e4204d 59562->59563 59563->59485 59590 e63910 59564->59590 59567 e42353 59568 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59567->59568 59569 e423b3 59568->59569 59569->59487 59570 e42189 __Getcvt 59570->59567 59571 e42420 59570->59571 59589 e4224a _wcschr 59570->59589 59593 e636e3 5 API calls ___report_securityfailure 59571->59593 59573 e42425 59574 df4150 RaiseException 59573->59574 59575 e4242f 59574->59575 59577 df41c0 21 API calls 59575->59577 59576 e4233c lstrlenW 59576->59567 59576->59589 59585 e4246b _wcsstr 59577->59585 59578 df4fd0 39 API calls 59578->59589 59579 e42474 59579->59487 59581 e424f4 59582 df41c0 21 API calls 59581->59582 59584 e4252c 59582->59584 59583 df91f0 48 API calls 59583->59589 59584->59487 59585->59579 59585->59581 59594 e43990 RaiseException 59585->59594 59589->59567 59589->59573 59589->59576 59589->59578 59589->59583 59592 e402a0 21 API calls 59589->59592 59591 e4212b StgOpenStorage 59590->59591 59591->59567 59591->59570 59592->59589 59593->59573 59595->59517 59596->59535 59597->59533 59598->59539 59599->59533 59601 e05720 59600->59601 59602 e0571b 59600->59602 59603 e05727 59601->59603 59608 e0573f __Getcvt 59601->59608 59602->58577 59621 eb1823 20 API calls _free 59603->59621 59605 e0572c 59622 e9f74d 26 API calls std::generic_category 59605->59622 59606 e0574f _Yarn 59606->58577 59608->59606 
59610 e05771 59608->59610 59611 e0578b 59608->59611 59609 e05737 59609->58577 59623 eb1823 20 API calls _free 59610->59623 59613 e05781 59611->59613 59625 eb1823 20 API calls _free 59611->59625 59613->58577 59614 e05776 59624 e9f74d 26 API calls std::generic_category 59614->59624 59617 e05794 59626 e9f74d 26 API calls std::generic_category 59617->59626 59619 e0579f 59619->58577 59620->58581 59621->59605 59622->59609 59623->59614 59624->59613 59625->59617 59626->59619 59628 dfd7a4 59627->59628 59629 dfd7b0 59627->59629 59639 df3ca0 59628->59639 59712 dfd530 30 API calls 2 library calls 59629->59712 59631 dfd7df WideCharToMultiByte 59632 dfd803 GetLastError 59631->59632 59636 dfd856 59631->59636 59633 dfd80e WideCharToMultiByte 59632->59633 59632->59636 59713 dfd530 30 API calls 2 library calls 59633->59713 59635 dfd837 WideCharToMultiByte 59635->59636 59636->59628 59714 dfde20 GetLastError RaiseException 59636->59714 59640 df3cb3 59639->59640 59641 df3cc6 _wcsftime 59640->59641 59642 df3d5a 59640->59642 59643 df3d35 59640->59643 59641->58593 59648 df3d46 _Yarn 59642->59648 59716 e63182 9 API calls 4 library calls 59642->59716 59715 e63182 9 API calls 4 library calls 59643->59715 59647 df3dad std::ios_base::_Ios_base_dtor 59647->58593 59648->59647 59717 e9f75d 26 API calls 2 library calls 59648->59717 59650 e573f8 59649->59650 59656 e57413 59649->59656 59718 e41ad0 59650->59718 59652 df41c0 21 API calls 59654 e211b7 59652->59654 59654->58600 59655 df3c30 27 API calls 59655->59656 59656->59652 59658 e567f2 __Getcvt 59657->59658 59755 dfd0c0 11 API calls 2 library calls 59658->59755 59660 e56803 59661 df4fd0 39 API calls 59660->59661 59662 e5680b 59661->59662 59663 e56811 59662->59663 59664 e56890 59662->59664 59667 e5683c 59663->59667 59668 e5682f 59663->59668 59665 df4150 RaiseException 59664->59665 59666 e5689a __Getcvt 59665->59666 59669 e568f2 SHGetValueW 59666->59669 59674 df5c80 27 API calls 59667->59674 59670 df5150 35 API calls 59668->59670 59671 df4fd0 39 API 
calls 59669->59671 59672 e5683a 59670->59672 59673 e56929 59671->59673 59677 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59672->59677 59675 e569b4 59673->59675 59676 e56933 59673->59676 59674->59672 59678 df4150 RaiseException 59675->59678 59682 e56951 59676->59682 59683 e5695e 59676->59683 59679 e5688c 59677->59679 59680 e569be 59678->59680 59679->58609 59681 df4fd0 39 API calls 59680->59681 59684 e56a0d 59681->59684 59685 df5150 35 API calls 59682->59685 59689 df5c80 27 API calls 59683->59689 59686 e56ba2 59684->59686 59695 e56a17 __Getcvt 59684->59695 59687 e5695c 59685->59687 59688 df4150 RaiseException 59686->59688 59691 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59687->59691 59690 e56bac 59688->59690 59689->59687 59692 df41c0 21 API calls 59690->59692 59693 e569ae 59691->59693 59694 e56be8 59692->59694 59693->58609 59694->58609 59696 df91f0 48 API calls 59695->59696 59697 e56a64 59696->59697 59698 dfdd70 21 API calls 59697->59698 59699 e56a80 59698->59699 59700 dfdd70 21 API calls 59699->59700 59701 e56a92 GetPrivateProfileStringW 59700->59701 59702 e56b08 59701->59702 59703 df5c80 27 API calls 59702->59703 59704 e56b3e 59702->59704 59703->59704 59705 e56b82 59704->59705 59706 df5c80 27 API calls 59704->59706 59707 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59705->59707 59706->59705 59708 e56b9c 59707->59708 59708->58609 59710 e212da 59709->59710 59711 e434b9 GetCurrentProcess 59709->59711 59710->58616 59711->59710 59712->59631 59713->59635 59715->59648 59716->59648 59719 df4fd0 39 API calls 59718->59719 59720 e41b1d 59719->59720 59721 e41b27 __Getcvt 59720->59721 59722 e41d4a 59720->59722 59727 e41b5f GetModuleFileNameW GetFileVersionInfoSizeW 59721->59727 59723 df4150 RaiseException 59722->59723 59724 e41d54 59723->59724 59725 df4150 RaiseException 59724->59725 59726 e41d5e 59725->59726 59728 e41b8e 59727->59728 59729 e41c1b std::ios_base::_Ios_base_dtor 59727->59729 
59733 e41b94 GetFileVersionInfoW 59728->59733 59730 e41c35 __Getcvt 59729->59730 59731 e41d2c 59729->59731 59735 e41c48 SHGetValueW 59730->59735 59732 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59731->59732 59734 e41d46 59732->59734 59733->59729 59736 e41bad VerQueryValueW 59733->59736 59734->59655 59735->59731 59738 e41c82 59735->59738 59736->59729 59737 e41bca 59736->59737 59739 df4980 52 API calls 59737->59739 59740 df4fd0 39 API calls 59738->59740 59742 e41bea 59739->59742 59741 e41c87 59740->59741 59741->59724 59745 e41c91 59741->59745 59754 ea2324 47 API calls 2 library calls 59742->59754 59744 e41bf1 59746 df4980 52 API calls 59744->59746 59747 e41cc4 59745->59747 59748 e41cb3 59745->59748 59746->59729 59751 df5c80 27 API calls 59747->59751 59749 df5150 35 API calls 59748->59749 59750 e41cc2 59749->59750 59752 df3c30 27 API calls 59750->59752 59751->59750 59753 e41d07 59752->59753 59753->59731 59754->59744 59755->59660 59756->58626 59757->58630 59758->58629 59759->58632 59764 e8f27c 59760->59764 59762 e9f4ee 59762->58634 59763->58642 59765 e8f29c 59764->59765 59766 e8f287 59764->59766 59767 e8f2e0 59765->59767 59769 e8f2aa 59765->59769 59780 eb1823 20 API calls _free 59766->59780 59784 eb1823 20 API calls _free 59767->59784 59782 e8e9fb 51 API calls 5 library calls 59769->59782 59771 e8f28c 59781 e9f74d 26 API calls std::generic_category 59771->59781 59774 e8f297 59774->59762 59775 e8f2c2 59777 e8f2f0 59775->59777 59783 eb1823 20 API calls _free 59775->59783 59777->59762 59779 e8f2d8 59785 e9f74d 26 API calls std::generic_category 59779->59785 59780->59771 59781->59774 59782->59775 59783->59779 59784->59779 59785->59777 59787 df4fd0 39 API calls 59786->59787 59788 e45ef5 59787->59788 59789 e46203 59788->59789 59790 e45eff 59788->59790 59791 df4150 RaiseException 59789->59791 59793 e46015 59790->59793 59794 e45f27 59790->59794 59792 e4620d 59791->59792 59795 e4601c 59793->59795 59796 e4608a 59793->59796 59797 e45fec 59794->59797 
59801 e45f2d 59794->59801 59800 e46064 59795->59800 59795->59801 59798 e460b7 59796->59798 59799 e46091 59796->59799 59802 df3c30 27 API calls 59797->59802 59807 df3c30 27 API calls 59798->59807 59805 df3c30 27 API calls 59799->59805 59803 df3c30 27 API calls 59800->59803 59801->59799 59806 e45f49 59801->59806 59804 e45f6d 59802->59804 59803->59804 59808 e460fc PathFileExistsW 59804->59808 59805->59804 59809 df3c30 27 API calls 59806->59809 59807->59804 59810 e46110 59808->59810 59811 e4619c 59808->59811 59809->59804 59844 eb9d92 26 API calls 2 library calls 59810->59844 59815 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59811->59815 59813 e46130 PathRemoveFileSpecW 59814 e46150 59813->59814 59814->59814 59817 df5c80 27 API calls 59814->59817 59816 e22aa5 59815->59816 59816->58649 59816->58650 59818 e4616f 59817->59818 59819 e03710 27 API calls 59818->59819 59820 e4617c PathFindFileNameW 59819->59820 59821 e461a0 59820->59821 59822 e46191 59820->59822 59824 df5c80 27 API calls 59821->59824 59823 df5c80 27 API calls 59822->59823 59823->59811 59824->59811 59825->58671 59826->58707 59827->58694 59828->58697 59829->58706 59830->58722 59831->58704 59832->58734 59833->58718 59834->58708 59835->58721 59836->58730 59837->58733 59838->58735 59839->58741 59840->58743 59841->58745 59842->58673 59843->58683 59844->59813 59845->58748 59847 e82af0 __Getcvt 59846->59847 59848 e41904 SHGetValueW 59847->59848 59849 e419b4 SHGetValueW 59848->59849 59850 e4193b 59848->59850 59851 e41a50 59849->59851 59852 e419dd PathRemoveExtensionW PathFindFileNameW 59849->59852 59853 df4fd0 39 API calls 59850->59853 59854 df4fd0 39 API calls 59851->59854 59852->59851 59857 e41a02 _wcschr 59852->59857 59855 e41940 59853->59855 59856 e41a77 59854->59856 59858 e41ab5 59855->59858 59859 e4194a 59855->59859 59860 e41abf 59856->59860 59870 e41973 59856->59870 59857->59851 59862 e41a13 lstrlenW 59857->59862 59861 df4150 RaiseException 59858->59861 59866 e41975 59859->59866 
59867 e41968 59859->59867 59863 df4150 RaiseException 59860->59863 59861->59860 59862->59851 59864 e41a21 SHSetValueW 59862->59864 59865 e41ac9 59863->59865 59868 df91f0 48 API calls 59864->59868 59873 df5c80 27 API calls 59866->59873 59869 df5150 35 API calls 59867->59869 59872 e41a44 59868->59872 59869->59870 59871 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59870->59871 59874 e403ac 59871->59874 59872->59870 59873->59870 59874->58759 59875->58786 59876->58795 59877 dc26e5 59882 e55fa0 59877->59882 59879 dc26ea 59914 e635ad 29 API calls __onexit 59879->59914 59881 dc26f4 59883 df4fd0 39 API calls 59882->59883 59884 e55fef 59883->59884 59885 e55ff9 59884->59885 59886 e5613b 59884->59886 59890 df4fd0 39 API calls 59885->59890 59887 df4150 RaiseException 59886->59887 59888 e56145 59887->59888 59889 df4150 RaiseException 59888->59889 59891 e5614f 59889->59891 59892 e56018 59890->59892 59893 df4150 RaiseException 59891->59893 59892->59888 59894 e56022 59892->59894 59895 e56159 59893->59895 59898 df4fd0 39 API calls 59894->59898 59896 df4150 RaiseException 59895->59896 59897 e56163 59896->59897 59899 e561b7 59897->59899 59900 e561b0 FreeLibrary 59897->59900 59901 e56068 59898->59901 59902 e561be CloseHandle 59899->59902 59904 e561c5 59899->59904 59900->59899 59901->59891 59903 e56072 59901->59903 59902->59904 59905 df4fd0 39 API calls 59903->59905 59904->59879 59906 e5608e 59905->59906 59906->59895 59907 e56098 __Getcvt 59906->59907 59908 e560c0 GetModuleFileNameW PathRemoveFileSpecW lstrcatW LoadLibraryW 59907->59908 59909 e56114 59908->59909 59910 e5610a 59908->59910 59912 e6316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59909->59912 59915 dc8a90 52 API calls 3 library calls 59910->59915 59913 e56137 59912->59913 59913->59879 59914->59881 59915->59909

Control-flow Graph

• Executed
• Not Executed
                                                                                                              control_flow_graph 141 e462a0-e46343 call e03f90 call e82af0 GetPrivateProfileStringW * 2 146 e46345-e4634e 141->146 147 e4636d-e46392 GetPrivateProfileStringW 141->147 148 e46351-e4635a 146->148 149 e46394-e4639d 147->149 150 e463bc-e463e2 GetPrivateProfileStringW 147->150 148->148 151 e4635c-e46368 call df5c80 148->151 152 e463a0-e463a9 149->152 153 e463e4-e463ed 150->153 154 e4640c-e46431 GetPrivateProfileStringW 150->154 151->147 152->152 159 e463ab-e463b7 call df5c80 152->159 155 e463f0-e463f9 153->155 156 e46433-e4643f 154->156 157 e4645c-e46481 GetPrivateProfileStringW 154->157 155->155 160 e463fb-e46407 call df5c80 155->160 161 e46440-e46449 156->161 162 e46483-e4648f 157->162 163 e464ac-e464d1 GetPrivateProfileStringW 157->163 159->150 160->154 161->161 166 e4644b-e46457 call df5c80 161->166 167 e46490-e46499 162->167 168 e464d3-e464df 163->168 169 e464fc-e46521 GetPrivateProfileStringW 163->169 166->157 167->167 173 e4649b-e464a7 call df5c80 167->173 174 e464e0-e464e9 168->174 170 e46523-e4652f 169->170 171 e4654c-e46571 GetPrivateProfileStringW 169->171 176 e46530-e46539 170->176 177 e46573-e4657f 171->177 178 e4659c-e465c1 GetPrivateProfileStringW 171->178 173->163 174->174 175 e464eb-e464f7 call df5c80 174->175 175->169 176->176 181 e4653b-e46547 call df5c80 176->181 182 e46580-e46589 177->182 183 e465c3-e465cf 178->183 184 e465ec-e46611 GetPrivateProfileStringW 178->184 181->171 182->182 188 e4658b-e46597 call df5c80 182->188 189 e465d0-e465d9 183->189 185 e46613-e4661f 184->185 186 e4663c-e46661 GetPrivateProfileStringW 184->186 190 e46620-e46629 185->190 191 e46663-e4666f 186->191 192 e4668c-e466b1 GetPrivateProfileStringW 186->192 188->178 189->189 194 e465db-e465e7 call df5c80 189->194 190->190 196 e4662b-e46637 call df5c80 190->196 197 e46670-e46679 191->197 198 e466b3-e466bf 192->198 199 e466dc-e46768 GetPrivateProfileIntW * 4 192->199 
194->184 196->186 197->197 203 e4667b-e46687 call df5c80 197->203 204 e466c0-e466c9 198->204 200 e46772-e46792 call e6316c 199->200 201 e4676a-e4676d 199->201 201->200 203->192 204->204 207 e466cb-e466d7 call df5c80 204->207 207->199
APIs
• GetPrivateProfileStringW.KERNEL32(Partner,00F072BC,00EF8660,00F50FA0,00000010,?), ref: 00E4631C
• GetPrivateProfileStringW.KERNEL32(Partner,NewVersion,00EF8660,?,00000104,?), ref: 00E4633F
• GetPrivateProfileStringW.KERNEL32(Partner,Update,00EF8660,?,00000104,?), ref: 00E4638E
• GetPrivateProfileStringW.KERNEL32(URL,Line,?,00000104,?), ref: 00E463DE
• GetPrivateProfileStringW.KERNEL32(00F02A80,TitleLogo,00EF8660,?,00000104,?), ref: 00E4642D
• GetPrivateProfileStringW.KERNEL32(00F02A80,TitleText,00EF8660,?,00000104,?), ref: 00E4647D
• GetPrivateProfileStringW.KERNEL32(00F02A80,AboutLogo,00EF8660,?,00000104,?), ref: 00E464CD
• GetPrivateProfileStringW.KERNEL32(00F02A80,ProductName,00EF8660,?,00000104,?), ref: 00E4651D
• GetPrivateProfileStringW.KERNEL32(00F02A80,ShortName,00EF8660,?,00000104,?), ref: 00E4656D
• GetPrivateProfileStringW.KERNEL32(00F02A80,CompanyName,00EF8660,?,00000104,?), ref: 00E465BD
• GetPrivateProfileStringW.KERNEL32(00F02A80,OfficialSite,00EF8660,?,00000104,?), ref: 00E4660D
• GetPrivateProfileStringW.KERNEL32(00F02A80,DlgBgImage,00EF8660,?,00000104,?), ref: 00E4665D
• GetPrivateProfileStringW.KERNEL32(00F02A80,MsgPayLogo,00EF8660,?,00000104,?), ref: 00E466AD
• GetPrivateProfileIntW.KERNEL32(00F02A80,ShowOfficial,00000001,?), ref: 00E466F4
• GetPrivateProfileIntW.KERNEL32(00F02A80,ShowPrivacy,00000001,?), ref: 00E46710
• GetPrivateProfileIntW.KERNEL32(Other,LairtEmit,00000005,?), ref: 00E4672C
• GetPrivateProfileIntW.KERNEL32(Other,ShowActive,00000001,?), ref: 00E46743
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: PrivateProfile$String
• String ID: AboutLogo$CompanyName$DlgBgImage$LairtEmit$Line$MsgPayLogo$NewVersion$OfficialSite$Other$Partner$ProductName$ShortName$ShowActive$ShowOfficial$ShowPrivacy$TitleLogo$TitleText$URL$Update$oem.ini
• API String ID: 83056003-3115500347
• Opcode ID: 0d71547ad8b4752b9fad8cd5b9a9c0f9064e512184527128d25149d8276ab320
• Instruction ID: 69c9c596dae6f7ac623dfc827420160dc38c28b6901ea11aab5b425635e13a76
• Opcode Fuzzy Hash: 0d71547ad8b4752b9fad8cd5b9a9c0f9064e512184527128d25149d8276ab320
• Instruction Fuzzy Hash: 9ED1B774A8031FAADF20DF54CC85FE6B779EF51744F0082D0A904760D4EB70AA8A9FA1

Control-flow Graph

• Executed
• Not Executed
                                                                                                              control_flow_graph 210 e23df0-e23e53 call e841ee SetUnhandledExceptionFilter FindWindowW 213 e23e77-e23ede CoInitialize DefWindowProcW InitCommonControlsEx call e20d90 call e00630 210->213 214 e23e55-e23e65 SetForegroundWindow IsIconic 210->214 224 e23ee4-e23f08 call e467a0 call e44380 call e042c0 213->224 225 e2424e-e24262 call e63d26 213->225 215 e23e70-e23e72 214->215 216 e23e67-e23e6a ShowWindow 214->216 218 e24230-e2424b call e6316c 215->218 216->215 238 e23f0e-e23fa8 call e04140 call e462a0 call e43560 call e04b50 call e2f1c0 call df91f0 call e03710 * 2 call dc8bc0 224->238 239 e2429c-e242b0 call e63d26 224->239 225->224 230 e24268-e24274 call e40310 225->230 235 e24279-e24297 call e635ad call e63cdc 230->235 235->224 270 e23fb2-e23fbe call e210b0 238->270 271 e23faa-e23fad 238->271 239->238 248 e242b6-e242e5 call e59830 call e635ad call e63cdc 239->248 248->238 274 e240c7-e240cb call e22a60 270->274 275 e23fc4-e24001 SHGetValueW call df4fd0 270->275 271->270 278 e240d0-e240dc 274->278 282 e24007-e2403f call df4980 PathFileExistsW 275->282 283 e242ea-e24300 call df4150 275->283 280 e240ea-e24114 EnterCriticalSection 278->280 281 e240de-e240e5 call dfe5d0 278->281 286 e24116-e2411a 280->286 287 e2415e-e24182 LeaveCriticalSection 280->287 281->280 309 e24041-e24059 call eb5942 282->309 310 e240a8-e240bd 282->310 291 e2412c-e2412e 286->291 292 e2411c-e24126 DestroyWindow 286->292 288 e241c2-e241ca 287->288 289 e24184-e24188 287->289 298 e241f4-e24202 288->298 299 e241cc-e241cf 288->299 295 e2418a-e24193 call e9fe09 289->295 296 e24199-e2419e 289->296 291->287 297 e24130-e24134 291->297 292->291 295->296 304 e241b0-e241bf call e631b2 296->304 305 e241a0-e241a9 call e9fe09 296->305 306 e24136-e2413f call e9fe09 297->306 307 e24145-e2415b call e631b2 297->307 302 e24204-e24208 298->302 303 e2421e-e2422e call e23250 CoUninitialize 298->303 299->298 308 
e241d1-e241d6 299->308 312 e24217-e2421c 302->312 313 e2420a-e24211 302->313 303->218 304->288 305->304 306->307 307->287 319 e241d8-e241da 308->319 320 e241de-e241f2 308->320 309->310 331 e2405b-e2407d SHSetValueW 309->331 310->274 326 e240bf-e240c2 310->326 312->302 312->303 313->312 319->320 320->298 320->308 326->274 332 e240a6 331->332 333 e2407f-e24084 331->333 332->310 333->332 334 e24086-e240a4 call dffbd0 call df3ad0 333->334 334->274
APIs
• __set_se_translator.LIBVCRUNTIME ref: 00E23E2A
• SetUnhandledExceptionFilter.KERNEL32(Function_00061440), ref: 00E23E37
• FindWindowW.USER32(EasePaintWndClass,00000000), ref: 00E23E49
• SetForegroundWindow.USER32(00000000), ref: 00E23E56
• IsIconic.USER32(00000000), ref: 00E23E5D
• ShowWindow.USER32(00000000,00000009), ref: 00E23E6A
• CoInitialize.OLE32(00000000), ref: 00E23E79
• DefWindowProcW.USER32(00000000,00000000,00000000,00000000), ref: 00E23E87
• InitCommonControlsEx.COMCTL32(?), ref: 00E23E9F
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UpDumpDay,00000000,00000000,00000004,0164ED18), ref: 00E23FF2
• PathFileExistsW.SHLWAPI(?), ref: 00E24037
• SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UpDumpDay,00000004,00000000,00000004), ref: 00E24072
• EnterCriticalSection.KERNEL32(00F5074C,?,?,0164ED18), ref: 00E24102
• DestroyWindow.USER32(00000000,?,?,0164ED18), ref: 00E24120
• LeaveCriticalSection.KERNEL32(00F5074C,?,?,0164ED18), ref: 00E24169
• CoUninitialize.OLE32(?,?,0164ED18), ref: 00E24228
• __Init_thread_footer.LIBCMT ref: 00E2428F
• __Init_thread_footer.LIBCMT ref: 00E242DD
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Window$CriticalInit_thread_footerSectionValue$CommonControlsDestroyEnterExceptionExistsFileFilterFindForegroundIconicInitInitializeLeavePathProcShowUnhandledUninitialize__set_se_translator
• String ID: %s/%s$C:\Users\user\AppData\Local\Programs\Ease Organizer Plus$EasePaintWndClass$Error.tmp$Software\EasePaintWatermarkRemover$UpDumpDay$run.dat
• API String ID: 2657830758-2213215147
• Opcode ID: 20c40457239223a7a2b518a726cbc4d472cf46748fd163e0e5343a9fb5f1dbc0
• Instruction ID: a5392910076fd491936cb919a11442b3a979d4a0d2e2b98c9daa7c3db4c1f055
• Opcode Fuzzy Hash: 20c40457239223a7a2b518a726cbc4d472cf46748fd163e0e5343a9fb5f1dbc0
• Instruction Fuzzy Hash: CAD1B0B1A013189FDB20EFA4EC05B5EB7B0EF44715F144128FA15B72D2DBB4A948DB62

Control-flow Graph

• Executed
• Not Executed
                                                                                                              control_flow_graph 339 dde7e0-dde851 call e63910 call e82af0 * 2 GetVersionExW 346 dde9ef-ddea05 call e82570 339->346 347 dde857-dde869 LoadLibraryA 339->347 354 ddea08-ddea0a 346->354 349 dde86f-dde884 GetProcAddress 347->349 350 ddeb26-ddeb3d call e6316c 347->350 349->350 353 dde88a-dde89e GetProcAddress 349->353 353->350 356 dde8a4-dde8b8 GetProcAddress 353->356 357 ddea10-ddeaae 354->357 356->350 358 dde8be-dde8d5 GetProcAddress 356->358 357->357 359 ddeab4-ddeabf 357->359 358->350 360 dde8db-dde95c NtOpenSection 358->360 361 ddeac0-ddeb04 call dde580 call dddfe0 call ea3170 359->361 360->350 364 dde962-dde9bc NtMapViewOfSection 360->364 367 ddeb06-ddeb0d 361->367 364->367 368 dde9c2-dde9e8 call e83320 NtUnmapViewOfSection 364->368 371 ddeb0f-ddeb10 CloseHandle 367->371 372 ddeb16-ddeb1d 367->372 368->354 377 dde9ea 368->377 371->372 372->350 375 ddeb1f-ddeb20 FreeLibrary 372->375 375->350 377->367
                                                                                                              APIs
                                                                                                              • GetVersionExW.KERNEL32(00000114), ref: 00DDE844
                                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll), ref: 00DDE85C
                                                                                                              • GetProcAddress.KERNEL32(00000000,ZwOpenSection), ref: 00DDE87B
                                                                                                              • GetProcAddress.KERNEL32(ZwMapViewOfSection), ref: 00DDE895
                                                                                                              • GetProcAddress.KERNEL32(ZwUnmapViewOfSection), ref: 00DDE8AF
                                                                                                              • GetProcAddress.KERNEL32(RtlInitUnicodeString), ref: 00DDE8C9
                                                                                                              • NtOpenSection.NTDLL(00F4E294,00000004,00000018), ref: 00DDE954
                                                                                                              • NtMapViewOfSection.NTDLL(000000FF,00000000,00000000,00001000,?,?,00000001,00000000,00000002), ref: 00DDE9B4
                                                                                                              • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00DDE9E0
                                                                                                              • _strncat.LIBCMT ref: 00DDEAF3
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00DDEB10
                                                                                                              • FreeLibrary.KERNEL32(77310000), ref: 00DDEB20
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$Section$LibraryView$CloseFreeHandleLoadOpenUnmapVersion_strncat
                                                                                                              • String ID: %04X$RtlInitUnicodeString$ZwMapViewOfSection$ZwOpenSection$ZwUnmapViewOfSection$ntdll.dll
                                                                                                              • API String ID: 1990131577-1503435361

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetPrivateProfileIntW.KERNEL32(Setting,SendAction,00000001,FFFFFFFF), ref: 00E0423A
                                                                                                              • GetPrivateProfileIntW.KERNEL32(Setting,RepeatShare,00000000,FFFFFFFF), ref: 00E0424E
                                                                                                              • GetPrivateProfileIntW.KERNEL32(Setting,OpenTutorial,00000001,FFFFFFFF), ref: 00E04262
                                                                                                              • GetPrivateProfileIntW.KERNEL32(Setting,EnableShadow,00000001,?), ref: 00E0427B
                                                                                                              • GetPrivateProfileIntW.KERNEL32(Setting,ShowDlgBorder,00000000,?), ref: 00E0428F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PrivateProfile
                                                                                                              • String ID: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus$Config.ini$EnableShadow$OpenTutorial$RepeatShare$SendAction$Setting$ShowDlgBorder
                                                                                                              • API String ID: 1469295129-466980516

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Programs\Ease Organizer Plus,00000104,EEAE26D7,?,00000000,00000000,?,00000000,00000000), ref: 00E40350
                                                                                                              • PathRemoveFileSpecW.SHLWAPI(C:\Users\user\AppData\Local\Programs\Ease Organizer Plus), ref: 00E4035B
                                                                                                              • GetPrivateProfileIntW.KERNEL32(Config,UtilFlag,00000000,?), ref: 00E40436
                                                                                                              • SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UtilFlag,00000004,00000000,00000004,?,?,00000000), ref: 00E40463
                                                                                                              • WritePrivateProfileStringW.KERNEL32(Config,UtilFlag,00000000,?), ref: 00E404AC
                                                                                                              • SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UtilFlag,00000000,00000000,00000000), ref: 00E40513
                                                                                                                • Part of subcall function 00DF4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF4167
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FilePrivateProfileValue$Exception@8ModuleNamePathRemoveSpecStringThrowWrite
                                                                                                              • String ID: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus$Config$Config.ini$Software\EasePaintWatermarkRemover$UtilFlag
                                                                                                              • API String ID: 987694952-3649662921

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,EEAE26D7), ref: 00DF970E
                                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00DF9792
                                                                                                              • InternetOpenW.WININET(00EF8660,00000000,00000000,00000000,00000000), ref: 00DF987D
                                                                                                              • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00DF9899
                                                                                                              • InternetReadFile.WININET(00000000,00000000,00001000,00000000), ref: 00DF98EF
                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 00DF9933
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Internet$ByteCharMultiOpenWide$CloseFileHandleRead
                                                                                                              • String ID:
                                                                                                              • API String ID: 414901677-0
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?), ref: 00DDFAAB
                                                                                                              • DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 00DDFAF4
                                                                                                              • DeviceIoControl.KERNEL32(00000000,0007C088,00000200,00000020,00F4CA20,00000210,00000000,00000000), ref: 00DDFBB1
                                                                                                              • _strncat.LIBCMT ref: 00DDFC31
                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00DDFC47
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ControlDevice$CloseCreateFileHandle_strncat
                                                                                                              • String ID: \\.\PhysicalDrive%d
                                                                                                              • API String ID: 1198454261-2935326385
                                                                                                              APIs
                                                                                                              • GetVersionExW.KERNEL32(00000114), ref: 00DDEC2C
                                                                                                              • CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00DDECA8
                                                                                                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00001000,?,00000000), ref: 00DDECD9
                                                                                                              • _strncat.LIBCMT ref: 00DDED05
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00DDED0E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseControlCreateDeviceFileHandleVersion_strncat
                                                                                                              • String ID: \\.\PhysicalDrive%d
                                                                                                              • API String ID: 222023302-2935326385

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • MessageBoxW.USER32(00000000,00000000,Error,00000040), ref: 00E22AD4
                                                                                                                • Part of subcall function 00DF4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF4167
                                                                                                                • Part of subcall function 00E57580: GetPrivateProfileIntW.KERNEL32(Config,ExcepRunAuto,00000001,EEAE26D7), ref: 00E57616
                                                                                                              • ?SetInstance@CPaintManagerUI@DuiLib@@SAXPAUHINSTANCE__@@@Z.YCOMUIU(EEAE26D7), ref: 00E22B0E
                                                                                                              • ?SetSkinExt@CPaintManagerUI@DuiLib@@SAXPB_W@Z.YCOMUIU(.skin), ref: 00E22B19
                                                                                                              • ?SetSkinPath@CPaintManagerUI@DuiLib@@SAXPB_W@Z.YCOMUIU(?,00EF8660,\skin\,C:\Users\user\AppData\Local\Programs\Ease Organizer Plus), ref: 00E22BBB
                                                                                                              • ?SetResourceZip@CPaintManagerUI@DuiLib@@SAXPB_W@Z.YCOMUIU ref: 00E22BFD
                                                                                                              • _wcsstr.LIBVCRUNTIME ref: 00E22C09
                                                                                                              • FindWindowW.USER32(EasePaintWndClass,00000000), ref: 00E22C20
                                                                                                              • PostMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00E22C31
                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00E2310F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@ManagerPaint$MessageSkin$E__@@@Exception@8Ext@FileFindInstance@ModuleNamePath@PostPrivateProfileResourceThrowWindowZip@_wcsstr
                                                                                                              • String ID: .skin$/debug$/install$/tjuninstall$/uninstall$C:\Users\user\AppData\Local\Programs\Ease Organizer Plus$D$EasePaintWndClass$Error$SkinLost$\skin\$ext.dll$open$uninst.exe
                                                                                                              • API String ID: 2991314517-521379311
                                                                                                              • Opcode ID: 4d3cd3f8e98a0594fef7ed93d907cb34f28f34adc5fc14228014f263a77f3b48
                                                                                                              • Instruction ID: a8fb9d953070b123251749a35d7a7e960c25c15bb2b0c8a3ebb6b44ed8f6b9cc
                                                                                                              • Opcode Fuzzy Hash: 4d3cd3f8e98a0594fef7ed93d907cb34f28f34adc5fc14228014f263a77f3b48
                                                                                                              • Instruction Fuzzy Hash: 6B02E570A40218ABDB20EB64EC4ABAD77B4EF44315F144198FA09B71D2DFB49B48DF61

Control-flow Graph

[Control-flow graph omitted: edge list for basic blocks e43560-e43986; calls SHGetValueW and subroutines e82af0, e6316c, dfd240, df5c80, df4fd0, df4150, df5150, e43310]
APIs
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UserName,00000000,?,?,EEAE26D7), ref: 00E435E6
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,type,00000000,00000000,00000208), ref: 00E43663
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,NickName,00000000,?,00000004), ref: 00E436AA
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,token,00000000,?,00000208), ref: 00E4370B
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,mobile,00000000,?,00000208), ref: 00E4376C
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,email,00000000,?,00000208), ref: 00E437D2
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,HeadImage,00000000,?,00000208), ref: 00E438CB
  • Part of subcall function 00DF4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF4167
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Value$Exception@8Throw
• String ID: HeadImage$Message$NickName$Software\EasePaintWatermarkRemover$Title$UserName$email$mobile$token$type
• API String ID: 977719429-3498454798
• Opcode ID: 4bafdfeeea4fbaae1d3acb285dabefc6eed430fa318456f574ce3d5e73db1708
• Instruction ID: 76841a4ebc5d1e61b1a0db44c8ff290db7ba85e73989d8074f7ab561e6d4184c
• Opcode Fuzzy Hash: 4bafdfeeea4fbaae1d3acb285dabefc6eed430fa318456f574ce3d5e73db1708
• Instruction Fuzzy Hash: 6EB1EBB494021D9EDB24DB24DC95FFAB7B8EF54304F4041E9EA06B2181EB706B89CF64

Control-flow Graph

[Control-flow graph omitted: edge list for basic blocks e45ec0-e46202; calls PathFileExistsW, PathRemoveFileSpecW, PathFindFileNameW and subroutines df4fd0, df4150, e03f90, df3c30, df3ad0, eb9d92, e6316c, df5c80, e03710]
APIs
• PathFileExistsW.SHLWAPI(00000000,00000000,?,?), ref: 00E46102
• PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?), ref: 00E4613A
• PathFindFileNameW.SHLWAPI(?,00F01560,?,?,?,?,?,?,?), ref: 00E46182
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: FilePath$ExistsFindNameRemoveSpec
• String ID: skin\skin_ar.skin$skin\skin_de.skin$skin\skin_en.skin$skin\skin_es.skin$skin\skin_fr.skin$skin\skin_id.skin$skin\skin_jp.skin$skin\skin_ko.skin$skin\skin_pt.skin$skin\skin_ru.skin$skin\skin_tr.skin
• API String ID: 713544028-3662250206
• Opcode ID: 898002eb4c0c00ff4e4019b02db918737cc18fb98f10098998a921f6cbba9055
• Instruction ID: dcf27557f1ae258cb22ba5d3747d3e286ecd90930ae8890ee4704ed00f09b0d1
• Opcode Fuzzy Hash: 898002eb4c0c00ff4e4019b02db918737cc18fb98f10098998a921f6cbba9055
• Instruction Fuzzy Hash: 73911871D402489FCB10EBB4EC49BEEB7B8AF11304F1481D5E505B7292EB749B489B62

Control-flow Graph

APIs
• SHGetMalloc.SHELL32(?), ref: 00E443A4
• SHGetSpecialFolderLocation.SHELL32(00000000,0000001A,?), ref: 00E443BD
• SHGetPathFromIDListW.SHELL32(?,?), ref: 00E443EE
• PathFileExistsW.SHLWAPI(?,?,?,?,?,?), ref: 00E44487
• CreateDirectoryW.KERNEL32(00000000,?,?,?,?), ref: 00E44498
• GetTempPathW.KERNEL32(00000104,?), ref: 00E444C0
• SHCreateDirectoryExW.SHELL32(00000000,00000000), ref: 00E444F3
• SetFileAttributesW.KERNEL32(00000006), ref: 00E44501
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Path$CreateDirectoryFile$AttributesExistsFolderFromListLocationMallocSpecialTemp
• String ID: %s%s\%s$%s\%s$EasePaintWatermarkRemover$data
• API String ID: 801663401-1024328609
• Opcode ID: 9ede6b15a90e8f09b257dc428c4d5989f212a9c031c0f74a39f271a80f6d5629
• Instruction ID: b519fd3f6e2e8161baf1b31e60cc4a96de6d57c4b245a4565f5eb824b4e186d9
• Opcode Fuzzy Hash: 9ede6b15a90e8f09b257dc428c4d5989f212a9c031c0f74a39f271a80f6d5629
• Instruction Fuzzy Hash: B341A9B460030CAFDB209B50EC45FEA77B8EF44705F1041A4FB09A61D2DB71AA59DF65

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00F51620), ref: 00E41B70
• GetFileVersionInfoSizeW.VERSION(?,00000000,?,00F51620), ref: 00E41B7F
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,00000000,?,00F51620), ref: 00E41BA4
• VerQueryValueW.VERSION(00000000,00F01560,?,00000034,?,00000000,00000000,00000000,00000000,?,00F51620), ref: 00E41BC1
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,Version,00000000,?,00000208,?,?,00000000), ref: 00E41C74
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: File$InfoValueVersion$ModuleNameQuerySize
• String ID: %d%d%d$%d.%d.%d.%d$4$Software\EasePaintWatermarkRemover$Version
• API String ID: 3751987224-2582149013
• Opcode ID: 6408303ddda8abf11f276c4f9d62ae6aa5ddf0e145b936f8fb979144cef3e033
• Instruction ID: 4031313b2defcbe4626f452c768386a13d74809e1e3cafb72800d681391b8c86
• Opcode Fuzzy Hash: 6408303ddda8abf11f276c4f9d62ae6aa5ddf0e145b936f8fb979144cef3e033
• Instruction Fuzzy Hash: D261C1B1A00218ABDB20DB64DC45BBAB3FCEF08704F404199F609E7182DB74EA85CF65

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 698 e418b0-e41939 call e82af0 SHGetValueW 701 e419b4-e419d7 SHGetValueW 698->701 702 e4193b-e41944 call df4fd0 698->702 703 e41a72-e41a7b call df4fd0 701->703 704 e419dd-e41a00 PathRemoveExtensionW PathFindFileNameW 701->704 712 e41ab5-e41aba call df4150 702->712 713 e4194a-e41966 702->713 714 e41a7d-e41a91 703->714 715 e41abf-e41ac9 call df4150 703->715 707 e41a50-e41a57 704->707 708 e41a02-e41a11 call e842ac 704->708 707->703 708->707 718 e41a13-e41a1f lstrlenW 708->718 712->715 724 e41975-e4197f 713->724 725 e41968-e41973 call df5150 713->725 727 e41a97-e41ab4 call e6316c 714->727 718->707 722 e41a21-e41a4e SHSetValueW call df91f0 718->722 722->727 726 e41980-e41989 724->726 734 e4199e-e419af 725->734 726->726 731 e4198b-e41999 call df5c80 726->731 731->734 734->727
APIs
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,adid,00000000,?,00000208,?), ref: 00E41935
• SHGetValueW.SHLWAPI(80000002,Software\EasePaintWatermarkRemover,InstallerName,00000000,?,00000208), ref: 00E419D3
• PathRemoveExtensionW.SHLWAPI(?), ref: 00E419EB
• PathFindFileNameW.SHLWAPI(?), ref: 00E419F8
• _wcschr.LIBVCRUNTIME ref: 00E41A05
• lstrlenW.KERNEL32(-00000002), ref: 00E41A17
• SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,adid,00000001,-00000002,00000000), ref: 00E41A36
  • Part of subcall function 00DF5150: FindResourceExW.KERNEL32(00000000,00000006,00DF5E74,00000000,00000000,00000000,00000000,?,00DF5E74,-00000010), ref: 00DF518E
  • Part of subcall function 00DF5150: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00DF51D7
  • Part of subcall function 00DF4FD0: GetProcessHeap.KERNEL32 ref: 00DF504E
  • Part of subcall function 00DF4FD0: __Init_thread_footer.LIBCMT ref: 00DF5080
  • Part of subcall function 00DF4FD0: __Init_thread_footer.LIBCMT ref: 00DF5104
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: FindValue$Init_thread_footerPathResource$ExtensionFileHeapNameProcessRemove_wcschrlstrlen
• String ID: InstallerName$Software\EasePaintWatermarkRemover$adid
• API String ID: 2661304214-246061220
• Opcode ID: 5763882bcd0788e99285415516360ddfb01e1553d69a7b358de93abc116d4b71
• Instruction ID: d0c0bd60e2d1438af8288495f65bc421036c4549a956df75d3bf221adb14cf31
• Opcode Fuzzy Hash: 5763882bcd0788e99285415516360ddfb01e1553d69a7b358de93abc116d4b71
• Instruction Fuzzy Hash: E851B071A41209AFDB10DFA4DC49BBAB7B8EF44704F1041A9F609F7281DB709A849B65

Control-flow Graph
[Control-flow graph for the function starting at e55fa0 (executed / not executed blocks); node and edge data omitted]
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00E560D1
• PathRemoveFileSpecW.SHLWAPI(?), ref: 00E560DE
• lstrcatW.KERNEL32(?,\LiveUpdate.dll), ref: 00E560F0
• LoadLibraryW.KERNEL32(?), ref: 00E560FD
  • Part of subcall function 00DC8A90: OutputDebugStringW.KERNEL32(?), ref: 00DC8AF4
• FreeLibrary.KERNEL32(?,EEAE26D7,?), ref: 00E561B1
• CloseHandle.KERNEL32(?,EEAE26D7,?), ref: 00E561BF
  • Part of subcall function 00DF4FD0: GetProcessHeap.KERNEL32 ref: 00DF504E
  • Part of subcall function 00DF4FD0: __Init_thread_footer.LIBCMT ref: 00DF5080
  • Part of subcall function 00DF4FD0: __Init_thread_footer.LIBCMT ref: 00DF5104
Strings
• \LiveUpdate.dll, xrefs: 00E560E4
• [update] Load liveupdate.dll failure., xrefs: 00E5610A
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: FileInit_thread_footerLibrary$CloseDebugFreeHandleHeapLoadModuleNameOutputPathProcessRemoveSpecStringlstrcat
• String ID: [update] Load liveupdate.dll failure.$\LiveUpdate.dll
• API String ID: 2596294035-540232465
• Opcode ID: a64c726429e41a85c4417c2c86feb0bb500e38802185ad590233466a2082daa4
• Instruction ID: 8a31e81f46068cc789fae5a6a914e79fa006a7e555592c970b668bd2332138e4
• Opcode Fuzzy Hash: a64c726429e41a85c4417c2c86feb0bb500e38802185ad590233466a2082daa4
• Instruction Fuzzy Hash: 9A918E70901649DFD710DF69C848BAABBF4EF44314F1086ADE859EB291DB74AA08CF91

Control-flow Graph
[Control-flow graph for the function starting at ddf850 (executed / not executed blocks); node and edge data omitted]
APIs
• CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?), ref: 00DDF89B
• _strncpy.LIBCMT ref: 00DDF8F9
• DeviceIoControl.KERNEL32(00000000,0004D008,0000001C,0000003C,0000001C,0000022D,?,00000000), ref: 00DDF92C
• _strncat.LIBCMT ref: 00DDFA02
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00DDFA20
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle_strncat_strncpy
• String ID: SCSIDISK$\\.\Scsi%d:
• API String ID: 1663224219-2176293039
• Opcode ID: d7b45aa110e5b46cac42a9aeb321f423b34453cd94162e7e69fe67392b1dbb79
• Instruction ID: 6c0e6b44aefeb6d463ab982689998d282a10d5bf4adddbbcbe9e10a97b6426f5
• Opcode Fuzzy Hash: d7b45aa110e5b46cac42a9aeb321f423b34453cd94162e7e69fe67392b1dbb79
• Instruction Fuzzy Hash: 9E510770D413586AEB20DB749C86BED77B8EB55704F1012E6E50DF6282DB74AB84CF10
APIs
• StgOpenStorage.OLE32(?,00000000,00000020,00000000,00000000,?,EEAE26D7,?,00000000,80004005,-4141412D,00EEA4DF,000000FF), ref: 00E4217B
• _wcschr.LIBVCRUNTIME ref: 00E42273
• lstrlenW.KERNEL32(?), ref: 00E4233D
• _wcsstr.LIBVCRUNTIME ref: 00E424B6
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: OpenStorage_wcschr_wcsstrlstrlen
• String ID: $$
• API String ID: 3597257408-2352093064
• Opcode ID: 77eaf5418b599bbc7ff44f79f7c07e9d488cbdb730aeda6452c48af19bfe20d6
• Instruction ID: d27e45d3078340761346b9af96ac039e787ab00ad76595fb6ce3c83b606e9910
• Opcode Fuzzy Hash: 77eaf5418b599bbc7ff44f79f7c07e9d488cbdb730aeda6452c48af19bfe20d6
• Instruction Fuzzy Hash: 41D1D5719003099FEB20DF68DC84BAEB7B4FF54314F1482ADF919A7292D7749A44CBA0
APIs
• GetPrivateProfileIntW.KERNEL32(Setting,LCID,00000000,?), ref: 00E04320
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: PrivateProfile
• String ID: Config.ini$LCID$Setting
• API String ID: 1469295129-1763241224
• Opcode ID: f2b29bdb79fef7018c0b76550aef4ad9a88a9369ad561fb26f0ed62f26acd9f1
• Instruction ID: 8bc56e140f840ae4a2717a58621b8ff45a3c90f739b5d858ba001783f791320a
• Opcode Fuzzy Hash: f2b29bdb79fef7018c0b76550aef4ad9a88a9369ad561fb26f0ed62f26acd9f1
• Instruction Fuzzy Hash: CA41A4F0404654EBE7318F94DB4877876B4E704319F246216DB78FA6E0DBB9CAC9A702
APIs
• GetPrivateProfileIntW.KERNEL32(LANG,LCID,00000000,?), ref: 00E467EB
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: PrivateProfile
• String ID: LANG$LCID$oem.ini
• API String ID: 1469295129-2603398421
• Opcode ID: 85037b389597335af8b2f87b1e3b5e20fbcee763c6e9687112e86cb530e93dea
• Instruction ID: c2f7cb5626d03e80b0ba1939647def540659c87784af789309870a9670a22402
• Opcode Fuzzy Hash: 85037b389597335af8b2f87b1e3b5e20fbcee763c6e9687112e86cb530e93dea
• Instruction Fuzzy Hash: 93414A32904719DBE7355B08EA883B5B764E382719F045126CB5C7A2F0DBF59D84A783
APIs
  • Part of subcall function 00E03FF0: GetProcessHeap.KERNEL32 ref: 00E0406E
  • Part of subcall function 00E03FF0: __Init_thread_footer.LIBCMT ref: 00E040A0
  • Part of subcall function 00E03FF0: __Init_thread_footer.LIBCMT ref: 00E04124
  • Part of subcall function 00E5BCA0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,EEAE26D7), ref: 00E5BE26
• CloseHandle.KERNEL32(00000000), ref: 00E05626
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Init_thread_footer$ByteCharCloseHandleHeapMultiProcessWide
• String ID: lc=%s&product_id=%d&version=%d$open$result
                                                                                                              • API String ID: 2625542054-4117417349
                                                                                                              • Opcode ID: 5dbb1f924b369304f9f49ea212972137b57e56d471860ce85983bcac6838cff7
                                                                                                              • Instruction ID: f3c637a811a18d2d96e203cf50f9aafd0bca184e2e1ee478e998be2c0d1e1f71
                                                                                                              • Opcode Fuzzy Hash: 5dbb1f924b369304f9f49ea212972137b57e56d471860ce85983bcac6838cff7
                                                                                                              • Instruction Fuzzy Hash: E291F471900649DFDB10EBA8CC45B9EBBB4FF15314F0441A9E509A72D2DB719E84CFA1
                                                                                                              APIs
                                                                                                              • lstrlenW.KERNEL32(?), ref: 00DFD290
                                                                                                              • lstrcpyW.KERNEL32(?,00F00EFC), ref: 00DFD2A6
                                                                                                                • Part of subcall function 00DF4110: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,EEAE26D7,00000000,?,00DF5FDF,?,?,00000000,00000003,EEAE26D7,00000000,00000000), ref: 00DF4132
                                                                                                              • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 00DFD303
                                                                                                              • lstrcpynW.KERNEL32(?,00000000,?,?,?,?,00000003), ref: 00DFD373
Similarity
  • API ID: ByteCharMultiWide$lstrcpylstrcpynlstrlen
  • String ID:
  • API String ID: 3832091381-0
  • Opcode ID: d63edc1dddfc70c1ee1b4f279bb827f7a7c45f8a7e8aa615b1f0da3614d7ba60
  • Instruction ID: 7a44efceb1e8d71f6c8d561f2383764f68e4a637e1c0573d74ef24ab19e94d73
  • Opcode Fuzzy Hash: d63edc1dddfc70c1ee1b4f279bb827f7a7c45f8a7e8aa615b1f0da3614d7ba60
  • Instruction Fuzzy Hash: A9410731900209ABDB20EB64DC46FBE77ADDF45704F650698BA09F71C2D674AA05CAA0
APIs
    • Part of subcall function 00DDEBF0: GetVersionExW.KERNEL32(00000114), ref: 00DDEC2C
    • Part of subcall function 00DDEBF0: CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00DDECA8
    • Part of subcall function 00DDEBF0: DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00001000,?,00000000), ref: 00DDECD9
    • Part of subcall function 00DDEBF0: _strncat.LIBCMT ref: 00DDED05
    • Part of subcall function 00DDEBF0: CloseHandle.KERNEL32(00000000), ref: 00DDED0E
  • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,?), ref: 00DFD07C
  • lstrcpynW.KERNEL32(?,00000000,?), ref: 00DFD094
Similarity
  • API ID: ByteCharCloseControlCreateDeviceFileHandleMultiVersionWide_strncatlstrcpyn
  • String ID:
  • API String ID: 3846494814-0
  • Opcode ID: 9134a0dc36dcc31e37718598e48044a958bbf2339f4aa73a6ee3b12cc31c6469
  • Instruction ID: c25881bd7e0b42b94e7a78717a06bf7c1a9778b7acbc84b1a413ed9f18d1a9a7
  • Opcode Fuzzy Hash: 9134a0dc36dcc31e37718598e48044a958bbf2339f4aa73a6ee3b12cc31c6469
  • Instruction Fuzzy Hash: 78417C3590420D9FCF25DF38CC05FF9B7A6AF56300F0482D5E6499B182DE725A898BA0
APIs
  • CreateThread.KERNEL32(00000000,00000000,Function_00045060,?,00000000,?), ref: 00E04B6D
Similarity
  • API ID: CreateThread
  • String ID:
  • API String ID: 2422867632-0
  • Opcode ID: 7defa48691d7dc7e81b9562c42498c9ea555925f2bd6249ddf7fedc081f48fc8
  • Instruction ID: f8a8c54e66eeb988a22407f8fca536513bd79211fb4b032c32c2f1dc3417716c
  • Opcode Fuzzy Hash: 7defa48691d7dc7e81b9562c42498c9ea555925f2bd6249ddf7fedc081f48fc8
  • Instruction Fuzzy Hash: BBD05B715547287FE230DA459C06F6777ACD705721F10015AFA04611C0D6E1798486D4
APIs
  • PathFileExistsW.SHLWAPI(?,EEAE26D7), ref: 00E10B44
  • GdipAlloc.GDIPLUS(00000010), ref: 00E10B54
  • GdipCreateBitmapFromFile.GDIPLUS(?,?,00000010), ref: 00E10B94
  • GdipGetImageWidth.GDIPLUS(?,?,00000010), ref: 00E10BD6
  • GdipGetImageHeight.GDIPLUS(?,?,?,?,00000010), ref: 00E10BF6
  • GdipAlloc.GDIPLUS(00000010), ref: 00E10C18
  • GdipSetSmoothingMode.GDIPLUS(00000000,00000002), ref: 00E10C90
  • GdipAlloc.GDIPLUS(00000010,00000000,00000000,00000000,00000002), ref: 00E10E91
  • GdipTranslateWorldTransform.GDIPLUS(?), ref: 00E10F4E
  • GdipRotateWorldTransform.GDIPLUS(?,00000000,00000000,?), ref: 00E10F80
  • GdipTranslateWorldTransform.GDIPLUS(?,00000000,?), ref: 00E10FC4
  • GdipCreateFontFamilyFromName.GDIPLUS(?,00000000,?,?,00000000,?), ref: 00E11005
  • GdipCreateFont.GDIPLUS(00000000,?,?,00000002,?,?,00000000,?,?,00000000,?), ref: 00E11044
    • Part of subcall function 00E06760: GdipCreateSolidFill.GDIPLUS(00000006,EEAE26D7), ref: 00E067B5
  • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?,00000000,?,?,00000002,?,?,00000000,?,?,00000000,?), ref: 00E110C8
  • GdipSetStringFormatAlign.GDIPLUS(00000000,00000001,00000000,00000000,?,00000000,?,?,00000002,?,?,00000000,?,?,00000000,?), ref: 00E110DF
  • GdipSetStringFormatLineAlign.GDIPLUS(00000000,00000001,00000000,00000001,00000000,00000000,?,00000000,?,?,00000002,?,?,00000000,?,?), ref: 00E110FD
    • Part of subcall function 00E11F70: GdipSetTextRenderingHint.GDIPLUS(?,?,00000000,?,00E11120,00000004,00000000,00000001,00000000,00000001,00000000,00000000,?,00000000,?,?), ref: 00E11F7B
  • GdipDrawString.GDIPLUS(?,?,000000FF,?,41200000,00000000,?,00000004,00000000,00000001,00000000,00000001,00000000,00000000,?,00000000), ref: 00E1114C
  • GdipDrawImageRectI.GDIPLUS(00000000,?,00000000,00000000,00000000,00000001,?,?,000000FF,?,41200000,00000000,?,00000004,00000000,00000001), ref: 00E11244
  • GdipDeleteGraphics.GDIPLUS(?,?,?,000000FF,?,41200000,00000000,?,00000004,00000000,00000001,00000000,00000001,00000000,00000000,?), ref: 00E112C6
  • GdipFree.GDIPLUS(?,?,?,?,000000FF,?,41200000,00000000,?,00000004,00000000,00000001,00000000,00000001,00000000,00000000), ref: 00E112D1
  • GdipDeleteStringFormat.GDIPLUS(00000000,?,?,00000002,?,?,00000000,?,?,00000000,?), ref: 00E112E8
  • GdipDeleteFont.GDIPLUS(?,00000000,?,?,00000002,?,?,00000000,?,?,00000000,?), ref: 00E11306
  • GdipDeleteFontFamily.GDIPLUS(00000000,?,00000000,?,?,00000002,?,?,00000000,?,?,00000000,?), ref: 00E11318
  • PathFileExistsW.SHLWAPI(?,00000000,00000000,00000000,00000002), ref: 00E11328
  • GdipAlloc.GDIPLUS(00000010), ref: 00E11409
  • ??0CDuiRect@DuiLib@@QAE@HHHH@Z.YCOMUIU(?,?,00000000,00000000,00000007,00000010), ref: 00E11519
  • GdipCreateMatrix.GDIPLUS(?), ref: 00E11530
  • GdipTranslateMatrix.GDIPLUS(00000000), ref: 00E1157F
  • GdipRotateMatrix.GDIPLUS(0026200A,?,00000000,00000000), ref: 00E115AE
  • GdipTranslateMatrix.GDIPLUS(0026200A,00000000,00000000), ref: 00E115ED
  • GdipTransformMatrixPointsI.GDIPLUS(0026200A,?,00000003,0026200A,00000000,00000000), ref: 00E11622
  • GdipDrawImagePointsI.GDIPLUS(?,00000000,?,00000003,0026200A,?,00000003,0026200A,00000000,00000000), ref: 00E11652
  • GdipCreateImageAttributes.GDIPLUS(?,?,00000000,?,00000003,0026200A,?,00000003,0026200A,00000000,00000000), ref: 00E116E4
  • GdipSetImageAttributesColorMatrix.GDIPLUS(00000000,00000000,00000001,?,00000000,00000000,?,?,00000000,?,00000003,0026200A,?,00000003,0026200A,00000000), ref: 00E11708
  • GdipDrawImageRectRectI.GDIPLUS(?,?,?,00000000,?,?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 00E11787
  • GdipDeleteGraphics.GDIPLUS(?,?,?,00000000,00000000,00000001,?,00000000,00000000,?,?,00000000,?,00000003,0026200A,?), ref: 00E11889
  • GdipFree.GDIPLUS(?,?,?,?,00000000,00000000,00000001,?,00000000,00000000,?,?,00000000,?,00000003,0026200A), ref: 00E1188F
  • GdipDisposeImageAttributes.GDIPLUS(00000000), ref: 00E118BA
  • GdipDeleteMatrix.GDIPLUS(0026200A,00000000), ref: 00E118CC
    • Part of subcall function 00E0DD90: GdipDrawImageRectI.GDIPLUS(?,00000000,?,?,?,?), ref: 00E0DDB3
  • GdipSaveImageToFile.GDIPLUS(?,?,?,00000001,00000000,00000002), ref: 00E11982
  • GdipDeleteGraphics.GDIPLUS(00000000,00000000,00000000,00000000,00000002), ref: 00E11990
  • GdipFree.GDIPLUS(00000000,00000000,00000000,00000000,00000000,00000002), ref: 00E11996
Strings
Similarity
  • API ID: Gdip$Image$CreateDeleteMatrix$DrawString$AllocFileFontFormatRectTransformTranslate$AttributesFreeGraphicsWorld$AlignExistsFamilyFromPathPointsRotate$BitmapColorDisposeFillHeightHintLib@@LineModeNameRect@RenderingSaveSmoothingSolidTextWidth
  • String ID: &$%?$gfff$gfff$image/bmp$image/gif$image/jpeg$image/png
  • API String ID: 4051807090-525921346
  • Opcode ID: d87875270e2b157b7af4c5fc28bcbea12fcef4b8438220aaafac0d2b91b6dde6
  • Instruction ID: 70d7446c0dc74564399f47cd7859e4d20c7b39dbb799c37f2cac487bd8aad890
  • Opcode Fuzzy Hash: d87875270e2b157b7af4c5fc28bcbea12fcef4b8438220aaafac0d2b91b6dde6
  • Instruction Fuzzy Hash: ED925670A012299FEB25DB65CD41BE9B7B5BF48300F1492E9E50DB7291EB70AEC09F50
APIs
  • DeleteCriticalSection.KERNEL32(?,?,?,00E1F8D2,EEAE26D7,?,?,?,00EE4508,000000FF), ref: 00E232AE
  • __CxxThrowException@8.LIBVCRUNTIME ref: 00E23300
  • SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UpDumpDay,00000000,00000000,EEAE26D7), ref: 00E23378
  • PathFileExistsW.SHLWAPI(?), ref: 00E233BD
  • SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UpDumpDay,00000004,00000000,00000004), ref: 00E233F8
  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,EEAE26D7), ref: 00E23513
  • GetLastError.KERNEL32 ref: 00E2351D
  • EnterCriticalSection.KERNEL32(?), ref: 00E23569
  • LeaveCriticalSection.KERNEL32(?,7734E820,?), ref: 00E23596
  • GetModuleFileNameW.KERNEL32(00DC0000,?,00000104), ref: 00E235EB
  • GetModuleHandleW.KERNEL32(00000000), ref: 00E2368C
  • LeaveCriticalSection.KERNEL32(?,Module,?), ref: 00E23790
    • Part of subcall function 00E1FF70: EnterCriticalSection.KERNEL32(00F02728,EEAE26D7,7734E820,00000000), ref: 00E1FFAD
    • Part of subcall function 00E1FF70: LeaveCriticalSection.KERNEL32(00F02728), ref: 00E1FFBE
    • Part of subcall function 00E1FF70: DeleteCriticalSection.KERNEL32(00F02728), ref: 00E1FFDA
  • EnterCriticalSection.KERNEL32(?), ref: 00E2380C
  • LeaveCriticalSection.KERNEL32(?,Module_Raw,?), ref: 00E23840
    • Part of subcall function 00E636E3: ___report_securityfailure.LIBCMT ref: 00E636E8
  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,EEAE26D7,7734E820), ref: 00E2395C
  • GetLastError.KERNEL32 ref: 00E23966
  • EnterCriticalSection.KERNEL32(?), ref: 00E239B8
  • LeaveCriticalSection.KERNEL32(?,7734E820,?), ref: 00E239E5
                                                                                                              • GetModuleFileNameW.KERNEL32(00DC0000,?,00000104), ref: 00E23A3B
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00E23ADC
                                                                                                              • LeaveCriticalSection.KERNEL32(?,Module,?), ref: 00E23BE0
                                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 00E23C5C
                                                                                                              • LeaveCriticalSection.KERNEL32(?,Module_Raw,?), ref: 00E23C90
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$Leave$Enter$Module$File$CountDeleteErrorHandleInitializeLastNameSpinValue$Exception@8ExistsPathThrow___report_securityfailure
                                                                                                              • String ID: %s/%s$C:\Users\user\AppData\Local\Programs\Ease Organizer Plus$Error.tmp$Module$Module_Raw$REGISTRY$Software\EasePaintWatermarkRemover$UpDumpDay
                                                                                                              • API String ID: 2275077174-140225058
                                                                                                              • Opcode ID: b56ca09fa25bb52faf1c0c7389e88bb8eb60bae9c7b2d69d208a3b4b61076314
                                                                                                              • Instruction ID: 0a21590705438108918cb4191d8d5295cc21ca5eee686a92759fc55b50f9f09b
                                                                                                              • Opcode Fuzzy Hash: b56ca09fa25bb52faf1c0c7389e88bb8eb60bae9c7b2d69d208a3b4b61076314
                                                                                                              • Instruction Fuzzy Hash: AB52BE71A00328DBDB20DB64DC44BDEB7B4AF49304F1442A9E919B7291DB799F48CF92
                                                                                                              APIs
                                                                                                              • LoadLibraryW.KERNEL32(EraserDll.dll), ref: 00E350B8
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThumbnail), ref: 00E350D8
                                                                                                              • GetProcAddress.KERNEL32(00000000,RemoveWatermark), ref: 00E350EA
                                                                                                              • GetProcAddress.KERNEL32(00000000,AddWatermark), ref: 00E350FC
                                                                                                              • GetProcAddress.KERNEL32(00000000,StopErasing), ref: 00E3510E
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetEraseProgressCallback), ref: 00E35120
                                                                                                              • GetProcAddress.KERNEL32(00000000,Playing), ref: 00E35132
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetPlayerState), ref: 00E35144
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetPlayerPos), ref: 00E35156
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetPlayerPos), ref: 00E35168
                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00E351C5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$Library$FreeLoad
                                                                                                              • String ID: AddWatermark$EraserDll.dll$GetPlayerPos$GetThumbnail$LowOS$Playing$RemoveWatermark$SetEraseProgressCallback$SetPlayerPos$SetPlayerState$StopErasing$Vista$Windows2000$Windows2003$WindowsXP$[EasePaint]: OS = %s
                                                                                                              • API String ID: 2449869053-3182467469
                                                                                                              • Opcode ID: 27eb40847ed5e6002308fa71b32a48f40c39f4d3e16f227b5c3f6bcfa9fd51c5
                                                                                                              • Instruction ID: 5f489118c7ef9816d6f561072e37b60e448832755de84f4df5fb6102e5b14545
                                                                                                              • Opcode Fuzzy Hash: 27eb40847ed5e6002308fa71b32a48f40c39f4d3e16f227b5c3f6bcfa9fd51c5
                                                                                                              • Instruction Fuzzy Hash: D261E3776027069BDB285F20EC1C7B6BE60FB01B1AF546169D906677A0DF719C81FB80
                                                                                                              APIs
                                                                                                              • GdipRotateWorldTransform.GDIPLUS(?,?,00000000), ref: 00E0EB08
                                                                                                              • GdipTranslateWorldTransform.GDIPLUS(?), ref: 00E0EB4C
                                                                                                              • GdipCreateFontFamilyFromName.GDIPLUS(?,00000000,00000000), ref: 00E0EB98
                                                                                                              • GdipCreateFont.GDIPLUS(00000000,?,?,00000002,?,?,00000000,00000000), ref: 00E0EBD7
                                                                                                              • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?,00000000,?,?,00000002,?,?,00000000,00000000), ref: 00E0EC84
                                                                                                              • GdipSetStringFormatAlign.GDIPLUS(00000000,00000001,00000000,00000000,?,00000000,?,?,00000002,?,?,00000000,00000000), ref: 00E0EC9B
                                                                                                              • GdipSetStringFormatLineAlign.GDIPLUS(00000000,00000001,00000000,00000001,00000000,00000000,?,00000000,?,?,00000002,?,?,00000000,00000000), ref: 00E0ECB9
                                                                                                              • GdipSetTextRenderingHint.GDIPLUS(?,00000004,00000000,00000001,00000000,00000001,00000000,00000000,?,00000000,?,?,00000002,?,?,00000000), ref: 00E0ECD9
                                                                                                              • GdipDrawString.GDIPLUS(?,?,000000FF,?,?,00000000,?,?,00000004,00000000,00000001,00000000,00000001,00000000,00000000,?), ref: 00E0ED16
                                                                                                              • GdipResetWorldTransform.GDIPLUS(?,?,?,000000FF,?,?,00000000,?,?,00000004,00000000,00000001,00000000,00000001,00000000,00000000), ref: 00E0ED2C
                                                                                                              • GdipDrawImageRectRect.GDIPLUS(?,00000000), ref: 00E0EE24
                                                                                                              • GdipDrawImageRectRect.GDIPLUS(?,00000000,?,?,?,?,?,?,?,00000000), ref: 00E0EF20
                                                                                                              • GdipDrawImageRectRect.GDIPLUS(?,00000000,?,?,?,?,?,?,?,00000000), ref: 00E0F022
                                                                                                              • GdipDrawImageRectRect.GDIPLUS(?,00000000,?,?,?,?,?,?,?,00000000), ref: 00E0F106
                                                                                                                • Part of subcall function 00E092E0: GdipGetImageWidth.GDIPLUS(00000000,00000000), ref: 00E092F5
                                                                                                                • Part of subcall function 00E08D50: GdipGetImageHeight.GDIPLUS(00000000,00000000), ref: 00E08D65
                                                                                                              • GdipDrawImageRectRect.GDIPLUS(41800000,00000000,?,?,?,?,?,?,?,00000000), ref: 00E0F202
                                                                                                              • ?GetHeight@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(?,?,?,000000FF,?,?,00000000,?,?,00000004,00000000,00000001,00000000,00000001,00000000,00000000), ref: 00E0F2AE
                                                                                                              • ?GetWidth@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(?,?,00000002,?,?,00000000,00000000), ref: 00E0F2C9
                                                                                                              • GdipDrawImageRectI.GDIPLUS(?,00000008,00000000,?,?,?,?,?,00000002,?,?,00000000,00000000), ref: 00E0F2F7
                                                                                                              • ?GetWidth@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(?,00000008,00000000,?,?,?,?,?,00000002,?,?,00000000,00000000), ref: 00E0F315
                                                                                                              • ?GetHeight@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(?,?,00000002,?,?,00000000,00000000), ref: 00E0F367
                                                                                                              • GdipDeleteGraphics.GDIPLUS(?,?,?,00000002,?,?,00000000,00000000), ref: 00E0F387
                                                                                                              • GdipFree.GDIPLUS(?,?,?,?,00000002,?,?,00000000,00000000), ref: 00E0F392
                                                                                                              • GdipDeleteStringFormat.GDIPLUS(00000000,?,?,00000002,?,?,00000000,00000000), ref: 00E0F3A9
                                                                                                              • GdipDeleteBrush.GDIPLUS(?,?,?,?,?,?,00000000,?,?,00000002,?,?,00000000,00000000), ref: 00E0F3C2
                                                                                                              • GdipDeleteFont.GDIPLUS(?,?,?,?,?,?,?,00000000,?,?,00000002,?,?,00000000,00000000), ref: 00E0F3D1
                                                                                                              • GdipDeleteFontFamily.GDIPLUS(00000000,?,?,?,?,?,?,?,00000000,?,?,00000002,?,?,00000000,00000000), ref: 00E0F3E3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Gdip$Rect$Image$Draw$DeleteString$FontFormatLib@@Rect@$CreateTransformWorld$AlignFamilyHeight@Width@$BrushFreeFromGraphicsHeightHintLineNameRenderingResetRotateTextTranslateWidth
                                                                                                              • String ID:
                                                                                                              • API String ID: 3081257830-0
                                                                                                              • Opcode ID: e2d47736b86be06b02cebcd49a7bf997552399c261c6f94624f98ead1c35d231
                                                                                                              • Instruction ID: 71c00e8aace8dce854251cbd36be1dfd09ed1e356f27b0071ddb2a160729b0c9
                                                                                                              • Opcode Fuzzy Hash: e2d47736b86be06b02cebcd49a7bf997552399c261c6f94624f98ead1c35d231
                                                                                                              • Instruction Fuzzy Hash: 56323630A113189FDB26DB25CC50B99F7B5BF49300F0096E9E449BB2A1EB70AAD4DF41
                                                                                                              APIs
                                                                                                              • ?OnSize@WindowImplBase@DuiLib@@UAEJIIJAAH@Z.YCOMUIU(?,?,?,?), ref: 00E3924F
                                                                                                              • IsIconic.USER32(?), ref: 00E39261
                                                                                                              • ?SetControlWidth@WindowImplBase@DuiLib@@QAEXPB_WH@Z.YCOMUIU(Lable_ScrollBarBg,?), ref: 00E39286
                                                                                                              • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(LayView_VideoWatermark), ref: 00E392B6
                                                                                                              • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(LayPic_AWatermark), ref: 00E39309
                                                                                                              • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(tabMain), ref: 00E39332
                                                                                                              • ?GetCurSel@CTabLayoutUI@DuiLib@@QBEHXZ.YCOMUIU ref: 00E3933E
                                                                                                              • ?PostMessageW@CWindowWnd@DuiLib@@QAEJIIJ@Z.YCOMUIU(00000411,00000000,00000000), ref: 00E3937E
                                                                                                              • IsWindow.USER32(?), ref: 00E3938D
                                                                                                              • MoveWindow.USER32(?,00000000,00000050,?,?,00000001), ref: 00E393AB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$Window$Control$Control@FindI@2@ManagerPaint$Base@Impl$IconicLayoutMessageMovePostSel@Size@Width@Wnd@
                                                                                                              • String ID: ($Lable_ScrollBarBg$LayPic_AWatermark$LayView_VideoWatermark$tabMain
                                                                                                              • API String ID: 3321931053-102796370
                                                                                                              • Opcode ID: bc80867c50577e9caf78c1114a5153d1f6fd20ba736c50d1d372b52bd6ed5c2a
                                                                                                              • Instruction ID: eae0c17f92c245bc18dbda121d4d3aa25c1bc0ab6d8ac8f5da8c605e408a3be9
                                                                                                              • Opcode Fuzzy Hash: bc80867c50577e9caf78c1114a5153d1f6fd20ba736c50d1d372b52bd6ed5c2a
                                                                                                              • Instruction Fuzzy Hash: 1F41BE70B0021AAFEB109F65DD49BBEBBB4FF44704F004519E946B72D1DBB0A954CB91
                                                                                                              APIs
                                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll), ref: 00DDF2E9
                                                                                                              • GetProcAddress.KERNEL32(00000000,ZwOpenSection), ref: 00DDF308
                                                                                                              • GetProcAddress.KERNEL32(ZwMapViewOfSection), ref: 00DDF322
                                                                                                              • GetProcAddress.KERNEL32(ZwUnmapViewOfSection), ref: 00DDF33C
                                                                                                              • GetProcAddress.KERNEL32(RtlInitUnicodeString), ref: 00DDF356
                                                                                                              • NtOpenSection.NTDLL(00F4E294,00000004,00000018), ref: 00DDF3DB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$LibraryLoadOpenSection
                                                                                                              • String ID: RtlInitUnicodeString$ZwMapViewOfSection$ZwOpenSection$ZwUnmapViewOfSection$ntdll.dll
                                                                                                              • API String ID: 3573973580-4018374555
                                                                                                              • Opcode ID: d742309b518b1dda65ad83b03e40d2e156f0dbb7ade226e5e816706c7de0db3f
                                                                                                              • Instruction ID: 9646ed230ca1dd4a271af64e560a355e3c8d630ec235da9c140f0a51a51c06d4
                                                                                                              • Opcode Fuzzy Hash: d742309b518b1dda65ad83b03e40d2e156f0dbb7ade226e5e816706c7de0db3f
                                                                                                              • Instruction Fuzzy Hash: 1D316D74E0530D9BDB009FA9DC416AEBFF9FF19300F14122ADC05E62A1EB709A44DB50
APIs
• _free.LIBCMT ref: 00EC46B6
• _free.LIBCMT ref: 00EC46DA
• _free.LIBCMT ref: 00EC4861
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F14C64), ref: 00EC4873
• WideCharToMultiByte.KERNEL32(00000000,00000000,00F52C6C,000000FF,00000000,0000003F,00000000,?,?), ref: 00EC48EB
• WideCharToMultiByte.KERNEL32(00000000,00000000,00F52CC0,000000FF,?,0000003F,00000000,?), ref: 00EC4918
• _free.LIBCMT ref: 00EC4A2D
Strings
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID: $J$$J$,J
• API String ID: 314583886-2670825776
• Opcode ID: 9fdda7ab395c4f6e6759dedd42e6ca82aea519417cb233dc59f4ba06030d9fb0
• Instruction ID: cb1490facef26e3aa7e23718b4c83515a8c3b16111728cb17d84517001efde2d
• Opcode Fuzzy Hash: 9fdda7ab395c4f6e6759dedd42e6ca82aea519417cb233dc59f4ba06030d9fb0
• Instruction Fuzzy Hash: B3C14AB19002059FDB10DF788E51FAA7BE8AF46324F14219EE590B72D2E7328E43D740
APIs
• GdipGetImageWidth.GDIPLUS(?,00000000,EEAE26D7,?,00000000,?,?,00000000,00000000,00000000,00E28374,?,?), ref: 00E28E9C
• GdipGetImageHeight.GDIPLUS(?,?,?,00000000,EEAE26D7,?,00000000,?,?,00000000,00000000,00000000,00E28374,?), ref: 00E28EB6
• GdipAlloc.GDIPLUS(00000010,?,?,?,00000000,EEAE26D7,?,00000000,?,?,00000000,00000000,00000000,00E28374,?), ref: 00E29117
• GdipCreateBitmapFromScan0.GDIPLUS(00000000,00000000,00000000,0026200A,00000000,00000000,00000010,?,?,?,00000000,EEAE26D7,?,00000000,?,?), ref: 00E29156
• GdipCreatePen1.GDIPLUS(000000FF,?,00000000,?,00000001,00000000,00000000,?), ref: 00E29282
• GdipSetPenStartCap.GDIPLUS(00000000,00000002,000000FF,?,00000000,?,00000001,00000000,00000000,?), ref: 00E29296
• GdipSetPenEndCap.GDIPLUS(00000000,00000002,00000000,00000002,000000FF,?,00000000,?,00000001,00000000,00000000,?), ref: 00E292AB
• GdipDrawLine.GDIPLUS(00000000,00000000), ref: 00E292F3
• GdipDeletePen.GDIPLUS(00000000,00000000,00000000), ref: 00E29309
Strings
Similarity
• API ID: Gdip$CreateImage$AllocBitmapDeleteDrawFromHeightLinePen1Scan0StartWidth
• String ID: .png
• API String ID: 2210183595-502324627
• Opcode ID: 0593c0889ff727e68097a3ccb4161c43c15ab6e1971baad28e3fba93368f0271
• Instruction ID: b9f4eddf7c2f20ae15a212d1eeedb77602e7aa7f8ca9d07d956b2943b9d82155
• Opcode Fuzzy Hash: 0593c0889ff727e68097a3ccb4161c43c15ab6e1971baad28e3fba93368f0271
• Instruction Fuzzy Hash: F8E1CE31D0171DDBDB11CF77D8817AEBBB0AF5A344F18E71AE8147A2A1D730A891AB50
APIs
  • Part of subcall function 00DFD0C0: LoadLibraryW.KERNEL32(ntdll.dll), ref: 00DFD103
  • Part of subcall function 00DFD0C0: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00DFD11D
  • Part of subcall function 00DFD0C0: lstrcpynW.KERNEL32(?,Windows2000,?), ref: 00DFD184
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,DownloadedUpdateVersion,00000000,?,00000208), ref: 00E5691E
  • Part of subcall function 00DF5150: FindResourceExW.KERNEL32(00000000,00000006,00DF5E74,00000000,00000000,00000000,00000000,?,00DF5E74,-00000010), ref: 00DF518E
  • Part of subcall function 00DF5150: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00DF51D7
• GetPrivateProfileStringW.KERNEL32(Config,GoogleUserAgent,Default,?,00000104,?), ref: 00E56AD7
  • Part of subcall function 00DF4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF4167
Strings
Similarity
• API ID: FindResource$AddressException@8LibraryLoadPrivateProcProfileStringThrowValuelstrcpyn
• String ID: Config$Default$DownloadedUpdateVersion$GoogleUserAgent$Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.4.154.18 Safari/525.19$Software\EasePaintWatermarkRemover$cd.dat$
• API String ID: 4267482599-3275086205
• Opcode ID: aa1fedf011a61f635dd0e9d1e8883d60015607e6c757d86906540fccdc1a4a4c
• Instruction ID: 062ace4d6815ebb3fe7a01ff3e368fbe9571dd98cd867f8451ce8c711f8b3abe
• Opcode Fuzzy Hash: aa1fedf011a61f635dd0e9d1e8883d60015607e6c757d86906540fccdc1a4a4c
• Instruction Fuzzy Hash: 1AC1D271A4021CAFDB10DF68DC49BEAB7F8EF14714F4046A9E909A72D1DB719A44CF90
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00E2666A
• DeleteFileW.KERNEL32(?), ref: 00E266B6
• FindNextFileW.KERNEL32(00000000,?), ref: 00E266C0
• FindClose.KERNEL32(00000000), ref: 00E266CC
Strings
Similarity
• API ID: FileFind$CloseDeleteFirstNext
• String ID: %s/%s$%s//%s//$%s\%s$*.*$data
• API String ID: 3592162902-2701475228
• Opcode ID: c5fc957dfcdd9f5a0ab1aa2561c6ba4c8468c714501346d46b547b93b918c179
• Instruction ID: 585749f4d964245269353d940abc37d6aee032587a101927d8e0b34353c73448
• Opcode Fuzzy Hash: c5fc957dfcdd9f5a0ab1aa2561c6ba4c8468c714501346d46b547b93b918c179
• Instruction Fuzzy Hash: 5A81D1B1901A149FDB20DF28DC89B5AB7F8FF44714F1487A8E819AB291DB71E944CF90
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00E40BBF
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00E40C1A
• FindFirstFileW.KERNEL32(?,?,?,?,00000000), ref: 00E40D0B
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E40D58
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E40D62
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00E40D6E
Strings
Similarity
• API ID: FileFind$ByteCharMultiWide$CloseDeleteFirstNext
• String ID: %s\%s$%s\*.*
• API String ID: 656457022-1665845743
• Opcode ID: b439fb19ae3465b02ebd950992cb4a744b14adb2a450e0b042c18cab55fb8c87
• Instruction ID: ff0bd8bc459854ab02307a9d414ebdbf05105f90e09557ef227b18f052293c93
• Opcode Fuzzy Hash: b439fb19ae3465b02ebd950992cb4a744b14adb2a450e0b042c18cab55fb8c87
• Instruction Fuzzy Hash: 37510872901208AFCB10DF68DC45BAEB7B8EF44314F104669F919E72D2DB71AE04CBA1
APIs
• GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00DDEDF8
• GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00DDEE39
• SHGetValueA.SHLWAPI(80000001,?,PnPInstanceId,00000000,?,00000400), ref: 00DDEEDA
• _strncat.LIBCMT ref: 00DDEF6C
Strings
• PCI, xrefs: 00DDEEEC
• %02X%02X%02X%02X%02X%02X, xrefs: 00DDEF46
• PnPInstanceId, xrefs: 00DDEEC9
• SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection, xrefs: 00DDEE83
                                                                                                              Similarity
                                                                                                              • API ID: AdaptersInfo$Value_strncat
                                                                                                              • String ID: %02X%02X%02X%02X%02X%02X$PCI$PnPInstanceId$SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection
                                                                                                              • API String ID: 3256633040-189302858
                                                                                                              • Opcode ID: 76cab0d7ae624e3f112404b58e27e3ff3a11c335701d5cec8d22efe5c75f57bd
                                                                                                              • Instruction ID: 629f72d8b209fd16a89692230b6982863f5852dcd5f27495db2c46e1ed8f3347
                                                                                                              • Opcode Fuzzy Hash: 76cab0d7ae624e3f112404b58e27e3ff3a11c335701d5cec8d22efe5c75f57bd
                                                                                                              • Instruction Fuzzy Hash: 705129719413186AD731B7648C42FFA77F8AF45B00F084199FA88FA181EE74AB44CBA5
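The strings attached to this function (a MAC formatted as "%02X%02X%02X%02X%02X%02X", the literal "PCI", the value name "PnPInstanceId" and the path SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection, where the GUID is the Network Adapters setup class) show it walking the adapters returned by GetAdaptersInfo, reading each adapter's Connection\PnPInstanceId and comparing it against "PCI". The Python below is an added example, not code from the sample or the report, that redoes that computation offline on constructed adapter records. That the routine keeps only PCI-enumerated adapters and concatenates their formatted MACs into a fingerprint is an assumption made here from the strings, not something the report confirms; the hypervisor vendor IDs are included because a plain "PCI" prefix check does not separate physical hosts from VMware, KVM or VirtualBox guests, whose NICs are PCI devices too.

```python
"""Adapter fingerprint as the strings above suggest it is computed.

Added example, not code from the sample or the report. The records in
SAMPLE_ADAPTERS are constructed for the demo. On a live host the
PnPInstanceId would be read with winreg from connection_key(guid); that
step is left out so the module runs anywhere.
"""
import re
from typing import Dict, List, NamedTuple, Optional

NETWORK_CLASS_GUID = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
CONNECTION_KEY_FMT = r"SYSTEM\CurrentControlSet\Control\Network\%s\%s\Connection"

# PCI vendor IDs that appear only on hypervisor-provided NICs.
HYPERVISOR_PCI_VENDORS = {"15AD": "VMware", "1AF4": "virtio (QEMU/KVM)", "80EE": "VirtualBox"}


class Adapter(NamedTuple):
    guid: str               # adapter GUID, the %s in the registry path
    mac: bytes              # 6-byte hardware address from GetAdaptersInfo
    pnp_instance_id: str    # Connection\PnPInstanceId value


def connection_key(guid: str) -> str:
    """Registry path the routine formats for one adapter."""
    return CONNECTION_KEY_FMT % (NETWORK_CLASS_GUID, guid)


def format_mac(mac: bytes) -> str:
    """Same 12-hex-digit form as the "%02X..." format string."""
    if len(mac) != 6:
        raise ValueError("expected a 6-byte MAC")
    return "%02X%02X%02X%02X%02X%02X" % tuple(mac)


def enumerator(pnp_instance_id: str) -> str:
    """Bus enumerator prefix of a PnP instance ID: PCI, USB, VMBUS, ROOT, SWD, ..."""
    return pnp_instance_id.split("\\", 1)[0].upper()


def pci_vendor(pnp_instance_id: str) -> Optional[str]:
    """VEN_xxxx from a PCI instance ID, None for non-PCI devices."""
    m = re.match(r"PCI\\VEN_([0-9A-Fa-f]{4})", pnp_instance_id)
    return m.group(1).upper() if m else None


def pci_adapter_fingerprint(adapters: List[Adapter]) -> str:
    """Concatenated MACs of PCI-enumerated adapters (assumed routine output)."""
    return "".join(format_mac(a.mac) for a in adapters
                   if enumerator(a.pnp_instance_id) == "PCI")


def hypervisor_hints(adapters: List[Adapter]) -> Dict[str, str]:
    """PCI adapters whose vendor ID gives away a hypervisor."""
    hints: Dict[str, str] = {}
    for a in adapters:
        vendor = pci_vendor(a.pnp_instance_id)
        if vendor in HYPERVISOR_PCI_VENDORS:
            hints[a.guid] = HYPERVISOR_PCI_VENDORS[vendor]
    return hints


# Constructed records: a vmxnet3 NIC, a physical Intel NIC, a Hyper-V
# synthetic NIC (VMBUS, not PCI) and a software VPN adapter (ROOT).
SAMPLE_ADAPTERS = [
    Adapter("{A1B2C3D4-0000-4000-8000-000000000001}", bytes.fromhex("005056A1B2C3"),
            r"PCI\VEN_15AD&DEV_07B0&SUBSYS_07B015AD&REV_01\4&1234ABCD&0&00E0"),
    Adapter("{A1B2C3D4-0000-4000-8000-000000000002}", bytes.fromhex("3C7C3F0A0B0C"),
            r"PCI\VEN_8086&DEV_15B8&SUBSYS_00008086&REV_00\3&11583659&0&FE"),
    Adapter("{A1B2C3D4-0000-4000-8000-000000000003}", bytes.fromhex("00155D010203"),
            r"VMBUS\{F8615163-DF3E-46C5-913F-F2D2F965ED0E}\{A1B2C3D4-0000-4000-8000-000000000003}"),
    Adapter("{A1B2C3D4-0000-4000-8000-000000000004}", bytes.fromhex("0A0B0C0D0E0F"),
            r"ROOT\VPNADAPTER\0000"),
]

if __name__ == "__main__":
    for a in SAMPLE_ADAPTERS:
        print(connection_key(a.guid), "->", enumerator(a.pnp_instance_id), format_mac(a.mac))
    print("fingerprint:", pci_adapter_fingerprint(SAMPLE_ADAPTERS))
    print("hypervisor hints:", hypervisor_hints(SAMPLE_ADAPTERS))
```

Run on the constructed records, only the two PCI adapters contribute to the fingerprint, and the VMware vendor ID on the first one is what an analyst should expect a sandbox-aware sample to be able to see even though that adapter passes a "PCI" test.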
                                                                                                              APIs
                                                                                                              • GetProcessHeap.KERNEL32(?,?,00DC98F2,00000000,?,00000000), ref: 00DDE034
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,80000000,00000000,00000000,?,00000000,?,?,00DC98F2,00000000,?,00000000), ref: 00DDE097
                                                                                                              • HeapAlloc.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00DC98F2,00000000,?,00000000), ref: 00DDE0AF
                                                                                                              • SetLastError.KERNEL32(00000008,?,00000000,?,?,00DC98F2,00000000,?,00000000), ref: 00DDE0C2
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000,?,?,00DC98F2,00000000,?,00000000), ref: 00DDE0DE
                                                                                                              • GetLastError.KERNEL32(?,00000000,?,?,00DC98F2,00000000,?,00000000), ref: 00DDE0E8
                                                                                                              • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00DC98F2,00000000,?,00000000), ref: 00DDE0F8
                                                                                                              • SetLastError.KERNEL32(00000000,?,00000000,?,?,00DC98F2,00000000,?,00000000), ref: 00DDE0FF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorHeapLast$ByteCharMultiWide$AllocFreeProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 1914750029-0
                                                                                                              • Opcode ID: 45e426e2745715b33627b486d4f09e6dfc287ca701b7ac249ea63b9fdf598926
                                                                                                              • Instruction ID: a6fce1ab59eb75b0d455c51a11de62cf87a0412dfbee2c504d55fa39e7015c90
                                                                                                              • Opcode Fuzzy Hash: 45e426e2745715b33627b486d4f09e6dfc287ca701b7ac249ea63b9fdf598926
                                                                                                              • Instruction Fuzzy Hash: C131C036341205AFE7205B59EC49BBA77A9EBC8721F18412AFA1DDE2A0CB71DC048770
                                                                                                              APIs
                                                                                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000), ref: 00E42901
                                                                                                                • Part of subcall function 00DF4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF4167
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8FileFindFirstThrow
                                                                                                              • String ID: .$//*
                                                                                                              • API String ID: 3642325601-1832234615
                                                                                                              • Opcode ID: 5c368a05cc3efe5613342cb349213ce5d1fd18f7a90c2f89ebe137a761de7c7b
                                                                                                              • Instruction ID: 620db12d46cd8ae2ccc87713e4db28e589269e1c1d9c122f1c3f51f0512b2e4a
                                                                                                              • Opcode Fuzzy Hash: 5c368a05cc3efe5613342cb349213ce5d1fd18f7a90c2f89ebe137a761de7c7b
                                                                                                              • Instruction Fuzzy Hash: 52328C31A012198FDB24DF28D888BAEB7B4EF54314F5486EDE919E7291DB31AE44CF50
                                                                                                              APIs
                                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00E40667
                                                                                                              • DeleteFileW.KERNEL32(?), ref: 00E406B3
                                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00E406BD
                                                                                                              • FindClose.KERNEL32(00000000), ref: 00E406C9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileFind$CloseDeleteFirstNext
                                                                                                              • String ID: %s\%s$%s\*.*
                                                                                                              • API String ID: 3592162902-1665845743
                                                                                                              • Opcode ID: fe69784c3abda360d841d36c15f57a2851d9df70bcd4db2666581b99b742579e
                                                                                                              • Instruction ID: b0c21d3e965f9c900804c14871e94ea21fdaff543dd2defb269402b8df75553d
                                                                                                              • Opcode Fuzzy Hash: fe69784c3abda360d841d36c15f57a2851d9df70bcd4db2666581b99b742579e
                                                                                                              • Instruction Fuzzy Hash: 232199B294021CAFC710DB64DC45FEA73BCFB85714F0006A5F919E3191DB35AA54CB94
                                                                                                              APIs
                                                                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?), ref: 00E2AEDF
                                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E2AF33
                                                                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E2AF3D
                                                                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00E2AF49
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileFind$CloseDeleteFirstNext
                                                                                                              • String ID: %s/%s$%s\%s
                                                                                                              • API String ID: 3592162902-413370503
                                                                                                              • Opcode ID: c3108701b8a1b8424834e230ee1d34c66abf231693628736e959a19d9d74e2fb
                                                                                                              • Instruction ID: c3d7562c5e954986b095b73924763b4ab034f4ebfda860df2c0e4a64fa5ac6e7
                                                                                                              • Opcode Fuzzy Hash: c3108701b8a1b8424834e230ee1d34c66abf231693628736e959a19d9d74e2fb
                                                                                                              • Instruction Fuzzy Hash: D71198B690121CAFCB10EB68EC49EEE73BCEB85310F0045A1F918F3142DA31AB54CB65
                                                                                                              APIs
                                                                                                              • InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,00000000,00000000,?,00DC8D4F,00000000,?,00000000,?), ref: 00DC8F54
                                                                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,00000000,00000000,?,00DC8D4F,00000000,?,00000000,?), ref: 00DC8F67
                                                                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000014,00DC8D4F), ref: 00DC8FA4
                                                                                                              • InternetReadFile.WININET(?,?,00002000,?), ref: 00DC8FF5
                                                                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00DC9027
                                                                                                              • CloseHandle.KERNEL32(?), ref: 00DC9070
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$DescriptorSecurity$CloseCreateDaclHandleInitializeInternetReadWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 3104294044-0
                                                                                                              • Opcode ID: 315816a4b9d0940c648d2d0b8dd1235d2e5a9f6744d6c58c5c6a84342dd464a6
                                                                                                              • Instruction ID: 912a39d5f8ca283475cf21906681d9b8772a1dc4252c63c2c04f899efba6011b
                                                                                                              • Opcode Fuzzy Hash: 315816a4b9d0940c648d2d0b8dd1235d2e5a9f6744d6c58c5c6a84342dd464a6
                                                                                                              • Instruction Fuzzy Hash: 18412C71901329DFEB20DF54CC89BA9B7B9BB44710F1541DAA905A7291C7709E84DFA0
                                                                                                              APIs
                                                                                                              • lstrcmpA.KERNEL32(1.3.6.1.4.1.311.2.1.12,?,EEAE26D7,00000000,00000000,?,00DC6CD4,00000000,?), ref: 00DC6F5D
                                                                                                              • CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00DC6F8C
                                                                                                              • LocalAlloc.KERNEL32(00000040,?,?,?,EEAE26D7,00000000,00000000,?,00DC6CD4,00000000,?), ref: 00DC6F9F
                                                                                                              • CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00DC6FCF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CryptDecodeObject$AllocLocallstrcmp
                                                                                                              • String ID: 1.3.6.1.4.1.311.2.1.12
                                                                                                              • API String ID: 3284379815-2596186611
                                                                                                              • Opcode ID: b2002957b69582bb6fca7d2c451060eef5e65cf5ebe32b55464a2ee259027559
                                                                                                              • Instruction ID: c56a54ce09fd239e6085a1dba4c626ee13ceb50b69766821997f1fd0f0216965
                                                                                                              • Opcode Fuzzy Hash: b2002957b69582bb6fca7d2c451060eef5e65cf5ebe32b55464a2ee259027559
                                                                                                              • Instruction Fuzzy Hash: 27418CB1A04206AFCB20CF64C845F6ABBB5FF48710F14856DE85AAB251D772E840DFA0
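The OID this function compares with lstrcmpA and hands to CryptDecodeObject, 1.3.6.1.4.1.311.2.1.12, is SPC_SP_OPUS_INFO_OBJID, the Authenticode SpcSpOpusInfo authenticated attribute that carries the signer-supplied program name and more-info URL; the two CryptDecodeObject calls are the usual size query followed by the decode into the LocalAlloc buffer. The Python below is an added example, not code from the sample or the report: a minimal DER walker that finds that attribute in a PKCS#7 SignerInfo and extracts programName, run here on a signer-info fragment constructed inline. It assumes single-byte DER tags and an OID first arc below 3, which holds for everything in an Authenticode signature.

```python
"""Locate and decode the Authenticode SpcSpOpusInfo attribute in DER.

Added example, not code from the sample or the report. It does offline
what the function above does with CryptDecodeObject: find the attribute
whose type is 1.3.6.1.4.1.311.2.1.12 and read the program name out of it.
SAMPLE_SIGNER_INFO is constructed below for the demo.
"""
from typing import Iterator, Optional, Tuple

SPC_SP_OPUS_INFO_OBJID = "1.3.6.1.4.1.311.2.1.12"   # Microsoft SpcSpOpusInfo
PKCS9_CONTENT_TYPE = "1.2.840.113549.1.9.3"
SPC_INDIRECT_DATA_OBJID = "1.3.6.1.4.1.311.2.1.4"


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a single-byte tag plus DER length."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share a byte
    for arc in arcs[2:]:                            # base 128, high bit = continue
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der(0x06, bytes(body))


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid on the content octets (first arc below 3 assumed)."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def iter_tlv(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, content) for each element in a run of DER elements."""
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated DER header")
        tag, first = data[offset], data[offset + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            nbytes = first & 0x7F
            length = int.from_bytes(data[offset + 2:offset + 2 + nbytes], "big")
            hdr = 2 + nbytes
        start, end = offset + hdr, offset + hdr + length
        if end > len(data):
            raise ValueError("truncated DER element")
        yield tag, data[start:end]
        offset = end


def find_attribute(blob: bytes, oid: str) -> Optional[bytes]:
    """Content of the SET that follows the first attribute-type OID equal to
    `oid` (Attribute ::= SEQUENCE { type OID, values SET }); b"" if the OID
    is present with no SET after it, None if the OID does not occur."""
    target = encode_oid(oid)[2:]                    # compare content octets only

    def walk(data: bytes) -> Optional[bytes]:
        items = list(iter_tlv(data))
        for i, (tag, content) in enumerate(items):
            if tag == 0x06 and content == target:
                nxt = items[i + 1] if i + 1 < len(items) else None
                return nxt[1] if nxt and nxt[0] == 0x31 else b""
            if tag & 0x20:                          # constructed: descend
                hit = walk(content)
                if hit is not None:
                    return hit
        return None

    return walk(blob)


def opus_program_name(blob: bytes) -> Optional[str]:
    """SpcSpOpusInfo ::= SEQUENCE { programName [0] EXPLICIT SpcString OPTIONAL, ... }
    SpcString ::= CHOICE { unicode [0] IMPLICIT BMPSTRING, ascii [1] IMPLICIT IA5String }"""
    values = find_attribute(blob, SPC_SP_OPUS_INFO_OBJID)
    if not values:
        return None
    for _, opus in iter_tlv(values):                # SET OF SpcSpOpusInfo
        for tag, field in iter_tlv(opus):           # SEQUENCE fields
            if tag == 0xA0:                         # programName [0] EXPLICIT
                for stag, s in iter_tlv(field):
                    if stag == 0x80:                # unicode: UTF-16BE
                        return s.decode("utf-16-be")
                    if stag == 0x81:                # ascii
                        return s.decode("ascii")
    return None


# Constructed SignerInfo-like fragment: version INTEGER plus the
# authenticatedAttributes [0] IMPLICIT SET holding contentType and
# SpcSpOpusInfo with programName "Example Program". Demo data only.
SAMPLE_SIGNER_INFO = der(0x30,
    der(0x02, b"\x01")
    + der(0xA0,
        der(0x30, encode_oid(PKCS9_CONTENT_TYPE)
                  + der(0x31, encode_oid(SPC_INDIRECT_DATA_OBJID)))
        + der(0x30, encode_oid(SPC_SP_OPUS_INFO_OBJID)
                  + der(0x31, der(0x30, der(0xA0,
                        der(0x80, "Example Program".encode("utf-16-be"))))))))

if __name__ == "__main__":
    print(encode_oid(SPC_SP_OPUS_INFO_OBJID).hex())
    print(opus_program_name(SAMPLE_SIGNER_INFO))
```

On a real PE, feed find_attribute the DER of the WIN_CERTIFICATE blob from the security directory rather than the whole file; the attribute sits inside SignerInfo.authenticatedAttributes, which is where the walker above finds it in the constructed fragment.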
                                                                                                              APIs
                                                                                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00ED1465,?,00000000), ref: 00ED11DF
                                                                                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00ED1465,?,00000000), ref: 00ED1208
                                                                                                              • GetACP.KERNEL32(?,?,00ED1465,?,00000000), ref: 00ED121D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoLocale
                                                                                                              • String ID: ACP$OCP
                                                                                                              • API String ID: 2299586839-711371036
                                                                                                              • Opcode ID: 34a9d463153c9051eaa9c3313f35faf8e3e38fbd16458914ae3c7f98ad67c10b
                                                                                                              • Instruction ID: d4072990396f323432eb020b67e38edf17b80b6285f962e71d71ea7b702c2c1a
                                                                                                              • Opcode Fuzzy Hash: 34a9d463153c9051eaa9c3313f35faf8e3e38fbd16458914ae3c7f98ad67c10b
                                                                                                              • Instruction Fuzzy Hash: 9F21BB22B01101BAE7308F54D900AE773A7EF58B58B5691A6EA09FB311E733DD43D350
APIs
• SystemParametersInfoW.USER32(00000068,00000000,?,00000000), ref: 00E0AEDA
• SystemParametersInfoW.USER32(0000006C,00000000,?,00000000), ref: 00E0AEE6
• SetScrollInfo.USER32(0000001C,00000000,0000001C,00000001), ref: 00E0AF72
• SetScrollInfo.USER32(?,00000001,00000010,00000001), ref: 00E0AFC5
• ScrollWindowEx.USER32(?,?,?,00000000,00000000,00000000,00000000,?), ref: 00E0B00B
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Info$Scroll$ParametersSystem$Window
• String ID:
• API String ID: 128421252-0
• Opcode ID: afb666d8a6535577f35fc286ec3c7377ceb80858536aa31663aa1bc204239247
• Instruction ID: 40b5bee9811c84e97f4c25a19223f70d57dab1d8fc4cae48ae7ec3b925bb561b
• Opcode Fuzzy Hash: afb666d8a6535577f35fc286ec3c7377ceb80858536aa31663aa1bc204239247
• Instruction Fuzzy Hash: FD822D71E002199FDF15CFA8D941BAEBBF5FF48700F14822AE905BB694D771A991CB80
APIs
• CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00E0071A
• GetWindowRgn.USER32(?,00000000), ref: 00E00728
• PtInRegion.GDI32(?,00000000,00000000,?,00000000), ref: 00E00876
• PtInRegion.GDI32(?,?,00000000), ref: 00E008C6
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Region$CreateRectWindow
• String ID:
• API String ID: 1620756862-0
• Opcode ID: 316c4b1eed35c7a4775c2c07d157bb92bcabc09ebc9e3f35ba2cfc66e22581c3
• Instruction ID: d0f7301b5d2619eab4c327584f3829186317e7270bf1f88d722b7030e19666d4
• Opcode Fuzzy Hash: 316c4b1eed35c7a4775c2c07d157bb92bcabc09ebc9e3f35ba2cfc66e22581c3
• Instruction Fuzzy Hash: 1F624C716087518FC708CF28C49062AFBE1FFC9344F159A6DE895AB351D731E986CB92
APIs
• lstrcpynW.KERNEL32(?,?,00000104,EEAE26D7), ref: 00DC6C30
• CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00DC6C73
• CryptMsgGetParam.CRYPT32(00000000,00000006,00000000,00000000,?), ref: 00DC6C8E
• LocalAlloc.KERNEL32(00000040,?), ref: 00DC6CA0
• CryptMsgGetParam.CRYPT32(00000000,00000006,00000000,00000000,?), ref: 00DC6CC3
  • Part of subcall function 00DC6F00: lstrcmpA.KERNEL32(1.3.6.1.4.1.311.2.1.12,?,EEAE26D7,00000000,00000000,?,00DC6CD4,00000000,?), ref: 00DC6F5D
  • Part of subcall function 00DC6F00: CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00DC6F8C
  • Part of subcall function 00DC6F00: LocalAlloc.KERNEL32(00000040,?,?,?,EEAE26D7,00000000,00000000,?,00DC6CD4,00000000,?), ref: 00DC6F9F
  • Part of subcall function 00DC6F00: CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00DC6FCF
  • Part of subcall function 00DC6D60: CertFindCertificateInStore.CRYPT32(?,00010001,00000000,000B0000,EEAE26D7,00000000), ref: 00DC6DD7
  • Part of subcall function 00DC6D60: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00DC6E00
  • Part of subcall function 00DC6D60: CertGetNameStringW.CRYPT32(00000000,00000004,00000001,00000000,00000000,00000000), ref: 00DC6E31
  • Part of subcall function 00DC6D60: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00DC6E46
  • Part of subcall function 00DC6D60: CertGetNameStringW.CRYPT32(00000000,00000004,00000001,00000000,00000000,00000000,?,00001000,00000004), ref: 00DC6E5F
  • Part of subcall function 00DC6D60: CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 00DC6E7F
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Crypt$AllocCert$NameObjectString$DecodeLocalParamVirtual$CertificateFindQueryStorelstrcmplstrcpyn
• String ID:
• API String ID: 1492655826-0
• Opcode ID: 3a1e7917cf91a18eeeed4f75554a34964def5e1ce351ee5ecf72d6ea5845a650
• Instruction ID: 4ffb0b42166a7e005593da3e084eb17b5a322a43a5fb48a072eb1ddbd80fb2d7
• Opcode Fuzzy Hash: 3a1e7917cf91a18eeeed4f75554a34964def5e1ce351ee5ecf72d6ea5845a650
• Instruction Fuzzy Hash: 42314FB2901219BBDB209F95DD49FABBBBCFB44B10F10419AF509E6190DB35DA84CF60
APIs
  • Part of subcall function 00EC3000: GetLastError.KERNEL32(?,?,00E92F0B,?,?,?,00E8F0D7,?,?,?,?), ref: 00EC3004
  • Part of subcall function 00EC3000: _free.LIBCMT ref: 00EC3037
  • Part of subcall function 00EC3000: SetLastError.KERNEL32(00000000,?,?,?), ref: 00EC3078
  • Part of subcall function 00EC3000: _abort.LIBCMT ref: 00EC307E
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00EBE6C0,?,?,?,?,00EBE002,?,00000004), ref: 00ED0AA6
• _wcschr.LIBVCRUNTIME ref: 00ED0B36
• _wcschr.LIBVCRUNTIME ref: 00ED0B44
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00EBE6C0,00000000,00EBE7E0), ref: 00ED0BE7
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
• Opcode ID: 69b688395fca2b55aa4f435cdc6ecc9bfe1604ce6e1c4d0c43ebe275e22e81ab
• Instruction ID: 379c3bfbad311fb3a0109312def168b8a2f5e046a6ad76c73a70dab9e0724caa
• Opcode Fuzzy Hash: 69b688395fca2b55aa4f435cdc6ecc9bfe1604ce6e1c4d0c43ebe275e22e81ab
• Instruction Fuzzy Hash: B5612771A00306AADB25AB75CC42FAB73E8EF44754F18106BF905FB281EA70E942C760
APIs
• GetLastError.KERNEL32 ref: 00DC8B6B
• FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00DC8B86
• OutputDebugStringW.KERNEL32(?), ref: 00DC8B8F
• LocalFree.KERNEL32(?), ref: 00DC8B98
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: DebugErrorFormatFreeLastLocalMessageOutputString
• String ID:
• API String ID: 1629417986-0
• Opcode ID: ec11de78aa1fb536eebb57efdd48dcd2da1cc16c2df0efd16ca03919eda72478
• Instruction ID: 0657d3feedc184972350617433b387ef66db3295c73aea275905fa61925f0de6
• Opcode Fuzzy Hash: ec11de78aa1fb536eebb57efdd48dcd2da1cc16c2df0efd16ca03919eda72478
• Instruction Fuzzy Hash: 1AE0EC71680209FFEB045FA5EC0AFB83B79EB88B51F104114F719A90F1CBB1A945DBA5
APIs
  • Part of subcall function 00EC3000: GetLastError.KERNEL32(?,?,00E92F0B,?,?,?,00E8F0D7,?,?,?,?), ref: 00EC3004
  • Part of subcall function 00EC3000: _free.LIBCMT ref: 00EC3037
  • Part of subcall function 00EC3000: SetLastError.KERNEL32(00000000,?,?,?), ref: 00EC3078
  • Part of subcall function 00EC3000: _abort.LIBCMT ref: 00EC307E
  • Part of subcall function 00EC3000: _free.LIBCMT ref: 00EC305F
  • Part of subcall function 00EC3000: SetLastError.KERNEL32(00000000,?,?,?), ref: 00EC306C
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ED0E21
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ED0E72
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ED0F32
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
• Opcode ID: 132186c849d483a31ab4589a73248d96983b7be596d97fba9ef7fd681880f36f
• Instruction ID: 4658dd29ad49e255e4a97f4f1b39500b6375bc1b850ebfebd0bf07a265cb2f31
• Opcode Fuzzy Hash: 132186c849d483a31ab4589a73248d96983b7be596d97fba9ef7fd681880f36f
• Instruction Fuzzy Hash: 1661B371600207EFEB389F24CD82BBA77A8EF04314F2450AAED05E6645E775DE82DB50
                                                                                                              APIs
                                                                                                              • LoadResource.KERNEL32(00DF51A2,?,00000000,?,00DF51A2,00000000,00000000,?), ref: 00DF604A
                                                                                                              • LockResource.KERNEL32(00000000,?,00DF51A2,00000000,00000000,?), ref: 00DF6055
                                                                                                              • SizeofResource.KERNEL32(00DF51A2,?,?,00DF51A2,00000000,00000000,?), ref: 00DF6067
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Resource$LoadLockSizeof
                                                                                                              • String ID:
                                                                                                              • API String ID: 2853612939-0
                                                                                                              • Opcode ID: d8ae28c54fc30f7558de938c551903aab1520e288598af537b6af968a3c395ef
                                                                                                              • Instruction ID: fa8b606df96841aeb569659383534515081f35e17a7012c89958e87e882f8bc7
                                                                                                              • Opcode Fuzzy Hash: d8ae28c54fc30f7558de938c551903aab1520e288598af537b6af968a3c395ef
                                                                                                              • Instruction Fuzzy Hash: 1DF0C83250022A9BCF315FA5DC044B97B69EF4035571A8929FE5D96524DA71EC50C7D0
                                                                                                              APIs
                                                                                                              • LocalFree.KERNEL32(00000000,00DC6CFB), ref: 00DC6D2A
                                                                                                              • CertCloseStore.CRYPT32(00000000,00000000), ref: 00DC6D3D
                                                                                                              • CryptMsgClose.CRYPT32(00000000), ref: 00DC6D4E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Close$CertCryptFreeLocalStore
                                                                                                              • String ID:
                                                                                                              • API String ID: 361375584-0
                                                                                                              • Opcode ID: edb64992fc422ac55a1bdb79a96610c616628d0c15c677bde293891fa631400c
                                                                                                              • Instruction ID: 1981e51eecd06263ab45d2e2960359b09789e384e5bbc6c58f020d7a7c14682d
                                                                                                              • Opcode Fuzzy Hash: edb64992fc422ac55a1bdb79a96610c616628d0c15c677bde293891fa631400c
                                                                                                              • Instruction Fuzzy Hash: AED06770B02621ABDE205B66AC4CF6A7778AB44B01F180554A906F7250DB34DD48D974
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _strncat
                                                                                                              • String ID: %08X%08X%08X%08X
                                                                                                              • API String ID: 2648904263-2755470124
                                                                                                              • Opcode ID: d4d42d17edb0706f2d8bfc60b187f65230e0b0e7a0026f1ba3cc836cc5308e5b
                                                                                                              • Instruction ID: cec5192a55cc27a5dc9ac9e04b5f87836499a88efb616fef76cd9bab6d32f3ba
                                                                                                              • Opcode Fuzzy Hash: d4d42d17edb0706f2d8bfc60b187f65230e0b0e7a0026f1ba3cc836cc5308e5b
                                                                                                              • Instruction Fuzzy Hash: 4E11E671D04348ABDB01AFA99C82A9EFBB4FF49714F104229FD0467281EB7169518795
                                                                                                              APIs
                                                                                                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00EBD14A,?,?,00000008,?,?,00ED90D1,00000000), ref: 00EBD37C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionRaise
                                                                                                              • String ID:
                                                                                                              • API String ID: 3997070919-0
                                                                                                              • Opcode ID: 18e98eb820b38dc0a67cc035476eea9b7bf7911480db29ac68224d22d5387086
                                                                                                              • Instruction ID: cbfd6c95eb9e205778b6b11f5cbf8216aa94d5d635cbd83d35f3b07713e12287
                                                                                                              • Opcode Fuzzy Hash: 18e98eb820b38dc0a67cc035476eea9b7bf7911480db29ac68224d22d5387086
                                                                                                              • Instruction Fuzzy Hash: 14B17031514608DFD719CF28C88ABA67BE0FF45368F259658E8D9DF2A2D335E981CB40
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: <
                                                                                                              • API String ID: 0-4251816714
                                                                                                              • Opcode ID: 1ea769136b40e0300f3415f306df6396d3dde34a2cc32486e08479f2690c77f3
                                                                                                              • Instruction ID: 5c7d1ed99daec191980b90f6805034a0fc47b6085df3a810ea5c15df1406f378
                                                                                                              • Opcode Fuzzy Hash: 1ea769136b40e0300f3415f306df6396d3dde34a2cc32486e08479f2690c77f3
                                                                                                              • Instruction Fuzzy Hash: 02027B71A002099FCB15CF68C485A9ABBF1FF89344F19926AEC05BB356D770E991CB90
                                                                                                              APIs
                                                                                                                • Part of subcall function 00EC3000: GetLastError.KERNEL32(?,?,00E92F0B,?,?,?,00E8F0D7,?,?,?,?), ref: 00EC3004
                                                                                                                • Part of subcall function 00EC3000: _free.LIBCMT ref: 00EC3037
                                                                                                                • Part of subcall function 00EC3000: SetLastError.KERNEL32(00000000,?,?,?), ref: 00EC3078
                                                                                                                • Part of subcall function 00EC3000: _abort.LIBCMT ref: 00EC307E
                                                                                                                • Part of subcall function 00EC3000: _free.LIBCMT ref: 00EC305F
                                                                                                                • Part of subcall function 00EC3000: SetLastError.KERNEL32(00000000,?,?,?), ref: 00EC306C
                                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00ED1071
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                              • String ID:
                                                                                                              • API String ID: 1663032902-0
                                                                                                              • Opcode ID: 5a95e498e7f188f065d4d58bec7cfee0c3f4fffaae74efbe8d5c0d32ca2aaf97
                                                                                                              • Instruction ID: 045c6d638475e3d46a85e77759c4474a11ad955e7845762e1535c3f126f9c63f
                                                                                                              • Opcode Fuzzy Hash: 5a95e498e7f188f065d4d58bec7cfee0c3f4fffaae74efbe8d5c0d32ca2aaf97
                                                                                                              • Instruction Fuzzy Hash: CB21C832600286EBDB24BB25DC42BBA77E8EF45314F1461BBFD01E6641EB359D86CB50
                                                                                                              APIs
                                                                                                                • Part of subcall function 00EC3000: GetLastError.KERNEL32(?,?,00E92F0B,?,?,?,00E8F0D7,?,?,?,?), ref: 00EC3004
                                                                                                                • Part of subcall function 00EC3000: _free.LIBCMT ref: 00EC3037
                                                                                                                • Part of subcall function 00EC3000: SetLastError.KERNEL32(00000000,?,?,?), ref: 00EC3078
                                                                                                                • Part of subcall function 00EC3000: _abort.LIBCMT ref: 00EC307E
                                                                                                              • EnumSystemLocalesW.KERNEL32(00ED0DCD,00000001,00000000,?,00EBE6B9,?,00ED13FA,00000000,?,?,?), ref: 00ED0D17
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 1084509184-0
                                                                                                              • Opcode ID: b40046916334f198396b332966f8b57f93ed47a230e90517aa79e09c1bc914d1
                                                                                                              • Instruction ID: 0b9a8a8098d64122cf2a837a6f625d6e50461f240563d77c96c98a84ec624bba
                                                                                                              • Opcode Fuzzy Hash: b40046916334f198396b332966f8b57f93ed47a230e90517aa79e09c1bc914d1
                                                                                                              • Instruction Fuzzy Hash: B21106362007015FDB189F7988917BAB792FF80318B18442EE54657740D3717943C740
                                                                                                              APIs
                                                                                                                • Part of subcall function 00EC3000: GetLastError.KERNEL32(?,?,00E92F0B,?,?,?,00E8F0D7,?,?,?,?), ref: 00EC3004
                                                                                                                • Part of subcall function 00EC3000: _free.LIBCMT ref: 00EC3037
                                                                                                                • Part of subcall function 00EC3000: SetLastError.KERNEL32(00000000,?,?,?), ref: 00EC3078
                                                                                                                • Part of subcall function 00EC3000: _abort.LIBCMT ref: 00EC307E
                                                                                                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00ED10C8,00000000,00000000,?), ref: 00ED1279
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 2692324296-0
                                                                                                              • Opcode ID: db7253c1ac4da4a3a3ce63581d9b22522ff503ec7d57bc17fd3d982d93723724
                                                                                                              • Instruction ID: 8da63294e35105aec24036da4416775338ad6325929fddaa4f3aaa85beee4815
                                                                                                              • Opcode Fuzzy Hash: db7253c1ac4da4a3a3ce63581d9b22522ff503ec7d57bc17fd3d982d93723724
                                                                                                              • Instruction Fuzzy Hash: DFF0F932A40115BBDB245A648946BFA7768EB40358F0445AAEC49F3350EA72BD03D6D0
                                                                                                              APIs
                                                                                                                • Part of subcall function 00EC3000: GetLastError.KERNEL32(?,?,00E92F0B,?,?,?,00E8F0D7,?,?,?,?), ref: 00EC3004
                                                                                                                • Part of subcall function 00EC3000: _free.LIBCMT ref: 00EC3037
                                                                                                                • Part of subcall function 00EC3000: SetLastError.KERNEL32(00000000,?,?,?), ref: 00EC3078
                                                                                                                • Part of subcall function 00EC3000: _abort.LIBCMT ref: 00EC307E
                                                                                                                • Part of subcall function 00EC3000: _free.LIBCMT ref: 00EC305F
                                                                                                                • Part of subcall function 00EC3000: SetLastError.KERNEL32(00000000,?,?,?), ref: 00EC306C
                                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00EBE6C0,00000000,00EBE7E0), ref: 00ED0BE7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                              • String ID:
                                                                                                              • API String ID: 1663032902-0
                                                                                                              • Opcode ID: 1e99fbcfa3e7f42719e23c9956bab601f38ebac9e032c82b80e44c396161fa63
                                                                                                              • Instruction ID: b8ce1b635a2ea83ef6776deeaceb5c596d3435fda96bc110faff3d95dc89f1dd
                                                                                                              • Opcode Fuzzy Hash: 1e99fbcfa3e7f42719e23c9956bab601f38ebac9e032c82b80e44c396161fa63
                                                                                                              • Instruction Fuzzy Hash: 44F0D132A40109ABC724AB78EC06ABA73ECDB45311F1011BEAA06A7241EA35AD068790
                                                                                                              APIs
                                                                                                                • Part of subcall function 00EC3000: GetLastError.KERNEL32(?,?,00E92F0B,?,?,?,00E8F0D7,?,?,?,?), ref: 00EC3004
                                                                                                                • Part of subcall function 00EC3000: _free.LIBCMT ref: 00EC3037
                                                                                                                • Part of subcall function 00EC3000: SetLastError.KERNEL32(00000000,?,?,?), ref: 00EC3078
                                                                                                                • Part of subcall function 00EC3000: _abort.LIBCMT ref: 00EC307E
                                                                                                              • EnumSystemLocalesW.KERNEL32(00ED101D,00000001,00000008,?,00EBE6B9,?,00ED13BE,00EBE6B9,?,?,?,?,?,00EBE6B9,?,?), ref: 00ED0D8C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 1084509184-0
                                                                                                              • Opcode ID: 8feb5fc41afe3c28db0ba50c6e2d17a96c66a9ba387bff018dd4a48510cabe06
                                                                                                              • Instruction ID: b95515de3c9f4b0d0836b69e3b39ce9adb1a8aa42e21fa78d0b40f13e1d5a8e2
                                                                                                              • Opcode Fuzzy Hash: 8feb5fc41afe3c28db0ba50c6e2d17a96c66a9ba387bff018dd4a48510cabe06
                                                                                                              • Instruction Fuzzy Hash: 97F0C2362003056FDB145F799895B7A7B96EF8036CF09842EF9459B690D6B2AC43C640
                                                                                                              APIs
                                                                                                                • Part of subcall function 00EBF82E: EnterCriticalSection.KERNEL32(?,?,00EBC6ED,00E04118,00F3BCB0,0000000C), ref: 00EBF83D
                                                                                                              • EnumSystemLocalesW.KERNEL32(00EC1059,00000001,00F3BDF8,0000000C), ref: 00EC10EF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                              • String ID:
                                                                                                              • API String ID: 1272433827-0
                                                                                                              • Opcode ID: 55f21ea4474e8227aa12b2856998aef813709c87fc73a67c0acd417699eb2b67
                                                                                                              • Instruction ID: 82c1fc4f77a19d209d38ac13dc5ddced8c0b37ed8487655c5b352a997f52da23
                                                                                                              • Opcode Fuzzy Hash: 55f21ea4474e8227aa12b2856998aef813709c87fc73a67c0acd417699eb2b67
                                                                                                              • Instruction Fuzzy Hash: B1F04F76650308EFDB10EF68E846B5D37E0BB06721F005159F914EB2E2CB7989409F45
                                                                                                              APIs
                                                                                                                • Part of subcall function 00EC3000: GetLastError.KERNEL32(?,?,00E92F0B,?,?,?,00E8F0D7,?,?,?,?), ref: 00EC3004
                                                                                                                • Part of subcall function 00EC3000: _free.LIBCMT ref: 00EC3037
                                                                                                                • Part of subcall function 00EC3000: SetLastError.KERNEL32(00000000,?,?,?), ref: 00EC3078
                                                                                                                • Part of subcall function 00EC3000: _abort.LIBCMT ref: 00EC307E
                                                                                                              • EnumSystemLocalesW.KERNEL32(00ED0B93,00000001,00000008,?,?,00ED141C,00EBE6B9,?,?,?,?,?,00EBE6B9,?,?,?), ref: 00ED0C73
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 1084509184-0
                                                                                                              • Opcode ID: ecb161d19ee68f00fed2e0e428e80c37db8de149a634e29f7b76907ab34bd6c2
                                                                                                              • Instruction ID: e43796a97b07fc2bcece4d1b8771104f606acabdc1642f37277aa9f3b1cf9ad8
                                                                                                              • Opcode Fuzzy Hash: ecb161d19ee68f00fed2e0e428e80c37db8de149a634e29f7b76907ab34bd6c2
                                                                                                              • Instruction Fuzzy Hash: 70F0E53A70020557CB04DF35D865B6ABF95EFC1718F0A406EEA099B351C6B29943C7D0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0
                                                                                                              • API String ID: 0-4108050209
                                                                                                              • Opcode ID: d713f5b8f8ef851fe19af728ebab7b15270f75e36a15916d0212b2ecc52453b2
                                                                                                              • Instruction ID: 36214f492156d3870352b33a9ce7601ae16c9b7ae4d9e82a55f58799b3797039
                                                                                                              • Opcode Fuzzy Hash: d713f5b8f8ef851fe19af728ebab7b15270f75e36a15916d0212b2ecc52453b2
                                                                                                              • Instruction Fuzzy Hash: 82516971601B08A6DF384BA98B56BFE63D99B1330CF18350AD882F72B2DE15DD038315
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d6826bcd6ada147e4ca7756a962adb59d195d692811617d672eb730d90662d48
                                                                                                              • Instruction ID: f11ad353b94c6edb786b43a887e5c48fcce298014972f04082833cde45735b77
                                                                                                              • Opcode Fuzzy Hash: d6826bcd6ada147e4ca7756a962adb59d195d692811617d672eb730d90662d48
                                                                                                              • Instruction Fuzzy Hash: 8E920F39A1006D9FCF04CF5DECD08BEB3B0F75A301785455AEA4297391CA75EA16EB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7f2eeb6a963692540725b7ebf77cfa924b90c25e2717eed13cd1771c0dc5764c
                                                                                                              • Instruction ID: 5be0be99e8ac5141ec9a66c4d9948d0391d7288ebdecbbebe64fb040db591ca8
                                                                                                              • Opcode Fuzzy Hash: 7f2eeb6a963692540725b7ebf77cfa924b90c25e2717eed13cd1771c0dc5764c
                                                                                                              • Instruction Fuzzy Hash: 4522A2B3F505244BDB1CCA19CCA27ECB2E3ABD4214F0E80BD954EE3745EA789D958A44
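Added worked example (not part of the Joe Sandbox report): the Similarity records above repeat the same seven bullet fields for every disassembled function, which makes them easy to parse and cluster. The script below reads that layout, keys each function by its API String ID and Opcode ID, and reports Opcode IDs that recur under different Instruction IDs (the same opcode sequence with different operands, as the two 7f2eeb6a... entries on this page show). The field names are taken from the page layout; the sample input is constructed from values on this page, and the header skipping assumes the report always introduces a record with a bare "Similarity" line.

```python
import re
from collections import defaultdict

# Constructed sample input in the layout used on this page (hash values copied
# from the page's own entries). The leading Memory Dump Source / IDA Plugin
# bullets are included to show that only Similarity fields are collected.
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 8feb5fc41afe3c28db0ba50c6e2d17a96c66a9ba387bff018dd4a48510cabe06
• Instruction ID: b95515de3c9f4b0d0836b69e3b39ce9adb1a8aa42e21fa78d0b40f13e1d5a8e2
• Opcode Fuzzy Hash: 8feb5fc41afe3c28db0ba50c6e2d17a96c66a9ba387bff018dd4a48510cabe06
• Instruction Fuzzy Hash: 97F0C2362003056FDB145F799895B7A7B96EF8036CF09842EF9459B690D6B2AC43C640
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: ecb161d19ee68f00fed2e0e428e80c37db8de149a634e29f7b76907ab34bd6c2
• Instruction ID: e43796a97b07fc2bcece4d1b8771104f606acabdc1642f37277aa9f3b1cf9ad8
• Opcode Fuzzy Hash: ecb161d19ee68f00fed2e0e428e80c37db8de149a634e29f7b76907ab34bd6c2
• Instruction Fuzzy Hash: 70F0E53A70020557CB04DF35D865B6ABF95EFC1718F0A406EEA099B351C6B29943C7D0
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f2eeb6a963692540725b7ebf77cfa924b90c25e2717eed13cd1771c0dc5764c
• Instruction ID: 5be0be99e8ac5141ec9a66c4d9948d0391d7288ebdecbbebe64fb040db591ca8
• Opcode Fuzzy Hash: 7f2eeb6a963692540725b7ebf77cfa924b90c25e2717eed13cd1771c0dc5764c
• Instruction Fuzzy Hash: 4522A2B3F505244BDB1CCA19CCA27ECB2E3ABD4214F0E80BD954EE3745EA789D958A44
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f2eeb6a963692540725b7ebf77cfa924b90c25e2717eed13cd1771c0dc5764c
• Instruction ID: 701ce847989a299b6d1e9ed573af73b9d0fe3c8d6930ee7903a60edd88ed568f
• Opcode Fuzzy Hash: 7f2eeb6a963692540725b7ebf77cfa924b90c25e2717eed13cd1771c0dc5764c
"""

# One bullet field: "• Key: value" (value may be empty, e.g. "• String ID:").
FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")


def parse_similarity_records(text):
    """Return one dict per 'Similarity' block, keyed by the bullet field names.

    A bare 'Similarity' line opens a record; any other non-bullet line
    (Memory Dump Source, APIs, Joe Sandbox IDA Plugin, ...) closes it, so
    bullets belonging to those sections are never mixed into a record.
    Empty values are kept as '' to distinguish 'no API string' from 'missing'.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Similarity":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m is None:
            current = None          # left the Similarity section
            continue
        if current is not None:
            current[m.group(1)] = m.group(2).strip()
    return records


def group_by(records, field):
    """Map each distinct non-empty value of `field` to the records carrying it."""
    groups = defaultdict(list)
    for rec in records:
        value = rec.get(field, "")
        if value:
            groups[value].append(rec)
    return dict(groups)


def opcode_variants(records):
    """Opcode IDs seen in more than one function -> sorted distinct Instruction IDs.

    Same opcode hash with different instruction hashes means the same code
    shape with different operands: a routine duplicated or inlined in the
    binary rather than two unrelated functions.
    """
    return {
        opcode_id: sorted({r.get("Instruction ID", "") for r in recs})
        for opcode_id, recs in group_by(records, "Opcode ID").items()
        if len(recs) > 1
    }


if __name__ == "__main__":
    recs = parse_similarity_records(SAMPLE_REPORT)
    print(f"{len(recs)} function records parsed")
    for api_sid, group in group_by(recs, "API String ID").items():
        print(f"API String ID {api_sid}: {len(group)} function(s)")
    for opcode_id, instr_ids in opcode_variants(recs).items():
        print(f"Opcode ID {opcode_id[:16]}... seen with {len(instr_ids)} Instruction IDs")
```

Feed it the saved report text instead of SAMPLE_REPORT to cluster every function in the dump; grouping by API String ID pulls together the CRT locale helpers (the repeated ErrorLast$... entries), while opcode_variants flags code that was duplicated in the binary.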
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7f2eeb6a963692540725b7ebf77cfa924b90c25e2717eed13cd1771c0dc5764c
                                                                                                              • Instruction ID: 701ce847989a299b6d1e9ed573af73b9d0fe3c8d6930ee7903a60edd88ed568f
                                                                                                              • Opcode Fuzzy Hash: 7f2eeb6a963692540725b7ebf77cfa924b90c25e2717eed13cd1771c0dc5764c
                                                                                                              • Instruction Fuzzy Hash: D222A2B3F505244BDB1CCA19CCA27ECB2E3ABD4314F0E80BD954EE3745EA789D958A44
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4fc8688b52408f95d1a770a8b1a2c7ac86f34a299e4f630302fcc5b0137de4a4
                                                                                                              • Instruction ID: af25cbf13b27c1f04a8799288279d707388c8a8cbde77fa862d8229132721648
                                                                                                              • Opcode Fuzzy Hash: 4fc8688b52408f95d1a770a8b1a2c7ac86f34a299e4f630302fcc5b0137de4a4
                                                                                                              • Instruction Fuzzy Hash: 49022AB1A006059FCB50CF69D981A8AB7F4FF48314B548A6DE84AC7B11E731F955CFA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8ab35607f72ea5a58432516cfdbb39ab3ce010c897abde8142ceb1faf4c678cf
                                                                                                              • Instruction ID: c406d306b37b7d19c0d47c50968078d016641f82232b912be8ec323e60c6d624
                                                                                                              • Opcode Fuzzy Hash: 8ab35607f72ea5a58432516cfdbb39ab3ce010c897abde8142ceb1faf4c678cf
                                                                                                              • Instruction Fuzzy Hash: 34E12F71D152599FC706CB3B85801A9FBB1BF9E204B2CE796E414BA192F330A5C5EF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 92e3bc9ea4b605e1ea5e1cc12fee00ca9b5236cba62e6724e19dd52b572f9668
                                                                                                              • Instruction ID: 7ea72702efe479a1e20ba06ce9d8525247306d3492830dacfdf40c213488c3a4
                                                                                                              • Opcode Fuzzy Hash: 92e3bc9ea4b605e1ea5e1cc12fee00ca9b5236cba62e6724e19dd52b572f9668
                                                                                                              • Instruction Fuzzy Hash: 49C109B190060A9FC720DF69C98099AB7F4FF483147548A6EE85ACBB11E331F955CFA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2055fbaa702d9fa0466057b97908da08e1295634454a6652cad7b9d23d106c9b
                                                                                                              • Instruction ID: 1657b10690f238bf97a2cab9fd2ce6243b183d7277b6a91fd0ad8e8922ffcc29
                                                                                                              • Opcode Fuzzy Hash: 2055fbaa702d9fa0466057b97908da08e1295634454a6652cad7b9d23d106c9b
                                                                                                              • Instruction Fuzzy Hash: E9616A71600708A6DE3C99688B51BFE23D8AB43748FD4341AE987FB2B1DE15DD418366
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 86ebf7f7d5e7a3456c243a82ec778ddd8d1a0eabe1bf4e71651b31e83cf9c5b6
                                                                                                              • Instruction ID: 1d155080148a5767118608c788a20d7b9d256a8931893485d0eccb80600e453a
                                                                                                              • Opcode Fuzzy Hash: 86ebf7f7d5e7a3456c243a82ec778ddd8d1a0eabe1bf4e71651b31e83cf9c5b6
                                                                                                              • Instruction Fuzzy Hash: CD619BB160070966DE7899288B91BFE73C4DB03718F18391FE982FB2B1EE959D428355
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 644b35e48d840b562212a8b9cd6f4f629b5a2c4e66b96b432b71d14e5b712683
                                                                                                              • Instruction ID: 2e7df48e7b5644bf3c579c9f788123d3cb0b64640c58362ae2252388a7208cee
                                                                                                              • Opcode Fuzzy Hash: 644b35e48d840b562212a8b9cd6f4f629b5a2c4e66b96b432b71d14e5b712683
                                                                                                              • Instruction Fuzzy Hash: BE61687130070D66DE386A2C8A967FE73D6AB53748F14351EE942FB2A2DE16DD82C205
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 04b16c175319c191d9a24a2d6d2c99794a75f465d51cfca071ca4845c73a0f1b
                                                                                                              • Instruction ID: 69cfe3ddc9a496cfea4c68760d6987535b24788873a572c9724bc56c0f2bc82f
                                                                                                              • Opcode Fuzzy Hash: 04b16c175319c191d9a24a2d6d2c99794a75f465d51cfca071ca4845c73a0f1b
                                                                                                              • Instruction Fuzzy Hash: B5513A352082610BD7088F3E5CA02BA7FD2ABA7381F88117DE8C5C7692CA79C506F765
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                              • Instruction ID: 702136257ddd57c1c4958f488238d86a947ef65f637b8344141393069dcf3a40
                                                                                                              • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                              • Instruction Fuzzy Hash: 6A11BD7720108283D604FB7DC8B42FBA785EBC572872C637AE05E6B728C722EB059700
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fb0ee4b9657882b0065da7b46cacd19938d9eefeb88cae0d58c3e9ccbec2cff6
                                                                                                              • Instruction ID: fb3fcb463d1dfc117a6c567200b9b3aa6ff66a0021b8f309317569b08717306a
                                                                                                              • Opcode Fuzzy Hash: fb0ee4b9657882b0065da7b46cacd19938d9eefeb88cae0d58c3e9ccbec2cff6
                                                                                                              • Instruction Fuzzy Hash: A0118134E1021D9BCB00EFA8D8416EEB7F4EF26310F5499AEDC99A7301E6319A41C790
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7d9058c4e28484c4de467aa68e8a84ca278c753296a54c0284597f23a373f1f1
                                                                                                              • Instruction ID: f407728d2beb8100b8e055711760717fb4b55f54d1eabad3ece52ce55226b6c8
                                                                                                              • Opcode Fuzzy Hash: 7d9058c4e28484c4de467aa68e8a84ca278c753296a54c0284597f23a373f1f1
                                                                                                              • Instruction Fuzzy Hash: A20192AAB209560FDF5C842CD4627AA22C343E4212FD18D396D8BCB3C6FE659C564585
                                                                                                              APIs
                                                                                                              • ??0CStdString@DuiLib@@QAE@PB_WH@Z.YCOMUIU(00E34A64,000000FF,EEAE26D7,?,769523D0,?), ref: 00E3645A
                                                                                                              • ??0CStdString@DuiLib@@QAE@PB_WH@Z.YCOMUIU(00E34C64,000000FF,?,769523D0,?), ref: 00E36472
                                                                                                              • ??0CStdString@DuiLib@@QAE@PB_WH@Z.YCOMUIU(00E35464,000000FF,?,769523D0,?), ref: 00E36487
                                                                                                              • ?DeletePtr@CPaintManagerUI@DuiLib@@QAEXPAX@Z.YCOMUIU(00E34A64,?,769523D0,?), ref: 00E36491
                                                                                                              • ?CompareNoCase@CStdString@DuiLib@@QBEHPB_W@Z.YCOMUIU(menuLang,?,769523D0,?), ref: 00E364A8
                                                                                                              • ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU(?,769523D0,?), ref: 00E364B4
                                                                                                                • Part of subcall function 00E53510: ??0CStdString@DuiLib@@QAE@PB_WH@Z.YCOMUIU(769523D0,000000FF,EEAE26D7,?,6C494B50), ref: 00E5354B
                                                                                                                • Part of subcall function 00E53510: ?CompareNoCase@CStdString@DuiLib@@QBEHPB_W@Z.YCOMUIU(menuEn,?,6C494B50), ref: 00E53569
                                                                                                                • Part of subcall function 00E53510: ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(6C494B50), ref: 00E53774
                                                                                                              • ?CompareNoCase@CStdString@DuiLib@@QBEHPB_W@Z.YCOMUIU(menuLogout,?,769523D0,?), ref: 00E364D0
                                                                                                              • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(?,769523D0,?), ref: 00E369F1
                                                                                                              • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(?,769523D0,?), ref: 00E369FD
                                                                                                              • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(?,769523D0,?), ref: 00E36A0C
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$String@$Case@Compare$DeleteManagerPaintPtr@
                                                                                                              • String ID: %s//LOG_%lld.dat$Explorer.exe$LogFile$OnResetPass$menuAbout$menuExportLog$menuLang$menuLicenseCode$menuLogout$menuQQ$menuResetPass$menuSetting$menuShare$menuTrial$menuUpdate$menuUpdateUser$menuUserCenter$open
                                                                                                              • API String ID: 175989753-4156296262
                                                                                                              • Opcode ID: b0a71ccee2cbb966fc89ad4c690a712cbecb84668702148dc925d9c4f0470daf
                                                                                                              • Instruction ID: a77e31e120e192215137f14f6779ae34349728ad84071bf378476c6a1a5e7905
                                                                                                              • Opcode Fuzzy Hash: b0a71ccee2cbb966fc89ad4c690a712cbecb84668702148dc925d9c4f0470daf
                                                                                                              • Instruction Fuzzy Hash: 94E1D570A05259BBEB10DB74CD4ABEDBFA4AF55704F108094E90AB72D1DF709E08DB92
                                                                                                              APIs
                                                                                                              • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(?,EEAE26D7,?,?,00E322D8), ref: 00E3415A
                                                                                                              • ?SelectItem@CTabLayoutUI@DuiLib@@QAE_NH@Z.YCOMUIU(?,?,00E322D8), ref: 00E34174
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listRPicFile,?,?,00E322D8), ref: 00E341D3
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listAPicFile,00000000,?,00E322D8), ref: 00E341DE
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listRVideoFile,00000000,?,00E322D8), ref: 00E341E9
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listAVideoFile,00000000,?,00E322D8), ref: 00E341F4
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listRPicFile,00000001,?,00E322D8), ref: 00E3420B
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listRVideoFile,00000001,?,00E322D8), ref: 00E3423D
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listAPicFile,?,?,00E322D8), ref: 00E34254
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listAVideoFile,00000001,?,00E322D8), ref: 00E34285
                                                                                                              • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(tabConver,?,00E322D8), ref: 00E342C0
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(btnAddFile,00000000,?,?,00E322D8), ref: 00E343A0
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(btnAddFileList,00000000,?,?,?,?,?,00E322D8), ref: 00E343D7
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(btnAddFile,00000000,?,?,00E322D8), ref: 00E34419
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(btnAddFileList,00000000,?,?,?,?,?,00E322D8), ref: 00E34467
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayFileList,?,?,?,?,?,?,00E322D8), ref: 00E344A0
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayToolbar_WatermarkType,00000000), ref: 00E344B4
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayPic_RWatermark,?), ref: 00E344BE
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayPic_AWatermark,00000000), ref: 00E344C9
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayToolbar_WatermarkType,00000001), ref: 00E344E9
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayPic_RWatermark,00000000), ref: 00E344F4
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayPic_AWatermark,00000001), ref: 00E344FF
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayFileList,00000001,?,?,?,?,?,00E322D8), ref: 00E3452C
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayToolbar_WatermarkType,00000000,?,?,?,?,?,00E322D8), ref: 00E3453F
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayToolbar_RVideo,00000001,?,?,?,?,?,00E322D8), ref: 00E3454A
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayToolbar_WatermarkType,00000001,?,?,?,?,?,00E322D8), ref: 00E3456A
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayToolbar_RVideo,00000000,?,?,?,?,?,00E322D8), ref: 00E34575
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayToolbar_WatermarkType,00000000,?,?,?,?,?,00E322D8), ref: 00E3459D
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayFileList,00000000,?,?,?,?,?,00E322D8), ref: 00E345A8
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$Base@ImplWindow$ShowWindow@$ItemText$ControlControl@FindI@2@ManagerPaint$Item@LayoutSelect
                                                                                                              • String ID: AddPicFile$AddPicFile2$AddVideoFile$AddVideoFile2$LayFileList$LayPic_AWatermark$LayPic_RWatermark$LayToolbar_RVideo$LayToolbar_WatermarkType$btnAddFile$btnAddFileList$listAPicFile$listAVideoFile$listRPicFile$listRVideoFile$tabConver$tabConverBottom$tabMain$tabWatermarkType
                                                                                                              • API String ID: 4050989271-3367122727
                                                                                                              • Opcode ID: e9394cfd89b6d1ac8a369d7f42722f1d8a50758697ef86e9e10e907a7c2dd614
                                                                                                              • Instruction ID: 2bf14e810700cc156d6e144df1484753447a9570db57bd3394c9e5d7790b5fd5
                                                                                                              • Opcode Fuzzy Hash: e9394cfd89b6d1ac8a369d7f42722f1d8a50758697ef86e9e10e907a7c2dd614
                                                                                                              • Instruction Fuzzy Hash: 93F1D4B0700A099BDB20EF64CC59BAEBBE1EF95B14F114128E552A72D1DBB0E944EF41
                                                                                                              APIs
                                                                                                              • ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(valuechanged), ref: 00E39415
                                                                                                              • ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(sliderEraserSize), ref: 00E39452
                                                                                                              • ?GetValue@CProgressUI@DuiLib@@QBEHXZ.YCOMUIU ref: 00E3945E
                                                                                                              • ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(sliderFontRotate), ref: 00E3947A
                                                                                                              • ?GetValue@CProgressUI@DuiLib@@QBEHXZ.YCOMUIU ref: 00E39495
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtFontRotate,?), ref: 00E394BF
                                                                                                              • ?GetValue@CProgressUI@DuiLib@@QBEHXZ.YCOMUIU ref: 00E3969A
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtPicSize,?), ref: 00E396C4
                                                                                                              • ??4CStdString@DuiLib@@QAEABV01@PB_W@Z.YCOMUIU(sliderPlay), ref: 00E396F0
                                                                                                              • ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU ref: 00E396F8
                                                                                                              • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU ref: 00E39717
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$String@$ProgressValue@$Base@ImplItemTextWindow$V01@
                                                                                                              • String ID: %d%%$sliderEraserSize$sliderFontAlpha$sliderFontRotate$sliderPicAlpha$sliderPicRotate$sliderPicSize$sliderPlay$txtFontAlpha$txtFontRotate$txtPicAlpha$txtPicRotate$txtPicSize$valuechanged
                                                                                                              • API String ID: 1801458589-727569712
                                                                                                              • Opcode ID: 2da75853356de1e7d2e346a98d2e7f0ee37b58c45ecab0b4fe9e71c0ee75286b
                                                                                                              • Instruction ID: 5da589f932a4c0f2e5a90f274b24f1e166f20a740b5a759b2a3421ca02ad3d5d
                                                                                                              • Opcode Fuzzy Hash: 2da75853356de1e7d2e346a98d2e7f0ee37b58c45ecab0b4fe9e71c0ee75286b
                                                                                                              • Instruction Fuzzy Hash: C491C231B002159BCB18EB70DC59FEABB65FF84704F0041A5E51AA72D2DF709E49DBA1
                                                                                                              APIs
                                                                                                              • PathFindFileNameW.SHLWAPI(00EE8698,9DE8FFFF,?), ref: 00E3A8A2
                                                                                                              • ?GetMarkup@CDialogBuilder@DuiLib@@QAEPAVCMarkup@2@XZ.YCOMUIU ref: 00E3A8B7
                                                                                                              • ?IsValid@CMarkup@DuiLib@@QBE_NXZ.YCOMUIU ref: 00E3A8BF
                                                                                                              • ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,00000000,C0000005,00000000), ref: 00E3A8E2
                                                                                                              • ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@PAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(00000000,C0000005,00000000), ref: 00E3A8F0
                                                                                                              • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,picThumbnail), ref: 00E3A908
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,txtFileName), ref: 00E3A934
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,picThumbnail), ref: 00E3A964
• ?SelectItem@CTileLayoutUI@DuiLib@@QAE_NH_N@Z.YCOMUIU(00000000,00000000,00000001,tabConver,?), ref: 00E3AAC8
• ?CheckDlgButton@WindowImplBase@DuiLib@@QAEHPB_W_N@Z.YCOMUIU(optPicPos1,?,?,00000002,tabWatermarkType,EEAE26D7,?,?,00E322D8,?,00000000,00EE8708,000000FF,?,C000008C,00000001), ref: 00E3ABB6
• ?CheckDlgButton@WindowImplBase@DuiLib@@QAEHPB_W_N@Z.YCOMUIU(optPicPos2,00000000,?,00E322D8,?,00000000,00EE8708,000000FF,?,C000008C,00000001,?), ref: 00E3ABCB
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(sliderPicRotate,?,00E322D8,?,00000000,00EE8708,000000FF,?,C000008C,00000001,?), ref: 00E3ABD8
• ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtPicRotate,?,?), ref: 00E3AC2C
• ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(?), ref: 00E3AC3B
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(sliderPicAlpha,?,00E322D8,?,00000000,00EE8708,000000FF,?,C000008C,00000001,?), ref: 00E3AC6B
• ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtPicAlpha,?,?), ref: 00E3ACBE
• ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(?), ref: 00E3ACCC
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(sliderPicSize,?,00E322D8,?,00000000,00EE8708,000000FF,?,C000008C,00000001,?), ref: 00E3ACFC
• ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtPicSize,?,?), ref: 00E3AD4F
• ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(?), ref: 00E3AD5D
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Lib@@$Control$I@2@$ManagerPaint$Find$Base@DialogImplWindow$Builder@Control@ItemName@ProgressTextV32@Value@$BuilderButton@Callback@2@CheckCreate@Markup@V32@@$D@2@FileItem@LayoutMarkup@2@NamePathSelectTileValid@
• String ID: %d%%$optPicPos1$optPicPos2$picThumbnail$sliderPicAlpha$sliderPicRotate$sliderPicSize$tabConver$tabWatermarkType$txtFileName$txtPicAlpha$txtPicRotate$txtPicSize
• API String ID: 2176707297-2040010724
• Opcode ID: 6f697da5e1cb93541dfb4ac76bd567a4c346599492d39c8e5dee26d4b8a7be5c
• Instruction ID: 98934a97c6ca8abfb11f448b036d15b3cb7e55dccd0eb87bbc5422e9645e5a80
• Opcode Fuzzy Hash: 6f697da5e1cb93541dfb4ac76bd567a4c346599492d39c8e5dee26d4b8a7be5c
• Instruction Fuzzy Hash: CB02D231A0060A9FDB14DF64C858BAEFBB4FF45314F184229E55AB72D1DB70A944CF92
APIs
• ?RemoveAll@CListUI@DuiLib@@QAEXXZ.YCOMUIU(EEAE26D7,?,?,?), ref: 00E3B125
• ?GetMarkup@CDialogBuilder@DuiLib@@QAEPAVCMarkup@2@XZ.YCOMUIU(?,?,?,?,?,00F02A80,?,?,?), ref: 00E3B1B5
• ?IsValid@CMarkup@DuiLib@@QBE_NXZ.YCOMUIU(?,?,?,?,?,00F02A80,?,?,?), ref: 00E3B1BD
• ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,00000000,?,00000000,?,?,?,?,?,00F02A80,?,?,?), ref: 00E3B1DC
• ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@PAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(00000000,?,00000000,?,?,?,?,?,00F02A80,?,?,?), ref: 00E3B1E6
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem1,?,?,?,?,?,00F02A80,?,?,?), ref: 00E3B21F
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,txtTimeItemTitle,?,?,?,?,?,00F02A80,?,?,?), ref: 00E3B23E
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem2,?,?,?,?,?,00F02A80,?,?,?), ref: 00E3B28E
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,txtTimeItemPos,?,?,?,?,?,00F02A80,?,?,?), ref: 00E3B2AD
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem3,?,?,?,?,?,00F02A80,?,?,?), ref: 00E3B359
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,txtTimeItemTime,?,?,?,?,?,00F02A80,?,?,?), ref: 00E3B378
• _strftime.LIBCMT ref: 00E3B417
• _strftime.LIBCMT ref: 00E3B46D
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Control$Lib@@$I@2@$ManagerPaint$FindName@V32@$Dialog$Builder@$BuilderCallback@2@Create@Markup@V32@@_strftime$All@D@2@ListMarkup@2@RemoveValid@
• String ID: %s - %s$(%d,%d), (%d,%d)$ControlTimeListItem1$ControlTimeListItem2$ControlTimeListItem3$TimeListItem1$TimeListItem2$TimeListItem3$txtTimeItemPos$txtTimeItemTime$txtTimeItemTitle
• API String ID: 1442838796-3810458828
• Opcode ID: ca6062dcc856b20e6777a4bf31519b604f315cded5290d2112805afd8aea2d64
• Instruction ID: e492303b9697c6af0754e63a106588085b71ee79ccc5935cb35a6e8b1eb7ebeb
• Opcode Fuzzy Hash: ca6062dcc856b20e6777a4bf31519b604f315cded5290d2112805afd8aea2d64
• Instruction Fuzzy Hash: B7E181B0A016189FCB11DF64CC88BAAB7B9EF44714F1441D9E609B7292DB70EE84CF65
APIs
• CreateFileA.KERNEL32(?,00000000,00000001,00000000,00000003,00000080,00000000), ref: 00DD4B8D
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00DD4BAB
• InternetReadFile.WININET(?,?,00002800,?), ref: 00DD4BEE
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00DD4C1C
• CloseHandle.KERNEL32(00000000), ref: 00DD4C3E
• GetLastError.KERNEL32(00000000), ref: 00DD4C59
  • Part of subcall function 00DD6200: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD6247
• CloseHandle.KERNEL32(00000000,CHttpResponseT::SaveContent: szFilePath can not be NULL.,00000000), ref: 00DD4C77
• GetLastError.KERNEL32(?,00000072,00000000,?), ref: 00DD4C88
• GetLastError.KERNEL32(CHttpResponseT::ReadContent: m_hRequest can not be NULL.,00000000,0000025B,00000000), ref: 00DD4CA5
• CloseHandle.KERNEL32 ref: 00DD4CAE
• CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?,?,0000025E,00000000,?), ref: 00DD4D1D
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,0000025E,00000000,?), ref: 00DD4D3B
• InternetReadFile.WININET(?,?,00002800,?), ref: 00DD4D7E
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00DD4DAC
• CloseHandle.KERNEL32(00000000), ref: 00DD4DCE
• CloseHandle.KERNEL32(00000000,CHttpResponseT::SaveContent: szFilePath can not be NULL.,00000000,?,00000000,?,?,0000025E,00000000,?), ref: 00DD4E07
• GetLastError.KERNEL32(00000000), ref: 00DD4DE9
  • Part of subcall function 00DD6430: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD6477
  • Part of subcall function 00DD6590: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD65AF
• GetLastError.KERNEL32(?,00000072,00000000,?,?,?,0000025E,00000000,?), ref: 00DD4E18
• GetLastError.KERNEL32(CHttpResponseT::ReadContent: m_hRequest can not be NULL.,00000000,0000025B,00000000,?,?,0000025E,00000000,?), ref: 00DD4E35
• CloseHandle.KERNEL32(?,?,?,0000025E,00000000,?), ref: 00DD4E3E
Strings
• CHttpResponseT::SaveContent: szFilePath can not be NULL., xrefs: 00DD4C6C
• CHttpResponseT::SaveContent: szFilePath can not be NULL., xrefs: 00DD4DFC
• CHttpResponseT::ReadContent: m_hRequest can not be NULL., xrefs: 00DD4E2B
• CHttpResponseT::ReadContent: m_hRequest can not be NULL., xrefs: 00DD4C9B
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: File$CloseErrorHandleLast$Create$Exception@8Throw$InternetReadWrite
• String ID: CHttpResponseT::ReadContent: m_hRequest can not be NULL.$CHttpResponseT::ReadContent: m_hRequest can not be NULL.$CHttpResponseT::SaveContent: szFilePath can not be NULL.$CHttpResponseT::SaveContent: szFilePath can not be NULL.
• API String ID: 198237359-1465477268
• Opcode ID: 0f9be6abf14d7e586e0b9b12ddc453fc28851d7d1e0e2619e347d866646f9eeb
• Instruction ID: 920024f6dd0ff6719c65299ebe5650205d385a081816308a2347d27ca0b73b3f
• Opcode Fuzzy Hash: 0f9be6abf14d7e586e0b9b12ddc453fc28851d7d1e0e2619e347d866646f9eeb
• Instruction Fuzzy Hash: 1D81B675781214BBEB209B659C8EF7A77B8EB84B10F148156F514BB2D0CE70AD44CB74
APIs
• ?SetResourceZip@CPaintManagerUI@DuiLib@@SAXPB_W@Z.YCOMUIU(?,6C494B50,00E53752,?,6C494B50), ref: 00E5319D
• ?ReloadSkin@CPaintManagerUI@DuiLib@@SAXXZ.YCOMUIU(6C494B50), ref: 00E531A6
  • Part of subcall function 00E3AF00: ?GetInstance@CSkinManager@DuiLib@@SAPAV12@XZ.YCOMUIU(Default.xml,?,00E531B3), ref: 00E3AF09
  • Part of subcall function 00E3AF00: ?ReloadFont@CSkinManager@DuiLib@@QAEHPB_WPAVCPaintManagerUI@2@@Z.YCOMUIU ref: 00E3AF11
• ?GetInstance@CSkinManager@DuiLib@@SAPAV12@XZ.YCOMUIU(skin.xml), ref: 00E531BD
• ?LoadLanguage@CSkinManager@DuiLib@@QAEHPB_W@Z.YCOMUIU ref: 00E531CB
• ?GetInstance@CSkinManager@DuiLib@@SAPAV12@XZ.YCOMUIU(HomeCtrl.xml), ref: 00E531D2
• ?LoadLanguage@CSkinManager@DuiLib@@QAEHPB_W@Z.YCOMUIU ref: 00E531DA
• ?GetInstance@CSkinManager@DuiLib@@SAPAV12@XZ.YCOMUIU(ConverCtrl.xml), ref: 00E531E1
• ?LoadLanguage@CSkinManager@DuiLib@@QAEHPB_W@Z.YCOMUIU ref: 00E531E9
• ?GetInstance@CSkinManager@DuiLib@@SAPAV12@XZ.YCOMUIU(WatermarkPicCtrl.xml), ref: 00E531F0
• ?LoadLanguage@CSkinManager@DuiLib@@QAEHPB_W@Z.YCOMUIU ref: 00E531F8
• ?GetInstance@CSkinManager@DuiLib@@SAPAV12@XZ.YCOMUIU(WatermarkVideoCtrl.xml), ref: 00E531FF
• ?LoadLanguage@CSkinManager@DuiLib@@QAEHPB_W@Z.YCOMUIU ref: 00E53207
• ?GetInstance@CSkinManager@DuiLib@@SAPAV12@XZ.YCOMUIU(WatermarkTypeCtrl.xml), ref: 00E5320E
• ?LoadLanguage@CSkinManager@DuiLib@@QAEHPB_W@Z.YCOMUIU ref: 00E53216
• ?GetInstance@CSkinManager@DuiLib@@SAPAV12@XZ.YCOMUIU ref: 00E53218
• ?ReloadText@CSkinManager@DuiLib@@QAEXXZ.YCOMUIU ref: 00E53220
• ?GetInstance@CSkinManager@DuiLib@@SAPAV12@XZ.YCOMUIU ref: 00E53226
• ?ResetTextMap@CSkinManager@DuiLib@@QAEXXZ.YCOMUIU ref: 00E5322E
  • Part of subcall function 00E52E60: ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(listVideoSegment,EEAE26D7,?,6C47C8D0,00E34A64,00000000,00EEDEF0,000000FF,?,00E5323B), ref: 00E52E9F
  • Part of subcall function 00E52E60: ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem1), ref: 00E52F2C
  • Part of subcall function 00E52E60: ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem2), ref: 00E52F4E
  • Part of subcall function 00E52E60: ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem3), ref: 00E52F70
  • Part of subcall function 00E3C760: GetWindowRect.USER32(FFFFFFFF,?), ref: 00E3C77A
  • Part of subcall function 00E3C760: ?Invalidate@CPaintManagerUI@DuiLib@@QAEXAAUtagRECT@@@Z.YCOMUIU(?,?,?,?,?,?,00E53249), ref: 00E3C787
  • Part of subcall function 00E3C760: ?NeedUpdate@CPaintManagerUI@DuiLib@@QAEXXZ.YCOMUIU(?,?,?,?,?,00E53249), ref: 00E3C790
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Lib@@$Manager@Skin$Instance@ManagerPaintV12@$Control$Language@Load$FindI@2@$Name@ReloadV32@$Control@Font@I@2@@Invalidate@Map@NeedRectResetResourceSkin@T@@@TextText@Update@UtagWindowZip@
• String ID: ConverCtrl.xml$HomeCtrl.xml$WatermarkPicCtrl.xml$WatermarkTypeCtrl.xml$WatermarkVideoCtrl.xml$skin.xml
• API String ID: 850836796-1237618152
• Opcode ID: ce6e726ecafa6d134c2f747f85353906e076ff5b27a0e34a0488280d075d5356
• Instruction ID: 008318794f9709c22d9c1f68e2a330a496bb1270f6061889cc636b1ea4563e4b
• Opcode Fuzzy Hash: ce6e726ecafa6d134c2f747f85353906e076ff5b27a0e34a0488280d075d5356
• Instruction Fuzzy Hash: F111F534700215CFCB083BB6EC1D47DBBB2EFC8796740452AE842A72E0DF759809EA52
APIs
• IsWindow.USER32(?), ref: 00E34777
• ?GetHeight@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(00000001), ref: 00E34795
• ?GetWidth@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(00000000), ref: 00E347A2
• MoveWindow.USER32(?,?,?,00000000), ref: 00E347B1
• IsWindow.USER32(?), ref: 00E347BD
• ?GetHeight@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(00000001), ref: 00E347E2
• ?GetWidth@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(00000000), ref: 00E347EF
• MoveWindow.USER32(?,?,?,00000000), ref: 00E347FE
  • Part of subcall function 00E36F00: ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(tabMain,EEAE26D7,?,?), ref: 00E36F47
  • Part of subcall function 00E36F00: ?GetCurSel@CTabLayoutUI@DuiLib@@QBEHXZ.YCOMUIU(?,?), ref: 00E36F57
  • Part of subcall function 00E36F00: DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E36F6C
  • Part of subcall function 00E36F00: DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E36FE9
  • Part of subcall function 00E36F00: PathFindExtensionW.SHLWAPI(?,?,?), ref: 00E36FF6
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Lib@@$Rect@Window$DragFileFindHeight@MoveQueryWidth@$ControlControl@ExtensionI@2@LayoutManagerPaintPathSel@
• String ID: [Error]:%d
• API String ID: 146719164-423514254
• Opcode ID: fd5fa123fe399e4ddbf60c6dd6ac522bf6d27f7152cc5d3248c5b94f6fe13cf3
• Instruction ID: adc196011adfec91d4dc5bd27f5d8712fbb88454f129e9b78085b990071c5cea
• Opcode Fuzzy Hash: fd5fa123fe399e4ddbf60c6dd6ac522bf6d27f7152cc5d3248c5b94f6fe13cf3
• Instruction Fuzzy Hash: 94B1AAB1600605AFDB249F61DC4AFAAFBB4FF08704F101619F55AB26E1DB31B914DB90
APIs
• ?GetMarkup@CDialogBuilder@DuiLib@@QAEPAVCMarkup@2@XZ.YCOMUIU ref: 00E32814
• ?IsValid@CMarkup@DuiLib@@QBE_NXZ.YCOMUIU ref: 00E3281C
• ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,00000000,?,00000000), ref: 00E32841
• ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@PAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(00000000,?,00000000), ref: 00E3284B
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem1,?,?,?,?,?,?,EEAE26D7), ref: 00E328C6
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,txtTimeItemTitle,?,?,?,?,?,?,EEAE26D7), ref: 00E328E5
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem2,?,?,?,?,?,?,EEAE26D7), ref: 00E32934
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,txtTimeItemPos,?,?,?,?,?,?,EEAE26D7), ref: 00E32953
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem3,?,?,?,?,?,?,EEAE26D7), ref: 00E329C4
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,txtTimeItemTime,?,?,?,?,?,?,EEAE26D7), ref: 00E329E3
• _strftime.LIBCMT ref: 00E32A54
• _strftime.LIBCMT ref: 00E32A94
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Control$I@2@Lib@@$ManagerPaint$FindName@V32@$Dialog$Builder@$BuilderCallback@2@Create@Markup@V32@@_strftime$D@2@Markup@2@Valid@
• String ID: %s - %s$(%d,%d), (%d,%d)$ControlTimeListItem1$ControlTimeListItem2$ControlTimeListItem3$TimeListItem1$TimeListItem2$TimeListItem3$txtTimeItemPos$txtTimeItemTime$txtTimeItemTitle
• API String ID: 880538387-3810458828
• Opcode ID: d20b3b9f9172c293c107e54ac7b6a82b991538d3e8b389e24b34ce0f3a46b178
• Instruction ID: f182c1b5b3eb5ad0b69b20bd044668a919272122ce46560b715bff840ceda6ab
• Opcode Fuzzy Hash: d20b3b9f9172c293c107e54ac7b6a82b991538d3e8b389e24b34ce0f3a46b178
• Instruction Fuzzy Hash: 50A18FB0A006189FCB21DB64CC49BEEBBB8EF45704F044199F649B7191DB70AE84DFA5
APIs
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(btnSendCaptcha_Step1,EEAE26D7), ref: 00E3E448
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(tabStep), ref: 00E3E461
• ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(caption,00000000), ref: 00E3E4A7
• ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(layBottom,00000000), ref: 00E3E4BB
• ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(caption,00EF8660), ref: 00E3E4CD
• ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(caption,00000000), ref: 00E3E4FE
• ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(edtMobile_Step3), ref: 00E3E519
• ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(edtEmail_Step3), ref: 00E3E528
• ?EnableWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnSubmit,00000000), ref: 00E3E533
• ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(caption,00000000), ref: 00E3E55F
• ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU ref: 00E3E572
• ?SelectItem@CTabLayoutUI@DuiLib@@QAE_NH@Z.YCOMUIU(?), ref: 00E3E57C
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Lib@@$Window$Base@Impl$ItemText$Window@$ControlControl@FindI@2@ManagerPaint$CenterEnableItem@LayoutSelectShowWnd@
• String ID: ModifyDlgTitle1$ModifyDlgTitle2$ModifyDlgTitle3$btnSendCaptcha_Step1$btnSubmit$caption$edtEmail_Step3$edtMobile_Step3$layBottom$tabStep
• API String ID: 2672919530-2442832240
• Opcode ID: 554d6edd76732bb7e8df2c7942f063839670fe75538a34a45f693988f917eeb2
• Instruction ID: 2702aa018b349104ff41ec183cecfaee374c3ec1c04d8a53b6052f82ac459814
• Opcode Fuzzy Hash: 554d6edd76732bb7e8df2c7942f063839670fe75538a34a45f693988f917eeb2
• Instruction Fuzzy Hash: 21316F75B40209EFCB049FA1DC49ABD7BB8FB89704F000579F502A72D1DB71A918EB61
APIs
• ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU(EEAE26D7), ref: 00E12F36
• GetClientRect.USER32(?,?), ref: 00E12F43
• GetWindowLongW.USER32(?,000000EC), ref: 00E12F52
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E12F63
• ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(EEAE26D7), ref: 00E12FD9
• ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E12FE7
• ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E12FF4
• ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E13001
• ??0CDuiPoint@DuiLib@@QAE@HH@Z.YCOMUIU(?), ref: 00E1301B
• ??4CDuiPoint@DuiLib@@QAEAAV01@$$QAV01@@Z.YCOMUIU(00000000), ref: 00E13025
• LoadCursorW.USER32(00000000,00007F00), ref: 00E13064
• SetCursor.USER32(00000000), ref: 00E1306B
• InvalidateRect.USER32(?,00000000,00000000), ref: 00E13086
• ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(EEAE26D7), ref: 00E130DD
• ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E130EB
• ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E130F8
• ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E13105
• GetDC.USER32(?), ref: 00E13182
• CreateCompatibleDC.GDI32(00000000), ref: 00E1318B
• ReleaseDC.USER32(?,00000000), ref: 00E1319B
• SelectObject.GDI32(?,00000000), ref: 00E131C8
• GdipAlloc.GDIPLUS(00000008), ref: 00E131DF
• GdipCreateFromHDC.GDIPLUS(?,?,00000008), ref: 00E13202
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Lib@@$Rect@$Height@Width@$CreateCursorGdipLongPoint@RectWindow$AllocClientCompatibleFromInvalidateLoadObjectReleaseSelectV01@$$V01@@
• String ID:
• API String ID: 3077440823-0
• Opcode ID: b101b47a4f951a04948b46a85cbc548aa0930e5f9f7a1faa65fc74ff986d804f
• Instruction ID: 865591d10f923baba6348ceaf3f0583b8228c8d13b97660c0f7c97fb1d30d5f2
• Opcode Fuzzy Hash: b101b47a4f951a04948b46a85cbc548aa0930e5f9f7a1faa65fc74ff986d804f
• Instruction Fuzzy Hash: B3A17A71A00606EFDB14DF65C988BEDBBF0FB08310F101129E956F76A1DB74A9A4CB91
APIs
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(tabMain,EEAE26D7,?,?), ref: 00E36F47
• ?GetCurSel@CTabLayoutUI@DuiLib@@QBEHXZ.YCOMUIU(?,?), ref: 00E36F57
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E36F6C
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E36FE9
• PathFindExtensionW.SHLWAPI(?,?,?), ref: 00E36FF6
  • Part of subcall function 00E03870: FindResourceW.KERNEL32(00000000,00000100,00000006,000000FF), ref: 00E038B2
  • Part of subcall function 00DF4FD0: GetProcessHeap.KERNEL32 ref: 00DF504E
  • Part of subcall function 00DF4FD0: __Init_thread_footer.LIBCMT ref: 00DF5080
  • Part of subcall function 00DF4FD0: __Init_thread_footer.LIBCMT ref: 00DF5104
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Find$DragFileInit_thread_footerLib@@Query$ControlControl@ExtensionHeapI@2@LayoutManagerPaintPathProcessResourceSel@
• String ID: .avi$.bmp$.exif$.flv$.jpeg$.jpg$.mkv$.mov$.mp4$.mpeg$.png$.tif$.tiff2$.ts$.wmv$tabMain
• API String ID: 3570297370-3171585849
• Opcode ID: 2d0166c3c2d0569d4c386eee8e6bb643f13f415860a109c10a9602d17f588ba0
• Instruction ID: 5888b266fd592d60e024486ebc01e609cdef2d90cff1cab94ebd041865b0dbd8
• Opcode Fuzzy Hash: 2d0166c3c2d0569d4c386eee8e6bb643f13f415860a109c10a9602d17f588ba0
• Instruction Fuzzy Hash: 15D1D2B19052199ADB30DB24DC89BEEBBF4AF15314F1441E8E848B3291EB309E44DEA1
                                                                                                              APIs
                                                                                                              • ??1CMenuWnd@DuiLib@@QAE@XZ.YCOMUIU(EEAE26D7,6C494A20,?,?,?,?,?,?,00000000,00EE85E2,000000FF,?,00E35C19,?), ref: 00E3A445
                                                                                                              • ??0CMenuWnd@DuiLib@@QAE@XZ.YCOMUIU(?,?,?,?,?,?,00000000,00EE85E2,000000FF,?,00E35C19,?), ref: 00E3A480
                                                                                                              • ?GetGlobalContextMenuObserver@CMenuWnd@DuiLib@@SAAAVMenuObserverImpl@2@XZ.YCOMUIU(?,?,?,?,?,?,00000000,00EE85E2,000000FF,?,00E35C19,?), ref: 00E3A49F
                                                                                                              • ?GetControlRect@WindowImplBase@DuiLib@@QAE?AUtagRECT@@PB_W@Z.YCOMUIU(00EE85E2,LayoutNickname,?,?,?,?,?,?,00000000,00EE85E2,000000FF,?,00E35C19,?), ref: 00E3A4BE
                                                                                                              • ClientToScreen.USER32(00000001,?), ref: 00E3A4D7
                                                                                                              • ??0CDuiPoint@DuiLib@@QAE@XZ.YCOMUIU(?,?,?,?,?,?,00000000,00EE85E2,000000FF,?,00E35C19,?), ref: 00E3A4E0
                                                                                                              • ??0CDuiPoint@DuiLib@@QAE@ABUtagPOINT@@@Z.YCOMUIU(?,?,?,?,?,?,?,00000000,00EE85E2,000000FF,?,00E35C19,?), ref: 00E3A4ED
                                                                                                              • ??4CDuiPoint@DuiLib@@QAEAAV01@$$QAV01@@Z.YCOMUIU(?,?,?,?,?,?,?,00000000,00EE85E2,000000FF,?,00E35C19,?), ref: 00E3A4FA
                                                                                                              • ?Init@CMenuWnd@DuiLib@@QAEXPAVCMenuElementUI@2@VSTRINGorID@2@UtagPOINT@@PAVCPaintManagerUI@2@PAVCStdStringPtrMap@2@K@Z.YCOMUIU(00000000,?,?,?,?,00000000,00000006,?,?,?,?,?,?,00000000,00EE85E2,000000FF), ref: 00E3A51F
                                                                                                              • ?SetMenuItemState@CMenuWnd@DuiLib@@QAEXPB_WH_N@Z.YCOMUIU(menuUpdateUser,00000001,00000000,?,?,?,?,00000000,00000006,?,?,?,?,?,?,00000000), ref: 00E3A540
                                                                                                              • ?SetMenuItemState@CMenuWnd@DuiLib@@QAEXPB_WH_N@Z.YCOMUIU(menuUserCenter,00000001,00000000,?,?,?,?,00000000,00000006,?,?,?,?,?,?,00000000), ref: 00E3A557
                                                                                                              • ?SetMenuItemState@CMenuWnd@DuiLib@@QAEXPB_WH_N@Z.YCOMUIU(menuLogout,00000000,00000000,?,?,?,?,00000000,00000006,?,?,?,?,?,?,00000000), ref: 00E3A56E
                                                                                                              • ?SetMenuItemState@CMenuWnd@DuiLib@@QAEXPB_WH_N@Z.YCOMUIU(menuResetPass,00000000,00000000,?,?,?,?,00000000,00000006,?,?,?,?,?,?,00000000), ref: 00E3A594
                                                                                                              • ?SetMenuItemState@CMenuWnd@DuiLib@@QAEXPB_WH_N@Z.YCOMUIU(menuTrial,00000001,00000000,?,?,?,?,00000000,00000006,?,?,?,?,?,?,00000000), ref: 00E3A5CA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$Lib@@$Wnd@$ItemState@$Point@Utag$I@2@$Base@ClientContextControlD@2@ElementGlobalImplImpl@2@Init@ManagerMap@2@ObserverObserver@PaintRect@ScreenStringT@@@V01@$$V01@@Window
                                                                                                              • String ID: LayoutNickname$menuLogout$menuResetPass$menuTrial$menuUpdateUser$menuUserCenter
                                                                                                              • API String ID: 3900149944-531684954
                                                                                                              • Opcode ID: f7319b0e539273d1737934ff350491b91c75e67f29bb37a1ee07babd3cfceffa
                                                                                                              • Instruction ID: 1076e8cf79506014fcb1224b8806a780c14fb8a9f3a925a6dcc6baee9d218e5e
                                                                                                              • Opcode Fuzzy Hash: f7319b0e539273d1737934ff350491b91c75e67f29bb37a1ee07babd3cfceffa
                                                                                                              • Instruction Fuzzy Hash: D351B371A40349AFDB10EBA0DC19BBABBF8FB45705F040129F652A72D0DFB0A944DB21
                                                                                                              APIs
                                                                                                              • GdipGetImageWidth.GDIPLUS(?,?,EEAE26D7), ref: 00E08DD2
                                                                                                              • GdipGetImageHeight.GDIPLUS(?,?,?,?,EEAE26D7), ref: 00E08DEF
                                                                                                              • GdipCreateBitmapFromScan0.GDIPLUS(00000000,00000000,00000000,0026200A,00000000,?), ref: 00E08E82
                                                                                                              • GdipGetImageGraphicsContext.GDIPLUS(?,00000000,00000000,00000000,00000000,0026200A,00000000,?), ref: 00E08EA5
                                                                                                              • GdipCreateSolidFill.GDIPLUS(00000000,00000000,?,00000000,00000000,00000000,00000000,0026200A,00000000,?), ref: 00E08EDF
                                                                                                              • GdipFillRectangleI.GDIPLUS(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,0026200A,00000000,?), ref: 00E08F00
                                                                                                              • GdipCloneBitmapArea.GDIPLUS(?,EEAE26D7), ref: 00E08F41
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Gdip$Image$BitmapCreateFill$AreaCloneContextFromGraphicsHeightRectangleScan0SolidWidth
                                                                                                              • String ID: %d.dat$image/jpeg
                                                                                                              • API String ID: 876185177-3458802690
                                                                                                              • Opcode ID: 3c5bf601039a77961b4d0ebe5d461b26d75e28291d68434f7247f2f92e831018
                                                                                                              • Instruction ID: 51dbf9413ee66f8d50fdfc25d34bbee8dfd9b75d8471e3b40045ecf353d03f3e
                                                                                                              • Opcode Fuzzy Hash: 3c5bf601039a77961b4d0ebe5d461b26d75e28291d68434f7247f2f92e831018
                                                                                                              • Instruction Fuzzy Hash: FFE16A71D00249AFDB11DFA8C945BEEFBF4BF48304F149259E958BB292EB709984CB50
                                                                                                              APIs
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtState,00000000), ref: 00E40078
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtStateTip,00000000), ref: 00E400BD
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnLogin,00000000), ref: 00E400EF
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnBuy,00000001), ref: 00E400FA
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtLimit,?), ref: 00E40178
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtLimitBatch,00000000), ref: 00E401CB
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtLimitBatch,?), ref: 00E40255
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Base@ImplLib@@Window$ItemText$ShowWindow@
                                                                                                              • String ID: LayShare$NoVIP$NoVIPTip$TrialBatchCount$TrialBatchCountZero$TrialCount$btnBuy$btnLogin$txtLimit$txtLimitBatch$txtState$txtStateTip
                                                                                                              • API String ID: 2212878618-3739357055
                                                                                                              • Opcode ID: 596413f92be3548e43e2bf278fec357e2c56e7af792d6de9aeebd050ba7559c4
                                                                                                              • Instruction ID: 5e13c1d32ac4d1a3f9d2b750f13a01faccae7f27d0d895087cdc19409c8197cd
                                                                                                              • Opcode Fuzzy Hash: 596413f92be3548e43e2bf278fec357e2c56e7af792d6de9aeebd050ba7559c4
                                                                                                              • Instruction Fuzzy Hash: 5D71B070B00609AFCB00DBA9DC49F6ABBE5FF85324F148268F515E72E2DB749904DB61
                                                                                                              APIs
                                                                                                              • GlobalAlloc.KERNEL32(00000042,?,EEAE26D7), ref: 00DE029F
                                                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00DE02BB
                                                                                                              • GdipAlloc.GDIPLUS(00000010), ref: 00DE02E3
                                                                                                              • GdipCreateBitmapFromStream.GDIPLUS(00000000,?,00000010), ref: 00DE0314
                                                                                                              • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,00000000,000000FF,00000010), ref: 00DE033E
                                                                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00DE037F
                                                                                                              • GetDC.USER32(00000000), ref: 00DE0428
                                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 00DE0444
                                                                                                              • CreateCompatibleDC.GDI32(?), ref: 00DE044E
                                                                                                              • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00DE045C
                                                                                                              • SelectObject.GDI32(00000000,?), ref: 00DE0470
                                                                                                              • SelectObject.GDI32(?,?), ref: 00DE047A
                                                                                                              • SetStretchBltMode.GDI32(?,00000004), ref: 00DE0483
                                                                                                              • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00DE04A8
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 00DE04B8
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 00DE04BE
                                                                                                              • DeleteDC.GDI32(?), ref: 00DE04C9
                                                                                                              • DeleteDC.GDI32(?), ref: 00DE04CE
                                                                                                              • ReleaseDC.USER32(00000000,?), ref: 00DE04D5
                                                                                                              • DeleteObject.GDI32(?), ref: 00DE0502
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateObject$Select$BitmapCompatibleDeleteGdip$AllocFromGlobalStreamStretch$ModeRelease
                                                                                                              • String ID:
                                                                                                              • API String ID: 3130437922-0
                                                                                                              • Opcode ID: 623fbe983919f42df84a54f09d38e4541268b00e9890ad30c1666e5828daed1a
                                                                                                              • Instruction ID: fb4ce9293d1dc423fec3e9c2878048cc75f446a5be9b72e41562cd2459a2da90
                                                                                                              • Opcode Fuzzy Hash: 623fbe983919f42df84a54f09d38e4541268b00e9890ad30c1666e5828daed1a
                                                                                                              • Instruction Fuzzy Hash: B1914971900259AFDB11DFA6D904BAEBFB5FF88710F14422AE914B7290E771A850CB60
                                                                                                              APIs
                                                                                                                • Part of subcall function 00E03870: FindResourceW.KERNEL32(00000000,00000100,00000006,000000FF), ref: 00E038B2
                                                                                                                • Part of subcall function 00DF4FD0: GetProcessHeap.KERNEL32 ref: 00DF504E
                                                                                                                • Part of subcall function 00DF4FD0: __Init_thread_footer.LIBCMT ref: 00DF5080
                                                                                                                • Part of subcall function 00DF4FD0: __Init_thread_footer.LIBCMT ref: 00DF5104
                                                                                                              • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00E2A163
                                                                                                              • GdipSaveImageToFile.GDIPLUS(?,000000FF,00000000,?), ref: 00E2A2EF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Init_thread_footer$CreateDirectoryFileFindGdipHeapImageProcessResourceSave
                                                                                                              • String ID: %s%lld.bmp$%s%lld.jpg$%s%lld.png$%s%lld.tif$%s\%s\$.bmp$.jpg$.tif$YY$d$data$image/bmp$image/jpeg$image/png$image/tiff
                                                                                                              • API String ID: 33071416-3066061585
                                                                                                              • Opcode ID: 92343b5373d1789a581bf180023006cdd69136e89b3a86cdecc3bc702bc12a10
                                                                                                              • Instruction ID: f46720317cb2df114372b3ddc6fd1c574bb2be5c2c005a1d00586473a4d669ea
                                                                                                              • Opcode Fuzzy Hash: 92343b5373d1789a581bf180023006cdd69136e89b3a86cdecc3bc702bc12a10
                                                                                                              • Instruction Fuzzy Hash: 7591B372A01219DFDB10DFA4DC05BAEB7B4EF44718F188129E905FB292D7719D40DB62
                                                                                                              APIs
                                                                                                              • LoadLibraryW.KERNEL32(ntdll.dll), ref: 00DFD103
                                                                                                              • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00DFD11D
                                                                                                              • lstrcpynW.KERNEL32(?,Windows2000,?), ref: 00DFD184
                                                                                                              • lstrcpynW.KERNEL32(?,Vista,?), ref: 00DFD1D9
                                                                                                              • lstrcpynW.KERNEL32(?,Windows10,?), ref: 00DFD1FE
                                                                                                              • FreeLibrary.KERNEL32(?), ref: 00DFD20D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: lstrcpyn$Library$AddressFreeLoadProc
                                                                                                              • String ID: RtlGetVersion$Vista$Windows10$Windows2000$Windows2003$Windows7$Windows7.1$Windows8$Windows8.1$WindowsXP$ntdll.dll
APIs
• ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(btnYes), ref: 00E0276C
• ?Close@CWindowWnd@DuiLib@@QAEXI@Z.YCOMUIU ref: 00E0277D
• ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(btnClose), ref: 00E0278E
• ?Close@CWindowWnd@DuiLib@@QAEXI@Z.YCOMUIU ref: 00E0279F
• ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(optLeftTop), ref: 00E027B0
• ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(optRightTop), ref: 00E027CB
• ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(optLeftBottom), ref: 00E027E6
• ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(optRightBottom), ref: 00E02801
• ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(optCenter), ref: 00E0281C
• ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU ref: 00E02839
Similarity
• API ID: Lib@@$String@$Close@WindowWnd@
• String ID: btnClose$btnYes$optCenter$optLeftBottom$optLeftTop$optRightBottom$optRightTop
APIs
• ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU ref: 00E0B0CC
• GetClientRect.USER32(?,?), ref: 00E0B0D9
• ??0CDuiPoint@DuiLib@@QAE@HH@Z.YCOMUIU ref: 00E0B1DB
• ??4CDuiPoint@DuiLib@@QAEAAV01@$$QAV01@@Z.YCOMUIU(00000000), ref: 00E0B1E8
  • Part of subcall function 00E09580: ??0CDuiPoint@DuiLib@@QAE@HH@Z.YCOMUIU(?), ref: 00E096B2
• SetCursor.USER32(00000000), ref: 00E0B25A
• InvalidateRect.USER32(?,00000000,00000000), ref: 00E0B27B
• SetCursor.USER32(00000000), ref: 00E0B29A
• InvalidateRect.USER32(?,00000000,00000000), ref: 00E0B2BB
• ??0CDuiPoint@DuiLib@@QAE@XZ.YCOMUIU ref: 00E0B387
• GetCursorPos.USER32(?), ref: 00E0B38D
• ScreenToClient.USER32(?,?), ref: 00E0B39A
• LoadCursorW.USER32(00000000,00007F03), ref: 00E0B3F3
• ??0CDuiPoint@DuiLib@@QAE@XZ.YCOMUIU ref: 00E0B40C
• GetCursorPos.USER32(?), ref: 00E0B412
• ??0CDuiPoint@DuiLib@@QAE@ABV01@@Z.YCOMUIU(?), ref: 00E0B41F
• ScreenToClient.USER32(?,?), ref: 00E0B42C
• SetCursor.USER32(00000000), ref: 00E0B480
• LoadCursorW.USER32(00000000,00007F00), ref: 00E0B4AB
• SetCursor.USER32(00000000), ref: 00E0B4B2
Similarity
• API ID: Cursor$Lib@@$Point@$ClientRect$InvalidateLoadScreenV01@@$Rect@V01@$$
APIs
• InternetCrackUrlW.WININET(?,00000000,00000000,0000003C), ref: 00DFAC07
• InternetOpenW.WININET(00EF8660,00000000,00000000,00000000,00000000), ref: 00DFAC22
• InternetConnectW.WININET(00000000,?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DFAC4A
• HttpOpenRequestW.WININET(00000000,POST,?,00000000,00000000,00000000,20000000,00000000), ref: 00DFAC78
• HttpSendRequestW.WININET(00000000,Content-Type: application/x-www-form-urlencoded,000000FF,?,?), ref: 00DFAC97
• HttpQueryInfoW.WININET(00000000,00000005,?,00000104,00000000), ref: 00DFACED
Similarity
• API ID: HttpInternet$OpenRequest$ConnectCrackInfoQuerySend
• String ID: <$Content-Type: application/x-www-form-urlencoded$POST
APIs
• ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnStart_RemovePic,?,?), ref: 00E3C12A
• ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnSave_RemovePic,?), ref: 00E3C138
• ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnStart_RemoveVideo,?), ref: 00E3C16E
• ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnSave_RemoveVideo,?), ref: 00E3C17C
Similarity
• API ID: Base@ImplLib@@ShowWindowWindow@
• String ID: btnSave_AddPic$btnSave_AddVideo$btnSave_RemovePic$btnSave_RemoveVideo$btnStart_AddPic$btnStart_AddVideo$btnStart_RemovePic$btnStart_RemoveVideo
APIs
• GdipSetSmoothingMode.GDIPLUS(?,00000002,EEAE26D7,?,00000000,00000000,00000001,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00E0860A
• GdipFillEllipse.GDIPLUS(?,?,?,?,?,00000000,00000000,00000001), ref: 00E08757
• GdipDeleteBrush.GDIPLUS(?,?,?,?,?,?,00000000,00000000,00000001), ref: 00E08774
• GdipCreatePen1.GDIPLUS(00EFFC10,00000007,00000000,00000000,?,00000002,EEAE26D7,?,00000000,00000000,00000001), ref: 00E0882F
• GdipSetPenStartCap.GDIPLUS(00000000,00000002,00EFFC10,00000007,00000000,00000000,?,00000002,EEAE26D7,?,00000000,00000000,00000001), ref: 00E08843
• GdipSetPenEndCap.GDIPLUS(00000000,00000002,00000000,00000002,00EFFC10,00000007,00000000,00000000,?,00000002,EEAE26D7,?,00000000,00000000,00000001), ref: 00E08858
• GdipDrawLine.GDIPLUS(?,00000000,00000002,EEAE26D7,?,00000000,00000000,00000001), ref: 00E0889B
• GdipDeletePen.GDIPLUS(00000000,?,00000000,00000002,EEAE26D7,?,00000000,00000000,00000001), ref: 00E088B1
• GdipCreateSolidFill.GDIPLUS(00EFFC10,00000000,?,00000002,EEAE26D7,?,00000000,00000000,00000001,?,00000000), ref: 00E089A7
• GdipFillRectangle.GDIPLUS(?,00000000,?,EEAE26D7,?,00000000,00000000,00000001,?,00000000), ref: 00E089F3
• GdipDeleteBrush.GDIPLUS(00000000,?,00000000,?,EEAE26D7,?,00000000,00000000,00000001,?,00000000), ref: 00E08A15
• GdipCreateSolidFill.GDIPLUS(96FF0000,?), ref: 00E08ADC
• GdipFillEllipse.GDIPLUS(?,00000000), ref: 00E08B20
• GdipDeleteBrush.GDIPLUS(00000000,?,00000000), ref: 00E08B3B
Similarity
• API ID: Gdip$Fill$Delete$BrushCreate$EllipseSolid$DrawLineModePen1RectangleSmoothingStart
• String ID: &
APIs
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(picFile,?,EEAE26D7,?,?,?,?,00EE6240,000000FF,?,00E2EA3D,?), ref: 00E2E2D1
• ?SetBkImage@CControlUI@DuiLib@@QAE_NPB_W@Z.YCOMUIU(?,?,?,?,?,?,00EE6240,000000FF,?,00E2EA3D,?), ref: 00E2E30B
  • Part of subcall function 00E2D9D0: ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(?,EEAE26D7), ref: 00E2DA06
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(wndMedia,?,EEAE26D7,?,?,?,?,00EE6240,000000FF,?,00E2EA3D,?), ref: 00E2E36F
• ?GetHWND@CWndUI@DuiLib@@QAEPAUHWND__@@XZ.YCOMUIU(?,?,?,?,00EE6240,000000FF,?,00E2EA3D,?), ref: 00E2E37E
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(picMedia,?,?,?,?,00EE6240,000000FF,?,00E2EA3D,?), ref: 00E2E3A8
• ?SetBkImage@CControlUI@DuiLib@@QAE_NPB_W@Z.YCOMUIU(?,?,?,?,?,?,00EE6240,000000FF,?,00E2EA3D,?), ref: 00E2E3DE
• ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(wndMedia,?,?,?,?,?,00EE6240,000000FF,?,00E2EA3D,?), ref: 00E2E420
• ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(picMedia,?), ref: 00E2E43C
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Lib@@$Control$Control@FindI@2@ManagerPaint$Base@Image@ImplShowWindowWindow@$D__@@
• String ID: =$LayPic_AWatermark$LayView_VideoWatermark$file='%s' restype='fullpath'$picFile$picMedia$wndMedia
• API String ID: 1129891798-2031177472
• Opcode ID: 90cc675603616c1484d66057b8be5e0de274907074ebd7aaa98194c7201dd12a
• Instruction ID: e74947a1a94c403a1de277fbceb588030adf3aa77baeb26059333c4dbd6655d0
• Opcode Fuzzy Hash: 90cc675603616c1484d66057b8be5e0de274907074ebd7aaa98194c7201dd12a
• Instruction Fuzzy Hash: 5271C131A002199FCB14EFA8D915AFEBBB1FF48714F144259E991B7391DB31AD40CBA1
APIs
• ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU(EEAE26D7), ref: 00E1059A
• GetClientRect.USER32(?,?), ref: 00E105A7
• GetWindowLongW.USER32(?,000000EC), ref: 00E105B9
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E105CA
• LoadCursorW.USER32(00000000,00007F00), ref: 00E10634
• SetCursor.USER32(00000000), ref: 00E1063B
• InvalidateRect.USER32(?,00000000,00000000), ref: 00E10648
  • Part of subcall function 00E0FAD0: ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E0FB12
  • Part of subcall function 00E0FAD0: ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E0FB1F
  • Part of subcall function 00E0FAD0: ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E0FB2B
  • Part of subcall function 00E0FAD0: ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E0FB38
  • Part of subcall function 00E0FAD0: ??0CDuiPoint@DuiLib@@QAE@HH@Z.YCOMUIU ref: 00E0FB65
  • Part of subcall function 00E0FAD0: ??4CDuiPoint@DuiLib@@QAEAAV01@$$QAV01@@Z.YCOMUIU(00000000), ref: 00E0FB72
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Lib@@$Rect@$CursorHeight@LongPoint@RectWidth@Window$ClientInvalidateLoadV01@$$V01@@
• String ID:
• API String ID: 3514533644-0
• Opcode ID: 5551937004a2627da80fd909a8dccef8d014b225846301cbe02538136d1520bf
• Instruction ID: 722b50abc10aa3dbf59b1b46ef874107c4f941daac26b0c825d360aa4e63e16c
• Opcode Fuzzy Hash: 5551937004a2627da80fd909a8dccef8d014b225846301cbe02538136d1520bf
• Instruction Fuzzy Hash: B2A18D70A04605EFEB14EF64C958BE9BBB1FF44314F105229E526B7291DBB1A8D0CF91
APIs
• SHBrowseForFolderW.SHELL32(EEAE26D7), ref: 00E440E1
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E440F7
• PathAddBackslashW.SHLWAPI(?,?,6C494B50), ref: 00E44108
• GetPrivateProfileIntW.KERNEL32(Config,UtilFlag,00000000,?), ref: 00E4421E
• SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UtilFlag,00000004,?), ref: 00E4424E
• WritePrivateProfileStringW.KERNEL32(Config,UtilFlag,?,00000004), ref: 00E44297
• CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,769523D0), ref: 00E44353
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E44360
• CloseHandle.KERNEL32(?), ref: 00E44369
• CloseHandle.KERNEL32(?), ref: 00E44372
  • Part of subcall function 00DF5150: FindResourceExW.KERNEL32(00000000,00000006,00DF5E74,00000000,00000000,00000000,00000000,?,00DF5E74,-00000010), ref: 00DF518E
  • Part of subcall function 00DF5150: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00DF51D7
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: CloseFindHandlePathPrivateProfileResource$BackslashBrowseCreateFolderFromListObjectProcessSingleStringValueWaitWrite
• String ID: Config$Config.ini$Software\EasePaintWatermarkRemover$UtilFlag
• API String ID: 82620523-495804700
• Opcode ID: 3ef9cff168bfb89648e89413ee44f8c1077fa15a55e7dc61a0debe535325dbe8
• Instruction ID: f6285c22d3dd1016d1231c25f566b9f57c367a6f11152ec2506e132e589cc16e
• Opcode Fuzzy Hash: 3ef9cff168bfb89648e89413ee44f8c1077fa15a55e7dc61a0debe535325dbe8
• Instruction Fuzzy Hash: 7D91B071A0020DAFCB10DFA4DC49BAEBBB8FF55314F144259F919B7291DB70AA44CBA0
APIs
  • Part of subcall function 00E43060: GetSystemTimeAsFileTime.KERNEL32(?,?,00E24C18), ref: 00E4306A
• PathFindFileNameW.SHLWAPI(?,?,?,00F01560,0164EDB0), ref: 00E26D74
• PathFindExtensionW.SHLWAPI(?,00000000), ref: 00E26D8A
• GdipSaveImageToFile.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E26E65
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: File$FindPathTime$ExtensionGdipImageNameSaveSystem
• String ID: %lld$.bmp$.gif$.png$.tif$d$image/bmp$image/gif$image/jpeg$image/png$image/tiff
• API String ID: 3564452765-3188911716
• Opcode ID: dcba2600598748cee5be18f2fecaa9a1054c32c8fe49f497d984e7d9da6fed81
• Instruction ID: 8a1b08ae6a3455e12ddf62bc516ab567b29f4affb71d4e42cafd60a3ede43f31
• Opcode Fuzzy Hash: dcba2600598748cee5be18f2fecaa9a1054c32c8fe49f497d984e7d9da6fed81
• Instruction Fuzzy Hash: 7E91AF71E0125CDBDB00DFA8DD45BAEBBB4FF04314F148269E814BB292DB749A05DBA1
APIs
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,EEAE26D7), ref: 00DF44F6
• curl_easy_init.LIBCURL ref: 00DF4506
• curl_easy_setopt.LIBCURL(00000000,00002712,00000000,?,?,?,00000003), ref: 00DF45B5
• curl_easy_setopt.LIBCURL(00000000,00004E2B,Function_00034470,?,?,?,00000003), ref: 00DF45C2
• curl_easy_setopt.LIBCURL(00000000,00002711,00000000,?,?,?,00000003), ref: 00DF45CD
• curl_easy_setopt.LIBCURL(00000000,00000044,00000005,?,?,?,00000003), ref: 00DF45D4
• curl_easy_setopt.LIBCURL(00000000,00000034,00000001,?,?,?,00000003), ref: 00DF45DB
• curl_easy_setopt.LIBCURL(00000000,0000002B,00000000,?,?,?,00000003), ref: 00DF45E2
• curl_easy_setopt.LIBCURL(00000000,00000040,00000000), ref: 00DF45EC
• curl_easy_setopt.LIBCURL(00000000,00000051,00000000), ref: 00DF45F3
• curl_easy_perform.LIBCURL(00000000), ref: 00DF45F6
• curl_easy_strerror.LIBCURL(00000000), ref: 00DF4606
• curl_easy_cleanup.LIBCURL(00000000), ref: 00DF4653
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: curl_easy_setopt$CreateGlobalStreamcurl_easy_cleanupcurl_easy_initcurl_easy_performcurl_easy_strerror
• String ID: CURL Error CODE:
• API String ID: 171543683-4205966572
• Opcode ID: bb92200777657b0799def2e50e051055b730b0e813823bb12e727d15fcb1b605
• Instruction ID: 371788bf76a6f327461411d7618f180ab6489f91785a60a0cb2d6a1b7a307b5b
• Opcode Fuzzy Hash: bb92200777657b0799def2e50e051055b730b0e813823bb12e727d15fcb1b605
• Instruction Fuzzy Hash: 4051B471A00208ABDB10EB65DC45FBF7B68EF44724F158519FA06FB2C1DA759A04CBB1
APIs
• GdipGetImageWidth.GDIPLUS(?,?,EEAE26D7), ref: 00E289F8
• GdipGetImageHeight.GDIPLUS(?,?,?,?,EEAE26D7), ref: 00E28A18
• GdipAlloc.GDIPLUS(00000010,?,?,?,?,EEAE26D7), ref: 00E28A5E
• GdipFillRectangleI.GDIPLUS(?,?,00000000,00000000,?,00000000), ref: 00E28B00
• GdipSetSmoothingMode.GDIPLUS(00000000,00000002,?,?,00000000,00000000,?,00000000), ref: 00E28B1A
• GdipCreatePen1.GDIPLUS(000000FF,?,00000000,?,00000001,00000000,00000000,?,00000000,00000002,?,?,00000000,00000000), ref: 00E28C3B
• GdipSetPenStartCap.GDIPLUS(00000000,00000002,000000FF,?,00000000,?,00000001,00000000,00000000,?,00000000,00000002,?,?,00000000,00000000), ref: 00E28C4C
• GdipSetPenEndCap.GDIPLUS(00000000,00000002,00000000,00000002,000000FF,?,00000000,?,00000001,00000000,00000000,?,00000000,00000002,?,?), ref: 00E28C61
• GdipDeletePen.GDIPLUS(00000000,00000000,00000002,00000000,00000002,000000FF,?,00000000,?,00000001,00000000,00000000,?,00000000,00000002,?), ref: 00E28C8E
• GdipFillRectangle.GDIPLUS(?,?,00000000,00000000,?,00000000), ref: 00E28D5B
• GdipDeleteBrush.GDIPLUS(?,?,?,00000000,00000000,?,00000000), ref: 00E28D7A
• GdipDeleteBrush.GDIPLUS(?,FFFFFFFF,?,00000000,.png,00000000,00000002,?,?,00000000,00000000,?,00000000), ref: 00E28DCC
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Gdip$Delete$BrushFillImageRectangle$AllocCreateHeightModePen1SmoothingStartWidth
                                                                                                              • String ID: .png
                                                                                                              • API String ID: 3267241231-502324627
                                                                                                              • Opcode ID: 5c93ef221cee24ae4291747c3183c452f4671c662c4a95ba520f6e567076ba8f
                                                                                                              • Instruction ID: 38ebbee9e4f6c899b595f49c6fb0c560e5e22b3abaf3833530ce8560df841a4a
                                                                                                              • Opcode Fuzzy Hash: 5c93ef221cee24ae4291747c3183c452f4671c662c4a95ba520f6e567076ba8f
                                                                                                              • Instruction Fuzzy Hash: 8BD1A870901219EFDB11DFA5C981BEEBBF4FF48304F149269E815BB291EB30A945DB90
APIs
• WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,EEAE26D7), ref: 00DF4AF8
• curl_easy_init.LIBCURL(EEAE26D7), ref: 00DF4B16
• curl_easy_setopt.LIBCURL(?,00002712,00000000,?,?,?,00000003), ref: 00DF4C3E
• curl_easy_setopt.LIBCURL(?,00002715,?,?,?,?,00000003), ref: 00DF4C49
• curl_easy_setopt.LIBCURL(?,00004E2B,Function_00035F10,?,?,?,00000003), ref: 00DF4C56
• curl_easy_setopt.LIBCURL(?,00002711,?,?,?,?,00000003), ref: 00DF4C61
• curl_easy_setopt.LIBCURL(?,0000000D,00000014,?,?,?,00000003), ref: 00DF4C68
• curl_easy_setopt.LIBCURL(?,00000040,00000000,?,?,?,00000003), ref: 00DF4C6F
• curl_easy_setopt.LIBCURL(?,00000051,00000000), ref: 00DF4C79
• curl_easy_perform.LIBCURL(?), ref: 00DF4C7C
• curl_easy_cleanup.LIBCURL(?), ref: 00DF4CEC
  • Part of subcall function 00DF4170: WideCharToMultiByte.KERNEL32(80004005,00000000,?,000000FF,?,EEAE26D7,00000000,00000000,?,?,?,00F2AD98,?,?,00E056AD,80004005), ref: 00DF4195
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: curl_easy_setopt$ByteCharMultiWide$curl_easy_cleanupcurl_easy_initcurl_easy_perform
• String ID: %s:%s$CURL Error CODE:
• API String ID: 3350456867-2876294989
• Opcode ID: cca02121c114a9020a8854bc88a6e80ca37437985c4e42656cf870b903ecfc9e
• Instruction ID: 58d59f1ed028daea9220565ebe4dab26d5950848728cb2849cdc1e12d45ca705
• Instruction Fuzzy Hash: CFB1D171A016099BD710DF6CCC49B6FBBB8EF85324F198258E915EB292DB75DD00CBA0
APIs
• WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,EEAE26D7), ref: 00DF611F
• curl_easy_init.LIBCURL(EEAE26D7), ref: 00DF613D
• curl_easy_setopt.LIBCURL(?,00002712,00000000,?,?,?,00000003), ref: 00DF61F0
• curl_easy_setopt.LIBCURL(?,00002715,?,?,?,?,00000003), ref: 00DF61FB
• curl_easy_setopt.LIBCURL(?,00004E2B,Function_00035F10,?,?,?,00000003), ref: 00DF6208
• curl_easy_setopt.LIBCURL(?,00002711,?,?,?,?,00000003), ref: 00DF6213
• curl_easy_setopt.LIBCURL(?,0000000D,00000014,?,?,?,00000003), ref: 00DF621A
• curl_easy_setopt.LIBCURL(?,00000040,00000000,?,?,?,00000003), ref: 00DF6221
• curl_easy_setopt.LIBCURL(?,00000051,00000000), ref: 00DF622B
• curl_easy_perform.LIBCURL(?), ref: 00DF622E
• curl_easy_cleanup.LIBCURL(?), ref: 00DF62A8
  • Part of subcall function 00DF4170: WideCharToMultiByte.KERNEL32(80004005,00000000,?,000000FF,?,EEAE26D7,00000000,00000000,?,?,?,00F2AD98,?,?,00E056AD,80004005), ref: 00DF4195
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: curl_easy_setopt$ByteCharMultiWide$curl_easy_cleanupcurl_easy_initcurl_easy_perform
• String ID: %s:%s$CURL Error CODE:
• API String ID: 3350456867-2876294989
• Opcode ID: 17346ca7cec2dd7a48e58cd4c44d10ed1aa46ffeaa24bce1ac46e2b6cfc4f159
• Instruction ID: dc1574c6fafaeaf312f1c067c67febaba1de118162666382849c479d2a4f3593
• Instruction Fuzzy Hash: 9DA13970A003499BDB00DF69CC45BAEBBB4EF85314F19C258F915AB2D2DB75D901CBA0
APIs
• Sleep.KERNEL32(000001F5,EEAE26D7), ref: 00E3896F
• ?IsDlgButtonChecked@WindowImplBase@DuiLib@@QAEIPB_W@Z.YCOMUIU(optSaveCustomPath,?,?), ref: 00E38A1C
• ?GetDlgItemTextW@WindowImplBase@DuiLib@@QAE?AVCStdString@2@PB_W_N@Z.YCOMUIU(?,editCustomPath,00000000), ref: 00E38A37
• ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU(?,?,?,?), ref: 00E38A4C
• ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(00000000), ref: 00E38A67
• PostMessageW.USER32(00000001,00000413,00000000,00000000), ref: 00E38D0F
  • Part of subcall function 00E44970: IsWindow.USER32(?), ref: 00E449D5
  • Part of subcall function 00E44970: ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(?,00EF8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E449FD
  • Part of subcall function 00E44970: ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU ref: 00E44A05
  • Part of subcall function 00E44970: ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU ref: 00E44A0D
• PathRemoveFileSpecW.SHLWAPI(?), ref: 00E38BCA
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Lib@@$Window$Wnd@$Base@ImplString@$ButtonCenterChecked@Create@D__@@FileItemMessageModal@PathPostRemoveShowSleepSpecString@2@TextU__@@@Window@
• String ID: %s%s_%s\$%s\%s_%s\$OutputPath$\$editCustomPath$optSaveCustomPath
• API String ID: 2260372878-786459245
• Opcode ID: eae4dfa4f7cca25425c2ef3fcce729d5f702ecc5803617fa329d796c8bacdf5c
• Instruction ID: a79464872e870d0a4f2d0e113261e77f1f7864a1a8da61fb754a2435c1ee5259
• Instruction Fuzzy Hash: 6EB1D2705403099BCB24DF60CD89BEABBB4FF51304F205299F51AAB2D1EF706A45CB91
APIs
• WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,EEAE26D7,00000000), ref: 00DF4E42
• curl_easy_init.LIBCURL(EEAE26D7,00000000), ref: 00DF4E5A
• curl_easy_setopt.LIBCURL(00000000,00002712,00000000), ref: 00DF4EBA
• curl_easy_setopt.LIBCURL(00000000,00002715,root:pass), ref: 00DF4EC7
• curl_easy_setopt.LIBCURL(00000000,00004E2B,00DF5F10), ref: 00DF4ED4
• curl_easy_setopt.LIBCURL(00000000,00002711,?), ref: 00DF4EDD
• curl_easy_setopt.LIBCURL(00000000,0000004E,00000005), ref: 00DF4EE4
• curl_easy_setopt.LIBCURL(00000000,00000040,00000000), ref: 00DF4EEB
• curl_easy_setopt.LIBCURL(00000000,00000051,00000000), ref: 00DF4EF5
• curl_easy_perform.LIBCURL(00000000), ref: 00DF4EF8
• curl_easy_cleanup.LIBCURL(00000000), ref: 00DF4F67
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: curl_easy_setopt$ByteCharMultiWidecurl_easy_cleanupcurl_easy_initcurl_easy_perform
• String ID: CURL Error CODE: $root:pass
• API String ID: 2215102362-2816247451
• Opcode ID: 7e9978a7009c09bae151a133c5f0c1028a736a12aeff548fad8825b1b6a60766
• Instruction ID: db78da743d0609328b37cb55d22f3421a2016d9175e79723ac37d9635ca58d4c
• Instruction Fuzzy Hash: 8F51E571900609ABD710DF68CC49B7FBBB4EF85724F158259FA15EB2C2DB759900CBA0
APIs
• HttpEndRequestW.WININET(?,00000000,00000000,00000000), ref: 00DD0661
• GetLastError.KERNEL32(00000000,CHttpToolW::EndRequest: hRequest can not be NULL.,00000000,00000000,?,00000199,00000000), ref: 00DD0679
Strings
• CHttpToolW::FileExists: szFilePath can not be NULL., xrefs: 00DD07B9
• CHttpPostStatT::FileCount: The post context is not active., xrefs: 00DD06FC
• CHttpPostStatT::FileCount: The post context is not active., xrefs: 00DD071C
• CHttpClientMapT::Exists: szName can not be NULL., xrefs: 00DD06B2
• CHttpToolA::FileExists: szFilePath can not be NULL., xrefs: 00DD0767
• CHttpToolW::EndRequest: hRequest can not be NULL., xrefs: 00DD066D
• CHttpClientMapT::Exists: szName can not be NULL., xrefs: 00DD06E2
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: ErrorHttpLastRequest
• String ID: CHttpClientMapT::Exists: szName can not be NULL.$CHttpClientMapT::Exists: szName can not be NULL.$CHttpPostStatT::FileCount: The post context is not active.$CHttpPostStatT::FileCount: The post context is not active.$CHttpToolA::FileExists: szFilePath can not be NULL.$CHttpToolW::EndRequest: hRequest can not be NULL.$CHttpToolW::FileExists: szFilePath can not be NULL.
• API String ID: 4268994570-2375225463
• Opcode ID: d43bd92b3ab2f1f75681c09034bcbb46d518a1f9da1926fa9035d1218219aa98
• Instruction ID: a6a743f34fd32750e7b476e543b96c4fe0647a496024576aa1c2930107d16419
• Instruction Fuzzy Hash: 0931623038030C7BEA246AA8DC4AFA5375CDB80B15F248522F718EE6D1D6B5F994C675
APIs
                                                                                                                • Part of subcall function 00E41EB0: SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UtilFlag,00000000,00000000,?), ref: 00E41EDD
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(ProductName,?), ref: 00E020CD
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(LabelVersion,?), ref: 00E020DA
                                                                                                              • ?SetControlBkImage@WindowImplBase@DuiLib@@QAEXPB_W0@Z.YCOMUIU(AboutLogo,00F4E7C0), ref: 00E020EF
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(buttonSite,00F4E7C0), ref: 00E02108
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(CompanyName,00F4E7C0), ref: 00E0211D
                                                                                                              • ?SetControlBkImage@WindowImplBase@DuiLib@@QAEXPB_W0@Z.YCOMUIU(DlgFrame,00F4E7C0), ref: 00E02132
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Base@ImplLib@@Window$ItemText$ControlImage@$Value
                                                                                                              • String ID: %s.%d$AboutLogo$CompanyName$DlgFrame$LabelVersion$ProductName$buttonSite
                                                                                                              • API String ID: 828941793-949621626
                                                                                                              • Opcode ID: cc2c4710303f248ed0f0e2edc944bf3512328e2300f34b07aef0e0a0bd8662ff
                                                                                                              • Instruction ID: b335f9f868fc1dc64252f1d8e6d8a4f8633470f117f6476661e13bc780e13476
                                                                                                              • Opcode Fuzzy Hash: cc2c4710303f248ed0f0e2edc944bf3512328e2300f34b07aef0e0a0bd8662ff
                                                                                                              • Instruction Fuzzy Hash: 2541BC31601608AFD710DB69CC4DB6EB7E9FF84325F048269EA25A72E1CB749C40DB61
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: %d.%d.%d.%d
                                                                                                              • API String ID: 0-3491811756
                                                                                                              • Opcode ID: 0eaec226d5660520d0de514691439823850c5f615a5d9b8e33900420d5d46efd
                                                                                                              • Instruction ID: 392152dd8dc0e5edcea2cd0c1a1a624011ab50aad1ef61b91fd444d46f132e30
                                                                                                              • Opcode Fuzzy Hash: 0eaec226d5660520d0de514691439823850c5f615a5d9b8e33900420d5d46efd
                                                                                                              • Instruction Fuzzy Hash: 5331283694011DABCB20EB95EC84AFFB7A8EF54722F058167EE04E2241D7315918D7B1
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,EEAE26D7), ref: 00E411DE
                                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00E41262
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide
                                                                                                              • String ID: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus$\skin$\skin_ar$\skin_de$\skin_en$\skin_es$\skin_fr$\skin_id$\skin_jp$\skin_ko$\skin_pt$\skin_ru$\skin_tr
                                                                                                              • API String ID: 626452242-1509154452
                                                                                                              • Opcode ID: b0aef0a21ae62abecd63b122a2236ff5e3e0d84b818460c67ea22c80d6635de4
                                                                                                              • Instruction ID: 0ff749a94008fda9a531664ab1379339b6059d21c534484c756dcb045cda3fde
                                                                                                              • Opcode Fuzzy Hash: b0aef0a21ae62abecd63b122a2236ff5e3e0d84b818460c67ea22c80d6635de4
                                                                                                              • Instruction Fuzzy Hash: 66713A31780608ABEF109F58EC06BAE77A4FB10719F20C259F955FB2D1CBB5A9409751
                                                                                                              APIs
                                                                                                              • WaitForSingleObject.KERNEL32(?,00000000,EEAE26D7,?,?), ref: 00DFF166
                                                                                                              • CloseHandle.KERNEL32(?,?,?), ref: 00DFF17D
                                                                                                                • Part of subcall function 00DF5150: FindResourceExW.KERNEL32(00000000,00000006,00DF5E74,00000000,00000000,00000000,00000000,?,00DF5E74,-00000010), ref: 00DF518E
                                                                                                                • Part of subcall function 00DF5150: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00DF51D7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FindResource$CloseHandleObjectSingleWait
                                                                                                              • String ID: AdId$AppApiId$AppId$ChannelCode$MachineCode$OsBit$TypeId$Version$action.ashx$http://
                                                                                                              • API String ID: 327101899-1947157355
                                                                                                              • Opcode ID: 00a9d62f55611a53bcab90b40d19e5bb8dbe11a840b93505da40d5e4b732a389
                                                                                                              • Instruction ID: 128ad8e6a00f496d19c9d7d05aa6ff54a86eb6d53a055b5945bbe208f18149aa
                                                                                                              • Opcode Fuzzy Hash: 00a9d62f55611a53bcab90b40d19e5bb8dbe11a840b93505da40d5e4b732a389
                                                                                                              • Instruction Fuzzy Hash: 4BF1B031D01288DBDF00EBA4CC55BEEBBB4EF15300F54816CE555A7292DB74AA08DBB2
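The "APIs" and "String ID" records above are the part of this report a practitioner actually triages: which imports each function reaches, what the constant arguments mean, and which strings (the registry key under HKCU, the `action.ashx` / `http://` telemetry fields, `MachineCode`) point at persistence or network activity. The following Python parser is an added example, not Joe Sandbox code and not code from the analysed sample. It extracts each `• API.MODULE(args), ref: ADDR` line into a record, decodes the SDK constants visible in this report (0x80000001 = HKEY_CURRENT_USER in the SHGetValueW call, 0xFDE9 = CP_UTF8, resource type 6 = RT_STRING in FindResourceExW, 0x8000 = MEM_RELEASE in VirtualFree), and splits the `$`-joined String ID list. The sample text is copied from the records on this page; the constant table is limited to values that occur here and is an assumption about which positions matter.

```python
"""Parse the per-function "APIs" and "String ID" records of a Joe Sandbox text
report into structured data, decoding the Win32 constants that carry the
security-relevant meaning.  Added example; not Joe Sandbox or sample code."""
import re

# Constructed sample: lines copied from the function records in this report.
SAMPLE_REPORT = r"""
APIs
  • Part of subcall function 00E41EB0: SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UtilFlag,00000000,00000000,?), ref: 00E41EDD
• ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(ProductName,?), ref: 00E020CD
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,EEAE26D7), ref: 00E411DE
• FindResourceExW.KERNEL32(00000000,00000006,00DF5E74,00000000,00000000,00000000,00000000,?,00DF5E74,-00000010), ref: 00DF518E
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DC733C
• GetErrorInfo.OLEAUT32(?,?,EEAE26D7), ref: 00DC91F6
• __fassign.LIBCMT ref: 00DC9288
Similarity
• String ID: AdId$AppApiId$AppId$ChannelCode$MachineCode$OsBit$TypeId$Version$action.ashx$http://
"""

# One "APIs" line: optional "Part of subcall" prefix, API.MODULE (the API part
# may be a C++ mangled name with '?' and '@'), optional argument list, then the
# "ref:" call-site address.
API_LINE = re.compile(
    r"^\s*[•*]\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-F]+):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
HEX_ARG = re.compile(r"^(-?)([0-9A-F]{8})$")
# Joe Sandbox joins the strings of one function with '$' (a '$' inside a
# string would therefore split incorrectly; accepted for this report).
STRING_ID_LINE = re.compile(r"^\s*[•*]\s*String ID:\s*(?P<ids>.*\S)\s*$")

# Documented SDK values for (API, argument index); assumption: only the
# constants that occur in this report are listed.
KNOWN_CONSTANTS = {
    ("SHGetValueW", 0): {0x80000000: "HKEY_CLASSES_ROOT",
                         0x80000001: "HKEY_CURRENT_USER",
                         0x80000002: "HKEY_LOCAL_MACHINE"},
    ("MultiByteToWideChar", 0): {0: "CP_ACP", 1: "CP_OEMCP", 65001: "CP_UTF8"},
    ("FindResourceExW", 1): {6: "RT_STRING", 10: "RT_RCDATA"},
    ("VirtualFree", 2): {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"},
}


def _parse_arg(token):
    """8-digit (optionally negative) hex tokens become ints; anything else
    ('?' for unknown, names, registry paths) stays the string the sandbox printed."""
    m = HEX_ARG.match(token)
    if not m:
        return token
    value = int(m.group(2), 16)
    return -value if m.group(1) else value


def decode_constants(api, args):
    """Map argument positions to symbolic names where the value is a known constant."""
    decoded = {}
    for idx, value in enumerate(args):
        names = KNOWN_CONSTANTS.get((api, idx))
        if names and isinstance(value, int) and value in names:
            decoded[idx] = names[value]
    return decoded


def parse_api_lines(text):
    """Return one record per '• API.MODULE(args), ref: ADDR' line, in report order."""
    records = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        records.append({
            "api": m.group("api"), "module": m.group("module"),
            "ref": m.group("ref"), "subcall": m.group("subcall"),
            "args": args, "decoded": decode_constants(m.group("api"), args),
        })
    return records


def parse_string_ids(text):
    """Split every '• String ID: a$b$c' line into its list of strings."""
    out = []
    for line in text.splitlines():
        m = STRING_ID_LINE.match(line)
        if m:
            out.append(m.group("ids").split("$"))
    return out


def apis_by_module(records):
    """Distinct API names per import module, for a quick 'what does it touch' view."""
    grouped = {}
    for r in records:
        grouped.setdefault(r["module"], set()).add(r["api"])
    return {mod: sorted(names) for mod, names in sorted(grouped.items())}


if __name__ == "__main__":
    recs = parse_api_lines(SAMPLE_REPORT)
    for r in recs:
        tag = f" (in subcall {r['subcall']})" if r["subcall"] else ""
        print(f"{r['ref']}: {r['module']}!{r['api']}{tag} decoded={r['decoded']}")
    print(apis_by_module(recs))
    print(parse_string_ids(SAMPLE_REPORT))
```

Run against a full report dump rather than the embedded sample, the same functions give a per-function import map and string list that can be diffed against a clean copy of the host application; the `decoded` field is what turns `80000001` into a readable "reads HKCU\Software\EasePaintWatermarkRemover\UtilFlag" during triage.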
                                                                                                              APIs
                                                                                                              • GetErrorInfo.OLEAUT32(?,?,EEAE26D7), ref: 00DC91F6
                                                                                                              • __fassign.LIBCMT ref: 00DC9288
                                                                                                              • SysFreeString.OLEAUT32(00000000), ref: 00DC939B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFreeInfoString__fassign
                                                                                                              • String ID: Failed to allocate memory$Failed to convert a COM error message to ANSI$Failed to get a IErrorInfo interface.$Failed to get a error message from IErrorInfo$Object does not support the ISupportErrorInfo interface.$This COM error message is a invalid unicode string.
                                                                                                              • API String ID: 3858576792-1879321028
                                                                                                              • Opcode ID: 68ee10c3024fdd08ae8e62ff2262d7e76b98d994b6ccbb463f5bdf913f98cd76
                                                                                                              • Instruction ID: 8b42ffed7de0d0eefd46493e13683802b8082bebb850c1c88508152eb40fbaa0
                                                                                                              • Opcode Fuzzy Hash: 68ee10c3024fdd08ae8e62ff2262d7e76b98d994b6ccbb463f5bdf913f98cd76
                                                                                                              • Instruction Fuzzy Hash: F261A07160424AEFDB10CFA9C898FBEFBB9EB85710F15412DE855A7290D731D905CBA0
                                                                                                              APIs
                                                                                                              • ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(edtTextWatermark), ref: 00E3A0ED
                                                                                                              • ?GetDlgItemTextW@WindowImplBase@DuiLib@@QAE?AVCStdString@2@PB_W_N@Z.YCOMUIU(?,edtTextWatermark,00000000), ref: 00E3A10D
                                                                                                              • ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU ref: 00E3A119
                                                                                                              • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(00000000), ref: 00E3A135
                                                                                                              • ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(edtFontSize), ref: 00E3A200
                                                                                                              • ?GetDlgItemTextW@WindowImplBase@DuiLib@@QAE?AVCStdString@2@PB_W_N@Z.YCOMUIU(?,edtFontSize,00000000), ref: 00E3A21A
                                                                                                              • ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU ref: 00E3A226
                                                                                                              • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(00000000), ref: 00E3A242
                                                                                                              • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU ref: 00E3A2B1
                                                                                                              • ?OnTimer@WindowImplBase@DuiLib@@UAEJIIJAAH@Z.YCOMUIU(?,?,?,?,?,?,80004005), ref: 00E3A2F2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$String@$Base@ImplWindow$ItemString@2@Text$Timer@
                                                                                                              • String ID: edtFontSize$edtTextWatermark
                                                                                                              • API String ID: 465539673-2727772412
                                                                                                              • Opcode ID: 8232527f1474e1b57f7d3b40e6753f8dd327236b26c375afc4fe20d932b08b8f
                                                                                                              • Instruction ID: b0d6edfb393cf2bf79209d2a56768e0e6e9cf58a053abf3e3b8dd129a39e38bd
                                                                                                              • Opcode Fuzzy Hash: 8232527f1474e1b57f7d3b40e6753f8dd327236b26c375afc4fe20d932b08b8f
                                                                                                              • Instruction Fuzzy Hash: 4461D5716002089FDB14DF64CC49BEABBF5EF98714F0441B8E95AA7291EF31AE84CB51
APIs
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DC733C
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DC734D
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DC735E
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DC736F
• VirtualFree.KERNEL32(00000002,00000000,00008000), ref: 00DC737D
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00DC738C
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: FreeVirtual
• String ID: %02x $Issuer Name: %s$More Info Link: %s$Program Name: %s$Publisher Link: %s$Serial Number: $Subject Name: %s$Usage: SignedFileInfo <filename>
• API String ID: 1263568516-3142567262
• Opcode ID: c3b83a618ce4767777bc3287fd74a6be5c4c108a7cb7f51b3c34b00d61a97eaa
• Instruction ID: c6a1fe44c2bc751c71653b62e004a2c5cf740319c9fa7f343ee6212227257f81
• Opcode Fuzzy Hash: c3b83a618ce4767777bc3287fd74a6be5c4c108a7cb7f51b3c34b00d61a97eaa
• Instruction Fuzzy Hash: 3E31B531F4834E7ADB20ABE48C03FAEB768AF40B10F244159BE54B7181DA75A9149FB5
APIs
• GdipGraphicsClear.GDIPLUS(?,05000000,EEAE26D7), ref: 00E13431
• GdipSetSmoothingMode.GDIPLUS(?,00000002,?,05000000,EEAE26D7), ref: 00E1345E
• GdipCreatePen1.GDIPLUS(FFFF0000,?,00000000,?,?,00000002,?,05000000,EEAE26D7), ref: 00E134CC
• GdipDrawRectangle.GDIPLUS(?,00000000,05000000,EEAE26D7), ref: 00E1350E
• GdipDeletePen.GDIPLUS(00000000,?,00000000,05000000,EEAE26D7), ref: 00E13524
• ??9CDuiPoint@DuiLib@@QBEHUtagPOINT@@@Z.YCOMUIU(EEAE26D7,05000000,?,05000000,EEAE26D7), ref: 00E13542
• GdipCreatePen1.GDIPLUS(FFFF0000,?,00000000,?), ref: 00E135F7
• GdipDrawRectangle.GDIPLUS(?,00000000), ref: 00E13639
• GdipDeletePen.GDIPLUS(00000000,?,00000000), ref: 00E1364F
• GetDC.USER32(?), ref: 00E13657
• GetWindowRect.USER32(?,?), ref: 00E13674
• UpdateLayeredWindow.USER32(?,00000000,?,?,?,00000002,00000000,01FF0000,00000002), ref: 00E136BC
• ReleaseDC.USER32(?,00000000), ref: 00E136C6
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Gdip$CreateDeleteDrawPen1RectangleWindow$ClearGraphicsLayeredLib@@ModePoint@RectReleaseSmoothingT@@@UpdateUtag
• String ID:
• API String ID: 2187001624-0
• Opcode ID: e4ece45a50545b126a8d7e36ae88d9506f84c4befd72d611d50d7520dfa6e634
• Instruction ID: 8cb06cfc23655c17b2e1a1d0762729bff8d6de4039b9a6439a7fd1f712ce6e8f
• Opcode Fuzzy Hash: e4ece45a50545b126a8d7e36ae88d9506f84c4befd72d611d50d7520dfa6e634
• Instruction Fuzzy Hash: FC917B71D11B49AFDB02DF76C941AADFBB4BF9A340F14931AF814B21A0EB306994DB40
APIs
• IsWindowVisible.USER32(?), ref: 00E13296
• ShowWindow.USER32(?,00000005), ref: 00E132A5
• ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU ref: 00E132C0
• GetParent.USER32(?), ref: 00E132C9
• GetWindowRect.USER32(00000000,?), ref: 00E132DC
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00E132FE
• ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU ref: 00E13307
• GetClientRect.USER32(?,?), ref: 00E13314
• ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E1331D
• ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E13330
• ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E13347
• ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E13367
• InvalidateRect.USER32(?,00000000,00000000), ref: 00E133B2
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Lib@@Rect@$Window$Rect$Height@Width@$ClientInvalidateMoveParentShowVisible
• String ID:
• API String ID: 2402323508-0
• Opcode ID: 9071e2ab3d7e5ea1d009397c92cd699fb825006a9c2b0e4bbfad5a632172f6dc
• Instruction ID: 7fe83fc12e9784661f37f6b60089ef9ea1a034b0440ba2b9c8fc94aeda6767fc
• Opcode Fuzzy Hash: 9071e2ab3d7e5ea1d009397c92cd699fb825006a9c2b0e4bbfad5a632172f6dc
• Instruction Fuzzy Hash: 764183329002099FCB10DF7ADD8A9AEBBB5FF99750B144629F416B3161DB30B998CF50
APIs
• ?GetDPIObj@CPaintManagerUI@DuiLib@@QAEPAVCDPI@2@XZ.YCOMUIU ref: 00E062C8
• ?GetScale@CDPI@DuiLib@@QAEIXZ.YCOMUIU(00000064), ref: 00E062DF
• MulDiv.KERNEL32(?,00000000), ref: 00E062EB
• ?GetScale@CDPI@DuiLib@@QAEIXZ.YCOMUIU(00000064), ref: 00E062F5
• MulDiv.KERNEL32(?,00000000), ref: 00E062FB
• GetClientRect.USER32(?,?), ref: 00E06318
• GetWindowLongW.USER32(?,000000F0), ref: 00E06349
• GetMenu.USER32(?), ref: 00E06355
• GetWindowLongW.USER32(?,000000EC), ref: 00E0636D
• GetWindowLongW.USER32(?,000000F0), ref: 00E06376
• AdjustWindowRectEx.USER32(?,00000000), ref: 00E0637D
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,?), ref: 00E063A1
• ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU ref: 00E063A9
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Window$Lib@@$Long$RectScale@$AdjustCenterClientI@2@ManagerMenuObj@PaintWindow@Wnd@
• String ID:
• API String ID: 3482706143-0
• Opcode ID: b87de55e39ce5f6d492be996748350270e41a7e23db29377fb2239a30a3ac710
• Instruction ID: 05e765889a017d70fce2e706bbf47f996c4d787b989cb63b25fcae4dc913614f
• Opcode Fuzzy Hash: b87de55e39ce5f6d492be996748350270e41a7e23db29377fb2239a30a3ac710
• Instruction Fuzzy Hash: 65313E31A00119EFDF10AF65DD45AAEBBB9FF84710F148255E815B72A1DB30DD54CBA0
APIs
• GetDC.USER32(00000000), ref: 00DE06D9
• CreateCompatibleDC.GDI32(00000000), ref: 00DE06F6
• CreateCompatibleDC.GDI32(00000000), ref: 00DE06FE
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 00DE070D
• SelectObject.GDI32(00000000,?), ref: 00DE0720
• SelectObject.GDI32(?,?), ref: 00DE072A
• SetStretchBltMode.GDI32(?,00000004), ref: 00DE0733
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00DE0756
• SelectObject.GDI32(?,00000000), ref: 00DE0767
• SelectObject.GDI32(?,00000000), ref: 00DE076D
• DeleteDC.GDI32(?), ref: 00DE0776
• DeleteDC.GDI32(?), ref: 00DE077B
• ReleaseDC.USER32(00000000,?), ref: 00DE0782
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: ObjectSelect$CompatibleCreate$DeleteStretch$BitmapModeRelease
• String ID:
• API String ID: 1499107227-0
• Opcode ID: a00eac02d64d88d1edcb873c4ec31fbfe894a2b71b6dfaa36832fb1b07a48dea
• Instruction ID: 9f4bc62dcc4c2550a8a78b82f73cf5ed0324c546fc818fbb4e6871b994639c27
• Opcode Fuzzy Hash: a00eac02d64d88d1edcb873c4ec31fbfe894a2b71b6dfaa36832fb1b07a48dea
• Instruction Fuzzy Hash: 4F21FC76900218FFDF119FA6DC45FAEBF79EF48251F104055FA1463260CA715910DBA0
APIs
• GetLastError.KERNEL32(00000000,CHttpToolA::OpenRequest: szObjectName can not be an empty string.,CHttpToolA::OpenRequest: szObjectName can not be NULL.,00000000,CHttpToolA::OpenRequest: hConnection can not be NULL.,00000000,?,?,?,00000066,CHttpClientT::OpenRequest: hConnection can not be NULL.,00000000,EEAE26D7), ref: 00DD333E
Strings
• CHttpToolW::OpenRequest: szObjectName can not be an empty string., xrefs: 00DD3490
• CHttpToolA::OpenRequest: szObjectName can not be NULL., xrefs: 00DD3328
• CHttpToolW::OpenRequest: szObjectName can not be NULL., xrefs: 00DD3482
• CHttpClientMapT::Exists: szName can not be NULL., xrefs: 00DD3566
• CHttpToolA::OpenRequest: szObjectName can not be an empty string., xrefs: 00DD3332
• CHttpToolA::OpenRequest: hConnection can not be NULL., xrefs: 00DD331C
• CHttpToolW::OpenRequest: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter., xrefs: 00DD3466
• CHttpToolW::OpenRequest: hConnection can not be NULL., xrefs: 00DD3474
• CHttpClientMapT::Exists: szName can not be NULL., xrefs: 00DD35A6
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: ErrorLast
• String ID: CHttpClientMapT::Exists: szName can not be NULL.$CHttpClientMapT::Exists: szName can not be NULL.$CHttpToolA::OpenRequest: hConnection can not be NULL.$CHttpToolA::OpenRequest: szObjectName can not be NULL.$CHttpToolA::OpenRequest: szObjectName can not be an empty string.$CHttpToolW::OpenRequest: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.$CHttpToolW::OpenRequest: hConnection can not be NULL.$CHttpToolW::OpenRequest: szObjectName can not be NULL.$CHttpToolW::OpenRequest: szObjectName can not be an empty string.
• API String ID: 1452528299-1658706889
• Opcode ID: 865c2410d1a7785d6d978ec5b795e5d613a1272561bd1c719b653bf98d27a682
• Instruction ID: 7de15f731769fb9b73366534b451bc3e2c0cbaa630b5ae5b1bf6a801963f0715
• Opcode Fuzzy Hash: 865c2410d1a7785d6d978ec5b795e5d613a1272561bd1c719b653bf98d27a682
• Instruction Fuzzy Hash: 485134B1A403096BDF20EF65CC46FAF7AA8DF40B54F184026F914BA781D675EA048AF5
APIs
• GetPrivateProfileStringW.KERNEL32(762212C0,BtnName,00EF8660,?,00000104,?), ref: 00E0463A
• GetPrivateProfileStringW.KERNEL32(Payssion950,BtnIcon,00EF8660,?,00000104,?), ref: 00E046B3
• GetPrivateProfileStringW.KERNEL32(762212C0,pmid,00EF8660,?,00000104,?), ref: 00E0471F
• GetPrivateProfileStringW.KERNEL32(762212C0,currency,00EF8660,?,00000104,?), ref: 00E0478F
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: PrivateProfileString
• String ID: BtnIcon$BtnName$Config.ini$Payssion%d$Payssion950$currency$pmid
• API String ID: 1096422788-3233091370
• Opcode ID: d1c9d4a9b5076e084a50a7854a7c3038e2769ab20cec0bed7f7e05042c805ab6
• Instruction ID: d94ec8f7cabc1dd41386d568f1380a580f979f73af12dc1208824f188673bb9c
• Opcode Fuzzy Hash: d1c9d4a9b5076e084a50a7854a7c3038e2769ab20cec0bed7f7e05042c805ab6
• Instruction Fuzzy Hash: EE71A5B594021DAFCB24DF64DC89FEAB7B8EF54304F0442D9A906B7191DB309A85CFA0
APIs
• ?NeedParentUpdate@CControlUI@DuiLib@@QAEXXZ.YCOMUIU(?,?,?,00E3AEF8,00000000,?,?), ref: 00E53046
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: ControlLib@@NeedParentUpdate@
• String ID: Button$Edit$ListHeaderItem$pos
• API String ID: 3190494707-1293971654
• Opcode ID: 3361e12df08ec94a5175ce6a184a8bb350bfef21595a028074a9c47c26f39fc4
• Instruction ID: e38772a81daceb3ef5ddcddd60f933664c09bc60f6a882efde7e515aefa55dcf
• Opcode Fuzzy Hash: 3361e12df08ec94a5175ce6a184a8bb350bfef21595a028074a9c47c26f39fc4
• Instruction Fuzzy Hash: 8341B8363011019F8A149BBAEC8CD6EF799FFD43A6314182BF906D7290DB21DD15D661
APIs
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(listVideoSegment,EEAE26D7,?,6C47C8D0,00E34A64,00000000,00EEDEF0,000000FF,?,00E5323B), ref: 00E52E9F
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem1), ref: 00E52F2C
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem2), ref: 00E52F4E
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem3), ref: 00E52F70
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Control$FindI@2@Lib@@ManagerPaint$Name@V32@$Control@
• String ID: ControlTimeListItem1$ControlTimeListItem2$ControlTimeListItem3$TimeListItem1$TimeListItem2$TimeListItem3$listVideoSegment
• API String ID: 622653285-17963023
• Opcode ID: d617730faaad908dfed1af686b785deaffcbff41606932e6ba77ddfaa5c6f0d6
• Instruction ID: ba859b507d5f46553f11d08315bcf4cb9219c668df8488b38ff542f45e7c466a
• Opcode Fuzzy Hash: d617730faaad908dfed1af686b785deaffcbff41606932e6ba77ddfaa5c6f0d6
• Instruction Fuzzy Hash: 35515C30B016069FD700DB68DC48A6AB7F5EF89715B1442A9E912EB3E1DB70DC04DBA1
APIs
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(labelPlayTime,?,?,6C494480), ref: 00E5E4DD
• ??0CStdString@DuiLib@@QAE@XZ.YCOMUIU(?,?,6C494480), ref: 00E5E4F3
• _strftime.LIBCMT ref: 00E5E53E
• _strftime.LIBCMT ref: 00E5E55B
• ?Format@CStdString@DuiLib@@QAAHPB_WZZ.YCOMUIU(?,%s/%s,?,?,?,00000104,00F05EDC,?,?,00000104,00F05EDC,?,?,?,?,6C494480), ref: 00E5E57A
• ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU ref: 00E5E58B
• ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU ref: 00E5E5A4
• ?GetMaxValue@CProgressUI@DuiLib@@QBEHXZ.YCOMUIU(?,?,6C494480), ref: 00E5E5B6
• ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(00000000,?,?,6C494480), ref: 00E5E60D
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Lib@@$String@$ProgressValue@_strftime$ControlControl@FindFormat@I@2@ManagerPaint
• String ID: %s/%s$labelPlayTime
• API String ID: 3878013293-3311479159
• Opcode ID: 9f069cf80346245e9b49843bb8235e718e1a9c392fb296f9de3e053ffafbcb28
• Instruction ID: 18e4b0c6b6013bee276da78c1e4383f147139a42473ccd60353af645d7defca1
• Opcode Fuzzy Hash: 9f069cf80346245e9b49843bb8235e718e1a9c392fb296f9de3e053ffafbcb28
• Instruction Fuzzy Hash: 6A5174B1A4061E9FCB15DB64DC45BAEB3B8FF89305F0046A9E519F3251EB306A84CF54
APIs
• ?GetCurSel@CTileLayoutUI@DuiLib@@QBEHXZ.YCOMUIU(EEAE26D7,?,6C494A20), ref: 00E386D5
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,picSelectIcon), ref: 00E38706
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,picSelectBg), ref: 00E38725
• ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,picThumbnail), ref: 00E38744
• ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU ref: 00E38769
• ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(00000000), ref: 00E38785
• PathFileExistsW.SHLWAPI(?), ref: 00E38791
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: ControlLib@@$FindI@2@ManagerName@PaintV32@$String@$ExistsFileLayoutPathSel@Tile
• String ID: JIl$picSelectBg$picSelectIcon$picThumbnail
• API String ID: 1695393328-461281805
• Opcode ID: faca2b4d72a08012e068896a4c68de242b39dd42c786d5a4cf8c6b9d138fc822
• Instruction ID: b42cb91df17bce721ac839668c6a67095a67274067276b60dc814b59a705511e
• Opcode Fuzzy Hash: faca2b4d72a08012e068896a4c68de242b39dd42c786d5a4cf8c6b9d138fc822
• Instruction Fuzzy Hash: B0419F316006049FDB24DB34DA99BAABBB5FF91714F20161EE41AE3691EF30AD44CB51
APIs
• WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00DD6733
• WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00DD675E
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID:
• API String ID: 626452242-0
• Opcode ID: a20bb4caf28e0af69c7e0571f56c8e6853724e21907fa7caaec478bbf24e6c5e
• Instruction ID: ff3bfaaa20e344157540aa52b52cb7c1fd3806dfae98178ba56f45d0467ce36a
• Opcode Fuzzy Hash: a20bb4caf28e0af69c7e0571f56c8e6853724e21907fa7caaec478bbf24e6c5e
• Instruction Fuzzy Hash: 57A18071A40209AFEB10DFA59C46FBEB7B8EB45B11F18016AFA15E62C1DB70D904C7B1
                                                                                                              APIs
                                                                                                              • InternetOpenW.WININET(MyDownLoad,00000000,00000000,00000000,00000000), ref: 00DC8C1F
                                                                                                              • InternetConnectW.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00DC8C41
                                                                                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,00400000,00000000), ref: 00DC8C6B
                                                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DC8C84
                                                                                                              • HttpQueryInfoW.WININET(00000000,00000013,?,?,00000000), ref: 00DC8CAF
                                                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,00000200,00000000), ref: 00DC8D0D
                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 00DC8D5D
                                                                                                              • InternetCloseHandle.WININET(?), ref: 00DC8D6D
                                                                                                              • InternetCloseHandle.WININET(?), ref: 00DC8D75
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Internet$Http$CloseHandle$InfoOpenQueryRequest$ConnectSend
                                                                                                              • String ID: MyDownLoad
                                                                                                              • API String ID: 831660043-2427584921
                                                                                                              • Opcode ID: 7e3304e7e8847268447e2c0cb97ff8f4ffa0c29d8b701ed2a2c88a47c76c62ba
                                                                                                              • Instruction ID: 4bfa30e72e1d762b06bb26755f1aeb5642f3f3eb9819eecd149d3d0807053215
                                                                                                              • Opcode Fuzzy Hash: 7e3304e7e8847268447e2c0cb97ff8f4ffa0c29d8b701ed2a2c88a47c76c62ba
                                                                                                              • Instruction Fuzzy Hash: C45182B464031AAFDB309F65DC89F9A77B8AF04700F1445A8B606BB2D1DB70AE44DF64
                                                                                                              APIs
                                                                                                              • ?OnCreate@WindowImplBase@DuiLib@@UAEJIIJAAH@Z.YCOMUIU(?,?,?,?), ref: 00E36D4B
                                                                                                              • DragAcceptFiles.SHELL32(?,00000001), ref: 00E36D56
                                                                                                              • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter), ref: 00E36D6C
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00E36D75
                                                                                                              • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter), ref: 00E36D8E
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00E36D91
                                                                                                              • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter), ref: 00E36DA7
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00E36DAA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc$AcceptBase@Create@DragFilesImplLib@@Window
                                                                                                              • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                                              • API String ID: 1460113494-2498399450
                                                                                                              • Opcode ID: 7e516106cad0d2d93bd4a579194deaf76fc50ac97c0e221693de009b92cef5f9
                                                                                                              • Instruction ID: 018b7382a69eff220d17a1d926b760908ad5afd4a5fdcd01d529239ddb8d10a8
                                                                                                              • Opcode Fuzzy Hash: 7e516106cad0d2d93bd4a579194deaf76fc50ac97c0e221693de009b92cef5f9
                                                                                                              • Instruction Fuzzy Hash: D33194713803157AEF21AF909C47FAA3A68AB44F14F544065BF04BE0C2D6E5F814EA7A
                                                                                                              APIs
                                                                                                              • ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(btnClose), ref: 00E3E34C
                                                                                                              • ?Close@CWindowWnd@DuiLib@@QAEXI@Z.YCOMUIU(00000001), ref: 00E3E356
                                                                                                              • ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(btnSubmit), ref: 00E3E369
                                                                                                              • ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(btnSubmitMobile), ref: 00E3E37A
                                                                                                              • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU ref: 00E3E3AE
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$String@$Close@WindowWnd@
                                                                                                              • String ID: btnClose$btnSendCaptcha_Step1$btnSubmit$btnSubmitMobile
                                                                                                              • API String ID: 1507982089-1210267763
                                                                                                              • Opcode ID: 3e34fbdfb9f190b4c0e7e38f9657f1c0dec1f80ff0550eef79248395efeb83e1
                                                                                                              • Instruction ID: ae02c1cf7e4b32ac92a87b625ae46e7fab31365651f5ab822e595cbc0da50a3c
                                                                                                              • Opcode Fuzzy Hash: 3e34fbdfb9f190b4c0e7e38f9657f1c0dec1f80ff0550eef79248395efeb83e1
                                                                                                              • Instruction Fuzzy Hash: 51218071A00218DBCB14EB25DC49FED77B1EB45B14F0042A9E819B73D1DF726A49DB90
                                                                                                              APIs
                                                                                                                • Part of subcall function 00E5E3B0: ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(00000096,?,00E2ABE1), ref: 00E5E3BA
                                                                                                                • Part of subcall function 00E5E3B0: KillTimer.USER32(00000000,?,00E2ABE1), ref: 00E5E3C1
                                                                                                                • Part of subcall function 00E5E3B0: ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(wndMedia,00000000,?,00E2ABE1), ref: 00E5E3D0
                                                                                                                • Part of subcall function 00E5E3B0: WaitForSingleObject.KERNEL32(?,000249F0,?,00E2ABE1), ref: 00E5E3F7
                                                                                                                • Part of subcall function 00E5E3B0: CloseHandle.KERNEL32(?,?,00E2ABE1), ref: 00E5E405
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(picMedia,00000000), ref: 00E2ABF0
                                                                                                              • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(labelPlayTime), ref: 00E2ABFC
                                                                                                              • ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(00000000), ref: 00E2AC22
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPlay,00000001), ref: 00E2AC31
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPause,00000000), ref: 00E2AC3C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$Window$Base@ImplShowWindow@$CloseControlControl@D__@@FindHandleI@2@KillManagerObjectPaintProgressSingleTimerValue@WaitWnd@
                                                                                                              • String ID: 00:00:00/00:00:00$btnPause$btnPlay$labelPlayTime$picMedia
                                                                                                              • API String ID: 2759231128-2578747953
                                                                                                              • Opcode ID: a7a0c68db5470633bffd9fb350ec64460c949372a655932543a109141bf21778
                                                                                                              • Instruction ID: 32461d91cc36f91e14a1df408703d95ed8fe9a45b2d29bec1a2dd18e1dc5aa5a
                                                                                                              • Opcode Fuzzy Hash: a7a0c68db5470633bffd9fb350ec64460c949372a655932543a109141bf21778
                                                                                                              • Instruction Fuzzy Hash: 2CF06D343802015FD318AB59DC6AB25B3A5AFC8700F250429E5C2A73D0CEA09C40DA61
                                                                                                              APIs
                                                                                                                • Part of subcall function 00E21700: CharNextW.USER32(?,?,?,?), ref: 00E2173E
                                                                                                                • Part of subcall function 00E21700: CharNextW.USER32(00000000,?,?), ref: 00E2176B
                                                                                                                • Part of subcall function 00E21700: CharNextW.USER32(7693A7D0,?,?), ref: 00E21784
                                                                                                                • Part of subcall function 00E21700: CharNextW.USER32(7693A7D0,?,?), ref: 00E2178F
                                                                                                                • Part of subcall function 00E21700: CharNextW.USER32(?,?,?), ref: 00E217FE
                                                                                                              • lstrcmpiW.KERNEL32(?,00EFE5E0,?,EEAE26D7,?,?,?,?,?,00EE46C1,000000FF), ref: 00E203B3
                                                                                                              • lstrcmpiW.KERNEL32(?,00EFE600,?,?,?,?,?,00EE46C1,000000FF), ref: 00E203CA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CharNext$lstrcmpi
                                                                                                              • String ID:
                                                                                                              • API String ID: 3586774192-0
                                                                                                              • Opcode ID: bc522b7cf675e62596cb8b2217b1d4871792be672702f3ae5b85d3c1f475e380
                                                                                                              • Instruction ID: ae71ac8572ff232bdd6a5448d5d3d461b81dd7a874e0df20d1de63a227091257
                                                                                                              • Opcode Fuzzy Hash: bc522b7cf675e62596cb8b2217b1d4871792be672702f3ae5b85d3c1f475e380
                                                                                                              • Instruction Fuzzy Hash: DBD1BE71900229DBDB24DB24DC89BE9B7B4AF14314F1151EAEA09B72D2E7306E95CF90
                                                                                                              APIs
                                                                                                              • ??0CDuiPoint@DuiLib@@QAE@XZ.YCOMUIU(EEAE26D7,?,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00E0836D
                                                                                                              • GetCursorPos.USER32(00000000), ref: 00E08377
                                                                                                              • ScreenToClient.USER32(00000007,00000000), ref: 00E08384
                                                                                                              • ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU(?,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E0838D
                                                                                                              • GetClientRect.USER32(00000007,00000000), ref: 00E0839A
                                                                                                              • ?PtInRect@CDuiRect@DuiLib@@QBEHUtagPOINT@@@Z.YCOMUIU(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00E083A9
                                                                                                              • GdipCreateSolidFill.GDIPLUS(96FF0000,?,?,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000), ref: 00E0849C
                                                                                                              • GdipFillEllipse.GDIPLUS(?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,00000000,00000000), ref: 00E084DD
                                                                                                              • ??9CDuiPoint@DuiLib@@QBEHUtagPOINT@@@Z.YCOMUIU(?,00000000,EEAE26D7,?,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,?,00000000,00000000,00000000), ref: 00E0851F
                                                                                                              • GdipFillRectangle.GDIPLUS(?,00000000,?,?,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,?,00000000,00000000,00000000), ref: 00E08586
                                                                                                              • GdipDeleteBrush.GDIPLUS(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,?), ref: 00E085A3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: GdipLib@@$FillRect@$ClientPoint@T@@@Utag$BrushCreateCursorDeleteEllipseRectRectangleScreenSolid
                                                                                                              • String ID:
                                                                                                              • API String ID: 3572262594-0
                                                                                                              • Opcode ID: 99cc0c531e88a5b91865b4b3df07f770f124ba16a7ac2eb805aa2a362414cb6b
                                                                                                              • Instruction ID: 38d61b452c08443a2609ead853ce16aad17ba14094f56b4ce35ec5307af22417
                                                                                                              • Opcode Fuzzy Hash: 99cc0c531e88a5b91865b4b3df07f770f124ba16a7ac2eb805aa2a362414cb6b
                                                                                                              • Instruction Fuzzy Hash: 1A717B71A0160AEFCB01DFB6C980AADFBB5FF49304F149319E455B21A1EB30A9A4DB50
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,00000234), ref: 00EA0711
                                                                                                              • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000234), ref: 00EA071E
                                                                                                              • __dosmaperr.LIBCMT ref: 00EA0725
                                                                                                              • MultiByteToWideChar.KERNEL32(00000234,00000000,?,000000FF,00000000,00000000,?,?,00000000,00000000,?,?,?,00000000,00000234), ref: 00EA0751
                                                                                                              • GetLastError.KERNEL32(?,?,00000000,00000000,?,?,?,00000000,00000234), ref: 00EA075B
                                                                                                              • __dosmaperr.LIBCMT ref: 00EA0762
                                                                                                              • WideCharToMultiByte.KERNEL32(00000234,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,00000000,00000000,?), ref: 00EA07A5
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000000,?,?,?,00000000,00000234), ref: 00EA07AF
                                                                                                              • __dosmaperr.LIBCMT ref: 00EA07B6
                                                                                                              • _free.LIBCMT ref: 00EA07C2
                                                                                                              • _free.LIBCMT ref: 00EA07C9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 2441525078-0
                                                                                                              • Opcode ID: 375d2b95f0eab0857c4510526bb06d9b255689e3f8b75d65fd9f8ad08818a15c
                                                                                                              • Instruction ID: fce244f5f8670398be13ecd42f7a6417bd2e42f09b1d6cb52cca3df9af789aa1
                                                                                                              • Opcode Fuzzy Hash: 375d2b95f0eab0857c4510526bb06d9b255689e3f8b75d65fd9f8ad08818a15c
                                                                                                              • Instruction Fuzzy Hash: EF319332805109BFDF11AFA4DC85DBF3BA8EF4A324B14115AF910BA151DB31AD50DFA0
                                                                                                              APIs
                                                                                                              • ??0CDuiPoint@DuiLib@@QAE@XZ.YCOMUIU ref: 00E0A430
                                                                                                              • GetCursorPos.USER32(?), ref: 00E0A43A
                                                                                                              • ScreenToClient.USER32(?,?), ref: 00E0A447
                                                                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00E0A4A0
                                                                                                              • SetCursor.USER32(00000000), ref: 00E0A4A7
                                                                                                              • ??0CDuiPoint@DuiLib@@QAE@XZ.YCOMUIU ref: 00E0A4C0
                                                                                                              • GetCursorPos.USER32(?), ref: 00E0A4CA
                                                                                                              • ScreenToClient.USER32(?,?), ref: 00E0A4D7
                                                                                                              • SetCursor.USER32(00000000), ref: 00E0A52B
                                                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00E0A542
                                                                                                              • SetCursor.USER32(00000000), ref: 00E0A549
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Cursor$ClientLib@@LoadPoint@Screen
                                                                                                              • String ID:
                                                                                                              • API String ID: 702515206-0
                                                                                                              • Opcode ID: c56a2e273f7ea29681ac9a59b1be9bce662d1a85826c54b31243d4973b9c306e
                                                                                                              • Instruction ID: a53d53596509460d64dc8fac610e1a11740a76c6cea23f724ad22c5d9565d2c9
                                                                                                              • Opcode Fuzzy Hash: c56a2e273f7ea29681ac9a59b1be9bce662d1a85826c54b31243d4973b9c306e
                                                                                                              • Instruction Fuzzy Hash: EF31913281470D9FD712EB77E849BA9B764BF58701F088B16E86AF2092D7603598CB51
                                                                                                              APIs
                                                                                                              • WaitForSingleObject.KERNEL32(?,00000000,EEAE26D7), ref: 00DFE11C
                                                                                                              • CloseHandle.KERNEL32(?), ref: 00DFE133
                                                                                                                • Part of subcall function 00DF5150: FindResourceExW.KERNEL32(00000000,00000006,00DF5E74,00000000,00000000,00000000,00000000,?,00DF5E74,-00000010), ref: 00DF518E
                                                                                                                • Part of subcall function 00DF5150: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00DF51D7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FindResource$CloseHandleObjectSingleWait
                                                                                                              • String ID: AppId$ChannelCode$Content$OsBit$Version$error.ashx$http://
                                                                                                              • API String ID: 327101899-1057271210
                                                                                                              • Opcode ID: bc53e2c4b7cafb190e632ba16f59198a63c48232258e45aec7b5a749cfd65ed3
                                                                                                              • Instruction ID: 0235ab15dfffd763fb442f52cdb2abad4ee5606b9dff4e4136476448e3c9665a
                                                                                                              • Opcode Fuzzy Hash: bc53e2c4b7cafb190e632ba16f59198a63c48232258e45aec7b5a749cfd65ed3
                                                                                                              • Instruction Fuzzy Hash: B4E1A330901289DAEB10EB64CC45BEEBBB5FF15300F1481D8E549A7292DBB49F84DBB1
                                                                                                              APIs
                                                                                                              • ?GetDlgItemTextW@WindowImplBase@DuiLib@@QAE?AVCStdString@2@PB_W_N@Z.YCOMUIU(?,edtMobile_Step1,00000000,EEAE26D7,6C494A20), ref: 00E3E5EE
                                                                                                              • ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU ref: 00E3E5FD
                                                                                                              • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(00000000), ref: 00E3E619
                                                                                                              • ?SetFocus@WindowImplBase@DuiLib@@QAEXPB_W@Z.YCOMUIU(edtMobile_Step1), ref: 00E3E65D
                                                                                                                • Part of subcall function 00DF4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF4167
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$Base@ImplString@Window$Exception@8Focus@ItemString@2@TextThrow
                                                                                                              • String ID: Error$Message$VerifySendByPhone$edtMobile_Step1
                                                                                                              • API String ID: 2466937631-1834485651
                                                                                                              • Opcode ID: bf55ae9ea45568ace9eea4f109b14424e01c05654407c79fb66241a8e868fe7d
                                                                                                              • Instruction ID: 2ba81e65ff7e7ec9f24fc386a73abc8e75ecf8029b70bcdaf75c6335903f035f
                                                                                                              • Opcode Fuzzy Hash: bf55ae9ea45568ace9eea4f109b14424e01c05654407c79fb66241a8e868fe7d
                                                                                                              • Instruction Fuzzy Hash: 83818270A00248EFDB10DB68DC4AB5EBBB4EF45314F148298F559A73D2DB709E44CBA2
                                                                                                              APIs
                                                                                                              • ?GetValue@CProgressUI@DuiLib@@QBEHXZ.YCOMUIU(?), ref: 00E5E082
                                                                                                              • ?GetMaxValue@CProgressUI@DuiLib@@QBEHXZ.YCOMUIU ref: 00E5E09C
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPlay,00000000), ref: 00E5E0E7
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPause,00000001), ref: 00E5E0F6
                                                                                                              • WaitForSingleObject.KERNEL32(?,00003A98), ref: 00E5E145
                                                                                                              • CloseHandle.KERNEL32(?), ref: 00E5E153
                                                                                                              • CreateThread.KERNEL32(00000000,00000000,00E5E310,?,00000000,?), ref: 00E5E1A7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$Base@ImplProgressShowValue@WindowWindow@$CloseCreateHandleObjectSingleThreadWait
                                                                                                              • String ID: btnPause$btnPlay
                                                                                                              • API String ID: 2347155664-2951056387
                                                                                                              • Opcode ID: 9f7e4e0fe1bf9da11e77111e2d7a6204868bb852c0c7b95a5f64f2891e8eceaf
                                                                                                              • Instruction ID: 1cb41380836dc793f97a3d3fc4cd3332c5e02fdf276b0c19ea1900cdc69a740e
                                                                                                              • Opcode Fuzzy Hash: 9f7e4e0fe1bf9da11e77111e2d7a6204868bb852c0c7b95a5f64f2891e8eceaf
                                                                                                              • Instruction Fuzzy Hash: 1E41CF70B0170AAFD714CF26DD85B25F3A4BF44316F144B6AE809A3790EB70B9A8CB40
                                                                                                              APIs
                                                                                                              • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(labelPlayTime,?,?,?), ref: 00E2EA51
                                                                                                              • _strftime.LIBCMT ref: 00E2EAAB
                                                                                                              • ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(00000000,?,?), ref: 00E2EAD2
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPlay,00000001,?,?), ref: 00E2EAE7
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPause,00000000), ref: 00E2EAF2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$Base@ImplShowWindowWindow@$ControlControl@FindI@2@ManagerPaintProgressValue@_strftime
                                                                                                              • String ID: 00:00:00/%X$btnPause$btnPlay$labelPlayTime
                                                                                                              • API String ID: 827822990-879858253
                                                                                                              • Opcode ID: 7d0de35ef5b324df5e7d73154ef3f1b76291e373b5e719dc1f6131348a90e5d1
                                                                                                              • Instruction ID: 19cbbbe4f736b413a2a6698eb9caf8f7744d0fbab1fc72413072c33fd3f5f570
                                                                                                              • Opcode Fuzzy Hash: 7d0de35ef5b324df5e7d73154ef3f1b76291e373b5e719dc1f6131348a90e5d1
                                                                                                              • Instruction Fuzzy Hash: AB31A671B413359BCB24DB68DC89BAAB3E8FF44704F1415AAE446B7281DB70ED44CB51
                                                                                                              APIs
                                                                                                              • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(labelPlayTime,?,?), ref: 00E2C358
                                                                                                              • _strftime.LIBCMT ref: 00E2C3B2
                                                                                                              • ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(00000000), ref: 00E2C3D9
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPlay,00000001), ref: 00E2C3EE
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPause,00000000), ref: 00E2C3F9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$Base@ImplShowWindowWindow@$ControlControl@FindI@2@ManagerPaintProgressValue@_strftime
                                                                                                              • String ID: 00:00:00/%X$btnPause$btnPlay$labelPlayTime
                                                                                                              • API String ID: 827822990-879858253
                                                                                                              • Opcode ID: 0412e82df45bdbb3b421fab1736556cf54fdf5149d5b44b571413d95f3dfd7dd
                                                                                                              • Instruction ID: dd95d4509355ee90f0444733e1780c8129a73498a5e64cbd9d6d05c502839157
                                                                                                              • Opcode Fuzzy Hash: 0412e82df45bdbb3b421fab1736556cf54fdf5149d5b44b571413d95f3dfd7dd
                                                                                                              • Instruction Fuzzy Hash: 7A31A871B413259BCB24EB54DC85BAEB3E8EF44704F1055AAE845B7281DB70ED44CB91
                                                                                                              APIs
                                                                                                              • IsWindow.USER32(00000001), ref: 00E4470A
                                                                                                              • ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(00000001,00EF8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E44734
                                                                                                              • ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU(?,?,?,?,?,?,?,?,?,00F4E7C0,00EEABB4,000000FF,?,00E389C9,00000001,00000001), ref: 00E4473C
                                                                                                              • ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU(?,?,?,?,?,?,?,?,?,00F4E7C0,00EEABB4,000000FF,?,00E389C9,00000001,00000001), ref: 00E44744
                                                                                                              • PostMessageW.USER32(00000001,00000404,00000000,00000000), ref: 00E4476A
                                                                                                              • IsWindow.USER32 ref: 00E447E0
                                                                                                              • ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(00000001,00EF8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E4480A
                                                                                                              • ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU(?,?,?,?,?,?,?,?,?,00F4E7C0,00EEABB4,000000FF), ref: 00E44812
                                                                                                              • ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU(?,?,?,?,?,?,?,?,?,00F4E7C0,00EEABB4,000000FF), ref: 00E4481A
                                                                                                              • SendMessageW.USER32(00000001,00000403,00000000,00000000), ref: 00E44832
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Lib@@Wnd@$CenterCreate@D__@@MessageModal@ShowU__@@@Window@$PostSend
                                                                                                              • String ID:
                                                                                                              • API String ID: 99327597-0
                                                                                                              • Opcode ID: e475046f68a2f68e1774a284de7db8dd9b86d9bd746b3fa29d698ce163352b36
                                                                                                              • Instruction ID: b7eed1c7c377cce535bd3381ac478d11b5b915f4f0727df92d9e36309c699f50
                                                                                                              • Opcode Fuzzy Hash: e475046f68a2f68e1774a284de7db8dd9b86d9bd746b3fa29d698ce163352b36
                                                                                                              • Instruction Fuzzy Hash: E381D3B1E00249AFDB20DFB5E848BAEBBF4EB49714F105219E912B72D1DF745A04DB90
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000000,CHttpClientT::_ProceedUploadContext: nDesired can not be zero.,00000000,CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.,00000000,CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.,00000000,CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.,00000000,00000068), ref: 00DDA597
                                                                                                              Strings
                                                                                                              • CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL., xrefs: 00DDA0E6
                                                                                                              • CHttpPostStatT::PostedFileCount: The post context is not active., xrefs: 00DD36EC
                                                                                                              • CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL., xrefs: 00DDA573
                                                                                                              • CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL., xrefs: 00DDA567
                                                                                                              • CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL., xrefs: 00DDA57F
                                                                                                              • CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL., xrefs: 00DDA0FE
                                                                                                              • CHttpClientT::_ProceedUploadContext: nDesired can not be zero., xrefs: 00DDA58B
                                                                                                              • CHttpClientT::_ProceedUploadContext: nDesired can not be zero., xrefs: 00DDA10A
                                                                                                              • CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL., xrefs: 00DDA0F2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast
                                                                                                              • String ID: CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.$CHttpClientT::_ProceedUploadContext: nDesired can not be zero.$CHttpClientT::_ProceedUploadContext: nDesired can not be zero.$CHttpPostStatT::PostedFileCount: The post context is not active.
                                                                                                              • API String ID: 1452528299-2067851693
                                                                                                              • Opcode ID: 9b478df4511163c84fdfcaa1646b9d2f679195a35c9a8ba4b7abef78cee603b7
                                                                                                              • Instruction ID: 5401a778f0a900ca1009bc1e8e5f4512cd6b34179c232040d15ca76260cae696
                                                                                                              • Opcode Fuzzy Hash: 9b478df4511163c84fdfcaa1646b9d2f679195a35c9a8ba4b7abef78cee603b7
                                                                                                              • Instruction Fuzzy Hash: 4641C170740305ABDB14EBA8DC46BADB6A9FF44704F08822BF915A63C1DF74A944C7B6
                                                                                                              APIs
                                                                                                                • Part of subcall function 00EC3000: GetLastError.KERNEL32(?,?,00E92F0B,?,?,?,00E8F0D7,?,?,?,?), ref: 00EC3004
                                                                                                                • Part of subcall function 00EC3000: _free.LIBCMT ref: 00EC3037
                                                                                                                • Part of subcall function 00EC3000: SetLastError.KERNEL32(00000000,?,?,?), ref: 00EC3078
                                                                                                                • Part of subcall function 00EC3000: _abort.LIBCMT ref: 00EC307E
                                                                                                              • _memcmp.LIBVCRUNTIME ref: 00EBF2AC
                                                                                                              • _free.LIBCMT ref: 00EBF31D
                                                                                                              • _free.LIBCMT ref: 00EBF336
                                                                                                              • _free.LIBCMT ref: 00EBF368
                                                                                                              • _free.LIBCMT ref: 00EBF371
                                                                                                              • _free.LIBCMT ref: 00EBF37D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                              • String ID: C$[J
                                                                                                              • API String ID: 1679612858-3152763874
                                                                                                              • Opcode ID: 2a9838b08f94f056fa651a35524168476e40e7a3016ba5b21cc361f3cab9becf
                                                                                                              • Instruction ID: 555c93657eb6ed9e006f55701867132b854f64175c30b3119e8ca8376b360945
                                                                                                              • Opcode Fuzzy Hash: 2a9838b08f94f056fa651a35524168476e40e7a3016ba5b21cc361f3cab9becf
                                                                                                              • Instruction Fuzzy Hash: 4EC13775A01619DFDB24DF18CC85AEEB7B4FB08304F2085AAE949A7361D731AE90CF40
                                                                                                              APIs
                                                                                                                • Part of subcall function 00E2B670: PathFileExistsW.SHLWAPI(?,EEAE26D7,00000001), ref: 00E2B6DD
                                                                                                              • PathFileExistsW.SHLWAPI(?,?,00000001,EEAE26D7,?,?,?), ref: 00E2B13B
                                                                                                              • PathFindExtensionW.SHLWAPI(?), ref: 00E2B14F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Path$ExistsFile$ExtensionFind
                                                                                                              • String ID: %lld%s$%s%s$%s_%lld%s
                                                                                                              • API String ID: 2703110767-715824524
                                                                                                              • Opcode ID: 5f244a1822fa67e64e5d17c9c7f588d6a9c8c8a70325d821e30d4ff909455139
                                                                                                              • Instruction ID: 5ae7c20ec1d07eade3c03abd1d985d4e965b4635298ab1b174f1064a1e818a51
                                                                                                              • Opcode Fuzzy Hash: 5f244a1822fa67e64e5d17c9c7f588d6a9c8c8a70325d821e30d4ff909455139
                                                                                                              • Instruction Fuzzy Hash: ABB19B3180029CEFDB01EBA4CD49BEEBBB8FF15304F648058E541B7192DB756A58DBA1
                                                                                                              APIs
                                                                                                              • HttpAddRequestHeadersA.WININET(?,?,?,20000000), ref: 00DCE4E7
                                                                                                              • GetLastError.KERNEL32(00000000,?,000000FF,?,00DD302E), ref: 00DCE53D
                                                                                                              Strings
                                                                                                              • CHttpToolA::AddHeader: hRequest can not be NULL., xrefs: 00DCE516
                                                                                                              • CHttpToolW::AddHeader: szName can not be NULL., xrefs: 00DCE634
                                                                                                              • CHttpToolW::AddHeader: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter., xrefs: 00DCE618
                                                                                                              • CHttpToolA::AddHeader: szName can not be NULL., xrefs: 00DCE522
                                                                                                              • CHttpToolW::AddHeader: hRequest can not be NULL., xrefs: 00DCE626
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorHeadersHttpLastRequest
                                                                                                              • String ID: CHttpToolA::AddHeader: hRequest can not be NULL.$CHttpToolA::AddHeader: szName can not be NULL.$CHttpToolW::AddHeader: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.$CHttpToolW::AddHeader: hRequest can not be NULL.$CHttpToolW::AddHeader: szName can not be NULL.
                                                                                                              • API String ID: 2189517503-3693341011
                                                                                                              • Opcode ID: b0c70f92fd83cfcae2523d1f8f2de90bdcee4b0fd7bafa9fdc955d45a8487e20
                                                                                                              • Instruction ID: 6945be6539c5eb4bb72f7c96bfbd1b9b7a6539111c510e70093453da614be093
                                                                                                              • Opcode Fuzzy Hash: b0c70f92fd83cfcae2523d1f8f2de90bdcee4b0fd7bafa9fdc955d45a8487e20
                                                                                                              • Instruction Fuzzy Hash: 7181F4B0A042469BDF149F64CC06FBEBBA5EF51704F18416CE815AB282DB71AA05CBB1
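                                                                                                              The function records in this section (an API list with `ref:` virtual addresses, strings with `xrefs:`, the memory-dump source and the Similarity hashes) are what the Joe Sandbox IDA plugin exports for every analysed function. Pivoting on an Opcode ID or fuzzy hash across reports, or pulling host artefacts such as the path a function passes to CreateFileW, is easier from structured data than from the rendered page. The parser below is an added example written for this page, not Joe Sandbox or EasePaint code: its record grammar is inferred from the dumps shown here, SAMPLE is a constructed excerpt of two of these records (with the "Download File" link text that the web export glues onto Associated dump names left in, so the parser has to strip it), and the CreateFileW decoding uses the documented Win32 GENERIC_* access bits and dwCreationDisposition values.

```python
"""Parse Joe Sandbox IDA-plugin function records (APIs / Strings / Memory Dump
Source / Similarity, as dumped above) into structured objects.  Added example,
not Joe Sandbox or EasePaint code; the grammar is inferred from this page."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"  # indented callee entries
    r"(?P<api>.+?)\.(?P<mod>[A-Za-z0-9_]+)"                 # Name.MODULE
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")     # (args), ref: VA
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-F]+)$")
SRC_RE = re.compile(r"^Source File: (?P<name>\S+), Offset: [0-9A-F]+, based on PE: ")
# Win32 constants used to decode CreateFileW arguments
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# Constructed excerpt: two records copied from this report, bullets and the
# glued "Download File" link text exactly as the web export emits them.
SAMPLE = r"""
APIs
• CreateFileW.KERNEL32(C:\Users\user\AppData\Roaming\EasePaintWatermarkRemover\run.dat,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 00DC891E
• _strftime.LIBCMT ref: 00DC896C
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00DC8A42
• CloseHandle.KERNEL32(00000000), ref: 00DC8A73
Strings
• %Y-%m-%d %H:%M:%S, xrefs: 00DC895B
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Similarity
• API String ID: 3725919317-2092113679
APIs
  • Part of subcall function 00E2B670: PathFileExistsW.SHLWAPI(?,EEAE26D7,00000001), ref: 00E2B6DD
• PathFindExtensionW.SHLWAPI(?), ref: 00E2B14F
Similarity
• Opcode ID: 5f244a1822fa67e64e5d17c9c7f588d6a9c8c8a70325d821e30d4ff909455139
"""

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # VA of the callee for "Part of subcall" entries

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)  # (text, xref VA)
    source_file: Optional[str] = None
    associated: List[str] = field(default_factory=list)
    similarity: dict = field(default_factory=dict)  # Opcode ID, fuzzy hashes, ...

def parse_records(text: str) -> List[FunctionRecord]:
    records, section, rec = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":  # every record opens with its API list
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        line = line.lstrip("• ").strip()  # drop the bullet glyph
        if rec is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            rec.apis.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            rec.strings.append((m["text"], m["xref"]))
        elif section == "Memory Dump Source":
            if m := SRC_RE.match(line):
                rec.source_file = m["name"]
            elif line.startswith("Associated: "):  # strip the glued link text
                rec.associated.append(line[len("Associated: "):].replace("Download File", ""))
        elif section == "Similarity":
            key, _, value = line.partition(":")
            rec.similarity[key.strip()] = value.strip()
    return records

def describe_createfile(call: ApiCall) -> Tuple[str, str]:
    """Decode dwDesiredAccess and dwCreationDisposition of a CreateFileW call
    (args: lpFileName, access, share, security, disposition, flags, template)."""
    access = int(call.args[1], 16)
    names = [n for bit, n in GENERIC.items() if access & bit]
    disp = DISPOSITION.get(int(call.args[4], 16), call.args[4])
    return " | ".join(names) or hex(access), disp

def written_paths(rec: FunctionRecord) -> List[str]:
    """Literal paths a function opens with write access via CreateFileW;
    "?" marks a non-constant argument and is skipped."""
    return [c.args[0] for c in rec.apis
            if c.api == "CreateFileW" and len(c.args) >= 5 and "?" not in c.args[:2]
            and int(c.args[1], 16) & (0x40000000 | 0x10000000)]  # WRITE or ALL
```

Run over a saved report, `parse_records` yields one FunctionRecord per "APIs" block; `similarity["Opcode ID"]` and the fuzzy hashes are the keys to compare between reports, while `written_paths` and `describe_createfile` turn an argument list such as `C0000000,...,00000004` into GENERIC_READ | GENERIC_WRITE with OPEN_ALWAYS, which is the append-to-log pattern visible in the run.dat function later in this section.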
                                                                                                              APIs
                                                                                                              • CreateFileW.KERNEL32(C:\Users\user\AppData\Roaming\EasePaintWatermarkRemover\run.dat,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 00DC891E
                                                                                                              • _strftime.LIBCMT ref: 00DC896C
                                                                                                              • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 00DC89DE
                                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00DC8A42
                                                                                                              • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00DC8A6C
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00DC8A73
                                                                                                              Strings
                                                                                                              • %Y-%m-%d %H:%M:%S, xrefs: 00DC895B
                                                                                                              • C:\Users\user\AppData\Roaming\EasePaintWatermarkRemover\run.dat, xrefs: 00DC8919
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$ByteCharCloseCreateHandleMultiPointerWideWrite_strftime
                                                                                                              • String ID: %Y-%m-%d %H:%M:%S$C:\Users\user\AppData\Roaming\EasePaintWatermarkRemover\run.dat
                                                                                                              • API String ID: 3725919317-2092113679
                                                                                                              • Opcode ID: 83c9999b3f9b9b99c8a396abbdc8843c2613fa9786d7853e840170ebb3a478a6
                                                                                                              • Instruction ID: d141b463df2b607d2a4c4b0faae243c032c7b7c1de7e3167fb39d830c7267033
                                                                                                              • Opcode Fuzzy Hash: 83c9999b3f9b9b99c8a396abbdc8843c2613fa9786d7853e840170ebb3a478a6
                                                                                                              • Instruction Fuzzy Hash: FA511430500306AFDF249B208C46FFAB769AF85704F1442D8F559BB1D2DF726A4ACB64

APIs
• _ValidateLocalCookies.LIBCMT ref: 00E82CBB
• ___except_validate_context_record.LIBVCRUNTIME ref: 00E82CC3
• _ValidateLocalCookies.LIBCMT ref: 00E82D51
• __IsNonwritableInCurrentImage.LIBCMT ref: 00E82D7C
• _ValidateLocalCookies.LIBCMT ref: 00E82DD1
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: 0F$[J$csm
• API String ID: 1170836740-3971779719
• Opcode ID: 7c79e67f321e1889df0857d90956bf6d6f4ffe363ae6d24807a377bb0d095529
• Instruction ID: 36bc1241e242cf172d0e0a2bc31d05f5e022f98f51c490d51ee0435edb58ab32
• Opcode Fuzzy Hash: 7c79e67f321e1889df0857d90956bf6d6f4ffe363ae6d24807a377bb0d095529
• Instruction Fuzzy Hash: A8516134A00209DFCB14EF68C844A9EBFE5FF45314F149199EA1CAB392D771E906CB91

APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00E303AF
  • Part of subcall function 00E83E56: RaiseException.KERNEL32(?,?,EEAE26D7,?,?,?,?,?,?,00E056AD,80004005,EEAE26D7), ref: 00E83EB6
• ??0CContainerUI@DuiLib@@QAE@XZ.YCOMUIU(EEAE26D7,?,?,00000000), ref: 00E30412
• ??0CDialogBuilder@DuiLib@@QAE@XZ.YCOMUIU ref: 00E3043C
  • Part of subcall function 00E03870: FindResourceW.KERNEL32(00000000,00000100,00000006,000000FF), ref: 00E038B2
• ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,00F047B0,?,?,.xml,00000004,ConverCtrl), ref: 00E304EE
• ?Add@CContainerUI@DuiLib@@UAE_NPAVCControlUI@2@@Z.YCOMUIU(00000000,?,00000000,00F047B0,?,?,.xml,00000004,ConverCtrl), ref: 00E3053D
• ??1CMarkup@DuiLib@@QAE@XZ.YCOMUIU(?,00000000,00F047B0,?,?,.xml,00000004,ConverCtrl), ref: 00E30557
Similarity
• API ID: Lib@@$Dialog$Builder@ContainerControlI@2@$Add@BuilderCallback@2@Create@D@2@ExceptionException@8FindI@2@@ManagerMarkup@PaintRaiseResourceThrowV32@@
• String ID: .xml$ConverCtrl
• API String ID: 1872500732-3714082515
• Opcode ID: 1465dc1de651140cc8e1383c62a940757b311ac012931ed665b4439423ca37a5
• Instruction ID: 7daf4d50ec268a5a3f85a44ba63d5503173d421211ec4f33178b319f339140e8
• Opcode Fuzzy Hash: 1465dc1de651140cc8e1383c62a940757b311ac012931ed665b4439423ca37a5
• Instruction Fuzzy Hash: D8518970A00218DFDB24DF68CC09BEABBF4EF46314F108199A919A72D1CB716A44DF91

APIs
• WaitForSingleObject.KERNEL32(00000000,00000000,EEAE26D7,6C494B50,00F5161C,00000000,00EEE838,000000FF,?,00E36577,FFFFFFFF,00000000,?,769523D0,?), ref: 00E56490
• CloseHandle.KERNEL32(00000000,?,00E36577,FFFFFFFF,00000000,?,769523D0,?), ref: 00E564A4
• PathFileExistsW.SHLWAPI(?,769523D0), ref: 00E564DE
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,0000000A), ref: 00E56528
Similarity
• API ID: CloseExecuteExistsFileHandleObjectPathShellSingleWait
• String ID: EasePaintSetup.exe$SGFzVXBkYXRl$VXBkYXRpbmc=$open
• API String ID: 544071753-1735040884
• Opcode ID: 1522fb094afd5efeaa4b2f6fbf4c984ebd263d4bd44a8841d9dfff9c5bd0ecaf
• Instruction ID: 9bad52afc412ae59bdc79df48054a64f61b1743608e6300cc27ac157e4a22858
• Opcode Fuzzy Hash: 1522fb094afd5efeaa4b2f6fbf4c984ebd263d4bd44a8841d9dfff9c5bd0ecaf
• Instruction Fuzzy Hash: 9041D571A40704AFDB20DF64DC46B59BBF4FB05721F108619FC15A72D1EB75AA08CB91

APIs
• ??0CContainerUI@DuiLib@@QAE@XZ.YCOMUIU(EEAE26D7,?,?,00000000), ref: 00E30412
• ??0CDialogBuilder@DuiLib@@QAE@XZ.YCOMUIU ref: 00E3043C
  • Part of subcall function 00E03870: FindResourceW.KERNEL32(00000000,00000100,00000006,000000FF), ref: 00E038B2
• ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,00F047B0,?,?,.xml,00000004,ConverCtrl), ref: 00E304EE
• ?Add@CContainerUI@DuiLib@@UAE_NPAVCControlUI@2@@Z.YCOMUIU(00000000,?,00000000,00F047B0,?,?,.xml,00000004,ConverCtrl), ref: 00E3053D
• ?RemoveAll@CContainerUI@DuiLib@@UAEX_N@Z.YCOMUIU(00000001,?,00000000,00F047B0,?,?,.xml,00000004,ConverCtrl), ref: 00E30547
• ??1CMarkup@DuiLib@@QAE@XZ.YCOMUIU(?,00000000,00F047B0,?,?,.xml,00000004,ConverCtrl), ref: 00E30557
Similarity
• API ID: Lib@@$ContainerDialog$Builder@ControlI@2@$Add@All@BuilderCallback@2@Create@D@2@FindI@2@@ManagerMarkup@PaintRemoveResourceV32@@
• String ID: .xml$ConverCtrl
• API String ID: 3263322241-3714082515
• Opcode ID: 46dea715fcd1fa374a7ce5de566b583560bdb19ade83feb7b77bde75c9f6e586
• Instruction ID: 7c1997a903da86591681554de608c5dd94b25ae393b66cf821b62f5ca2459c63
• Opcode Fuzzy Hash: 46dea715fcd1fa374a7ce5de566b583560bdb19ade83feb7b77bde75c9f6e586
• Instruction Fuzzy Hash: E2517970A00218DFDB24DF68CC09BEABBF4EF45314F108199E919A72D1DB716A84DF91

APIs
• ??0CContainerUI@DuiLib@@QAE@XZ.YCOMUIU(EEAE26D7,?,00000000,00000000), ref: 00E30DE2
• ??0CDialogBuilder@DuiLib@@QAE@XZ.YCOMUIU ref: 00E30E0C
  • Part of subcall function 00E03870: FindResourceW.KERNEL32(00000000,00000100,00000006,000000FF), ref: 00E038B2
• ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,00F04144,00000000,?,.xml,00000004,WatermarkVideoCtrl), ref: 00E30EBE
• ?Add@CContainerUI@DuiLib@@UAE_NPAVCControlUI@2@@Z.YCOMUIU(00000000,?,00000000,00F04144,00000000,?,.xml,00000004,WatermarkVideoCtrl), ref: 00E30F0D
• ?RemoveAll@CContainerUI@DuiLib@@UAEX_N@Z.YCOMUIU(00000001,?,00000000,00F04144,00000000,?,.xml,00000004,WatermarkVideoCtrl), ref: 00E30F17
• ??1CMarkup@DuiLib@@QAE@XZ.YCOMUIU(?,00000000,00F04144,00000000,?,.xml,00000004,WatermarkVideoCtrl), ref: 00E30F27
Similarity
• API ID: Lib@@$ContainerDialog$Builder@ControlI@2@$Add@All@BuilderCallback@2@Create@D@2@FindI@2@@ManagerMarkup@PaintRemoveResourceV32@@
• String ID: .xml$WatermarkVideoCtrl
• API String ID: 3263322241-3282192309
• Opcode ID: ef695f44ef1cfc73fe2da16ae3204907aab0bca7c5c732a280821482549cd8c9
• Instruction ID: 9c696e4cce54dda23583ade6242f29f001a76a24b3f579017b8f0f3e1e7c09a7
• Opcode Fuzzy Hash: ef695f44ef1cfc73fe2da16ae3204907aab0bca7c5c732a280821482549cd8c9
• Instruction Fuzzy Hash: 95519A70A00218DFDB24DF68CC09BEABBB4EF45314F1081D9E919A72D1DB716A84DFA1

APIs
• ??0CContainerUI@DuiLib@@QAE@XZ.YCOMUIU(EEAE26D7), ref: 00E305E2
• ??0CDialogBuilder@DuiLib@@QAE@XZ.YCOMUIU ref: 00E3060C
  • Part of subcall function 00E03870: FindResourceW.KERNEL32(00000000,00000100,00000006,000000FF), ref: 00E038B2
• ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,00000000,00F047B0,00000000,.xml,00000004,HomeCtrl), ref: 00E30699
• ?Add@CContainerUI@DuiLib@@UAE_NPAVCControlUI@2@@Z.YCOMUIU(00000000,?,00000000,00000000,00F047B0,00000000,.xml,00000004,HomeCtrl), ref: 00E306E8
• ?RemoveAll@CContainerUI@DuiLib@@UAEX_N@Z.YCOMUIU(00000001,?,00000000,00000000,00F047B0,00000000,.xml,00000004,HomeCtrl), ref: 00E306F2
• ??1CMarkup@DuiLib@@QAE@XZ.YCOMUIU(?,00000000,00000000,00F047B0,00000000,.xml,00000004,HomeCtrl), ref: 00E30702
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$ContainerDialog$Builder@ControlI@2@$Add@All@BuilderCallback@2@Create@D@2@FindI@2@@ManagerMarkup@PaintRemoveResourceV32@@
                                                                                                              • String ID: .xml$HomeCtrl
                                                                                                              • API String ID: 3263322241-172366358
                                                                                                              • Opcode ID: be22526cd4df4c12b71e2fbff41019102c9fe1adc6383e7f5cda5545534006e7
                                                                                                              • Instruction ID: 52dced1470d2cb8a0f80172088e27ba896ae46ec5ed72282b7aaa6b97375794a
                                                                                                              • Opcode Fuzzy Hash: be22526cd4df4c12b71e2fbff41019102c9fe1adc6383e7f5cda5545534006e7
                                                                                                              • Instruction Fuzzy Hash: 41419D70A00718DFDB24DF68CC09BEABBB4EF56314F108199E919A72D1CB716A44CF91
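A small parser for the dump-file names the report lists under "Memory Dump Source", added here as an example; it is not part of the Joe Sandbox report or of its tooling. The field layout it assumes (fourth field = region start address, fifth = page protection, seventh = memory type) is inferred from the names on this page, not documented by the report, which only states that the 0xDC1000 dump is "based on PE" at offset 0xDC0000. The decoded values agree with that statement: 0xDC0000 is the lowest MEM_IMAGE region and 0xDC1000 carries PAGE_EXECUTE_READ, as a mapped .text section would. The eight names are copied from the report; the constant tables come from winnt.h and everything else is constructed.

```python
"""Rebuild the region layout of a dumped PE image from Joe Sandbox .sdmp names.

ASSUMPTION (not documented by the report): the name is
  <pid>.<n>.<id>.<base>.<protect>.<state>.<type>.<n>.sdmp
with <base> the region start, <protect> a PAGE_* value and <type> a MEM_* value,
all hexadecimal. Fields 1-3, 6 and 8 are not interpreted here.
"""
from dataclasses import dataclass

# Page-protection and memory-type constants from winnt.h.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE = 0x1000000
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Copied from the report's "Memory Dump Source" list (process 4, dump 2).
SAMPLE_DUMPS = [
    "00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp",
    "00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp",
    "00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp",
    "00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp",
    "00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp",
    "00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp",
    "00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp",
    "00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp",
]


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int       # region start address (assumed: 4th field)
    protect: int    # PAGE_* value (assumed: 5th field)
    mem_type: int   # MEM_* value (assumed: 7th field)

    @property
    def executable(self) -> bool:
        # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
        return bool(self.protect & 0xF0)

    @property
    def writable(self) -> bool:
        # PAGE_READWRITE, PAGE_WRITECOPY and their EXECUTE_ variants
        return bool(self.protect & 0xCC)


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split one .sdmp file name into a DumpRegion; raises on unexpected shape."""
    if not name.endswith(".sdmp"):
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected field count {len(fields)} in {name}")
    return DumpRegion(
        name=name,
        base=int(fields[3], 16),
        protect=int(fields[4], 16),
        mem_type=int(fields[6], 16),
    )


def image_layout(names: list[str]) -> dict:
    """Return the image base, the sorted region map and any RWX regions."""
    regions = sorted({parse_sdmp_name(n) for n in names}, key=lambda r: r.base)
    image = [r for r in regions if r.mem_type == MEM_IMAGE]
    if not image:
        raise ValueError("no MEM_IMAGE region among the dumps")
    return {
        # Lowest image-backed region: for a mapped PE this is the DOS header.
        "image_base": image[0].base,
        "regions": [
            (hex(r.base), PAGE_PROTECTION.get(r.protect, hex(r.protect)),
             MEM_TYPE.get(r.mem_type, hex(r.mem_type)))
            for r in regions
        ],
        # Writable and executable at dump time: worth a closer look if non-empty.
        "rwx": [hex(r.base) for r in regions if r.executable and r.writable],
    }


if __name__ == "__main__":
    layout = image_layout(SAMPLE_DUMPS)
    print(f"image base: {layout['image_base']:#x}")
    for base, prot, kind in layout["regions"]:
        print(f"  {base:>10}  {prot:<24} {kind}")
    print("RWX regions:", layout["rwx"] or "none")
```

Rebuilding the map from the names alone tells an analyst, before opening a single .sdmp, whether a dump came from an image mapping or from private memory and whether any executable region was also writable when the dump was taken. For this process none is: the only executable region (0xDC1000) is read-only at run time, so the "writeable .text section" signature in the report's overview refers to the section-header flags in the file, not to the live page protection.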
                                                                                                              APIs
                                                                                                              • ??0CContainerUI@DuiLib@@QAE@XZ.YCOMUIU(EEAE26D7,00000AF8), ref: 00E30A82
                                                                                                              • ??0CDialogBuilder@DuiLib@@QAE@XZ.YCOMUIU ref: 00E30AAC
                                                                                                                • Part of subcall function 00E03870: FindResourceW.KERNEL32(00000000,00000100,00000006,000000FF), ref: 00E038B2
                                                                                                              • ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,00000000,?,00000000,.xml,00000004,WatermarkPicCtrl), ref: 00E30B39
                                                                                                              • ?Add@CContainerUI@DuiLib@@UAE_NPAVCControlUI@2@@Z.YCOMUIU(00000000,?,00000000,00000000,?,00000000,.xml,00000004,WatermarkPicCtrl), ref: 00E30B88
                                                                                                              • ?RemoveAll@CContainerUI@DuiLib@@UAEX_N@Z.YCOMUIU(00000001,?,00000000,00000000,?,00000000,.xml,00000004,WatermarkPicCtrl), ref: 00E30B92
                                                                                                              • ??1CMarkup@DuiLib@@QAE@XZ.YCOMUIU(?,00000000,00000000,?,00000000,.xml,00000004,WatermarkPicCtrl), ref: 00E30BA2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$ContainerDialog$Builder@ControlI@2@$Add@All@BuilderCallback@2@Create@D@2@FindI@2@@ManagerMarkup@PaintRemoveResourceV32@@
                                                                                                              • String ID: .xml$WatermarkPicCtrl
                                                                                                              • API String ID: 3263322241-3967185736
                                                                                                              • Opcode ID: 7f4a1bb7367a1da7658e1555f86df8a617e643c18e2d6bf8400737ff5ab1ef94
                                                                                                              • Instruction ID: 87096c3ad33cda66d17ae8823a403ae77356734807804fdb23ab627575b166ab
                                                                                                              • Opcode Fuzzy Hash: 7f4a1bb7367a1da7658e1555f86df8a617e643c18e2d6bf8400737ff5ab1ef94
                                                                                                              • Instruction Fuzzy Hash: F1419C70A003189FDB14DF68CC09BEAFBB4EF55314F108299E919A72D1DB716A44CF91
                                                                                                              APIs
                                                                                                              • ??0CContainerUI@DuiLib@@QAE@XZ.YCOMUIU(EEAE26D7), ref: 00E30C32
                                                                                                              • ??0CDialogBuilder@DuiLib@@QAE@XZ.YCOMUIU ref: 00E30C5C
                                                                                                                • Part of subcall function 00E03870: FindResourceW.KERNEL32(00000000,00000100,00000006,000000FF), ref: 00E038B2
                                                                                                              • ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,00000000,00000000,00000000,.xml,00000004,WatermarkTypeCtrl), ref: 00E30CE9
                                                                                                              • ?Add@CContainerUI@DuiLib@@UAE_NPAVCControlUI@2@@Z.YCOMUIU(00000000,?,00000000,00000000,00000000,00000000,.xml,00000004,WatermarkTypeCtrl), ref: 00E30D38
                                                                                                              • ?RemoveAll@CContainerUI@DuiLib@@UAEX_N@Z.YCOMUIU(00000001,?,00000000,00000000,00000000,00000000,.xml,00000004,WatermarkTypeCtrl), ref: 00E30D42
                                                                                                              • ??1CMarkup@DuiLib@@QAE@XZ.YCOMUIU(?,00000000,00000000,00000000,00000000,.xml,00000004,WatermarkTypeCtrl), ref: 00E30D52
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$ContainerDialog$Builder@ControlI@2@$Add@All@BuilderCallback@2@Create@D@2@FindI@2@@ManagerMarkup@PaintRemoveResourceV32@@
                                                                                                              • String ID: .xml$WatermarkTypeCtrl
                                                                                                              • API String ID: 3263322241-2072692479
                                                                                                              • Opcode ID: c7cb87b10a784242ae3dffdff741e71468d87a7bc29f8baa7645dc7250767ef5
                                                                                                              • Instruction ID: efa72e7799c6b3d0f4f84f300968cf0a8763660854d58f8807b6dcda3f8e2018
                                                                                                              • Opcode Fuzzy Hash: c7cb87b10a784242ae3dffdff741e71468d87a7bc29f8baa7645dc7250767ef5
                                                                                                              • Instruction Fuzzy Hash: AA41AB70A003189FDB24DF69CC09BEABBB4EF45314F108299E919A72D1CB716A44CF91
                                                                                                              APIs
                                                                                                              • HttpQueryInfoW.WININET(?,20000005,?,?,00000000), ref: 00DD0BB1
                                                                                                              • GetLastError.KERNEL32 ref: 00DD0BBB
                                                                                                              • GetLastError.KERNEL32(00000000,CHttpResponseT::GetContentLength: m_hRequest can not be NULL.,00000000), ref: 00DD0BE7
                                                                                                              • HttpQueryInfoW.WININET(?,20000005,?,?,00000000), ref: 00DD0C21
                                                                                                              • GetLastError.KERNEL32(?,?,00000190,00000000), ref: 00DD0C2B
                                                                                                              Strings
                                                                                                              • CHttpResponseT::GetContentLength: m_hRequest can not be NULL., xrefs: 00DD0C4B
                                                                                                              • CHttpResponseT::GetContentLength: m_hRequest can not be NULL., xrefs: 00DD0BDB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$HttpInfoQuery
                                                                                                              • String ID: CHttpResponseT::GetContentLength: m_hRequest can not be NULL.$CHttpResponseT::GetContentLength: m_hRequest can not be NULL.
                                                                                                              • API String ID: 3138400422-3209998596
                                                                                                              • Opcode ID: 30c108b435abd7a5a899b6fc39658936cf79c12445add1465f9ef5aa4b1b17e5
                                                                                                              • Instruction ID: 65380c74844851b6a1462ee609864eb807866d0aa1bb7875b97e2618d3762d40
                                                                                                              • Opcode Fuzzy Hash: 30c108b435abd7a5a899b6fc39658936cf79c12445add1465f9ef5aa4b1b17e5
                                                                                                              • Instruction Fuzzy Hash: 5E11B2B1644208AFE714DBD5DC0AF7A7A68EB98705F00056AFB08E6280EA72DD10C6B5
                                                                                                              APIs
                                                                                                              • ?GetMarkup@CDialogBuilder@DuiLib@@QAEPAVCMarkup@2@XZ.YCOMUIU ref: 00E326FB
                                                                                                              • ?IsValid@CMarkup@DuiLib@@QBE_NXZ.YCOMUIU ref: 00E32703
                                                                                                              • ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,00000000,?,00000000), ref: 00E3271F
                                                                                                              • ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@PAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(00000000,?,00000000), ref: 00E32729
                                                                                                              • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,picThumbnail), ref: 00E3273D
                                                                                                              • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,txtFileName), ref: 00E32767
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ControlI@2@Lib@@$Dialog$ManagerPaint$Builder@$BuilderCallback@2@Create@FindMarkup@Name@V32@V32@@$D@2@Markup@2@Valid@
                                                                                                              • String ID: picThumbnail$txtFileName
                                                                                                              • API String ID: 542575031-1082530807
                                                                                                              • Opcode ID: 6cd8e6050506daee8209eede05d7eae5d32008b84a854afe2e3b27f24455e365
                                                                                                              • Instruction ID: 61c9ddaa8c0da8c8f340833be6f993d464356d89395bdfb78cd09acc1464bf7a
                                                                                                              • Opcode Fuzzy Hash: 6cd8e6050506daee8209eede05d7eae5d32008b84a854afe2e3b27f24455e365
                                                                                                              • Instruction Fuzzy Hash: 5D219F353012159FDB045B65AC9CBBA3BA5FF84709F10002AF642EB291CBB09C05CB91
                                                                                                              APIs
                                                                                                              • DecodePointer.KERNEL32(?,?,?,00E654E4,00F51A74,?,?,00E32F22), ref: 00E650D5
                                                                                                              • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,00000000,?,?,00E654E4,00F51A74,?,?,00E32F22), ref: 00E650EA
                                                                                                              • DecodePointer.KERNEL32(?), ref: 00E65166
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DecodePointer$LibraryLoad
                                                                                                              • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
                                                                                                              • API String ID: 1423960858-1745123996
                                                                                                              • Opcode ID: 5c3a4f80234574280ce708ba4731d59744a70655b5be0b3a6820eb49dac970a5
                                                                                                              • Instruction ID: 336baa323bde616da8ed247b741d6a6e5e79dbaf5b37d12e0320b56de0534b1e
                                                                                                              • Opcode Fuzzy Hash: 5c3a4f80234574280ce708ba4731d59744a70655b5be0b3a6820eb49dac970a5
                                                                                                              • Instruction Fuzzy Hash: DF01C433782B057BDB029B20BD02B9A3B956B0379AF085250FC01761E2D795EA0CE683
                                                                                                              APIs
                                                                                                              • DecodePointer.KERNEL32(?,?,?,00E65546,00F51A7C,?,?,00000000,?,00E34C64,?,?,?,00000000), ref: 00E65025
                                                                                                              • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00E65546,00F51A7C,?,?,00000000,?,00E34C64,?,?,?), ref: 00E6503A
                                                                                                              • DecodePointer.KERNEL32(?), ref: 00E650B6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DecodePointer$LibraryLoad
                                                                                                              • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
APIs
• DecodePointer.KERNEL32(?,?,?,00E65595,00F51A80,?,?,?,00E068B7,?,EEAE26D7,?,?,00EE2E8E,000000FF), ref: 00E65185
• LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00E65595,00F51A80,?,?,?,00E068B7,?,EEAE26D7), ref: 00E6519A
• DecodePointer.KERNEL32(?), ref: 00E65216
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
Similarity
• API ID: DecodePointer$LibraryLoad
• String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
APIs
• DecodePointer.KERNEL32(?,?,?,00E655EE,00F51A78,?,?,?,00E32F43,?,00000000,00000000), ref: 00E65235
• LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00E655EE,00F51A78,?,?,?,00E32F43,?,00000000,00000000), ref: 00E6524A
• DecodePointer.KERNEL32(?), ref: 00E652C6
Strings
Similarity
• API ID: DecodePointer$LibraryLoad
• String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
APIs
• GetLastError.KERNEL32(00000000,CHttpToolW::Unicode2Ansi: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.,00000000,00000000,?,?,?,00000258,00000000), ref: 00DD677F
• GetLastError.KERNEL32(00000000,00000258,00000000), ref: 00DD67A2
Strings
• CHttpEncoderA::UrlDecodeA: szBuff can not be NULL., xrefs: 00DD68BB
• CHttpToolW::Unicode2Ansi: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter., xrefs: 00DD6773
• CHttpEncoderW::UrlDecodeA: szBuff can not be NULL., xrefs: 00DD69FB
Similarity
• API ID: ErrorLast
• String ID: CHttpEncoderA::UrlDecodeA: szBuff can not be NULL.$CHttpEncoderW::UrlDecodeA: szBuff can not be NULL.$CHttpToolW::Unicode2Ansi: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.
APIs
• GetProcessHeap.KERNEL32 ref: 00DDE344
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,80000000,00000000,00000000,00000000,00000000), ref: 00DDE3AF
• HeapAlloc.KERNEL32(?,00000000,00000000), ref: 00DDE3BF
• SetLastError.KERNEL32(00000008), ref: 00DDE3D2
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00DDE3EF
• GetLastError.KERNEL32 ref: 00DDE3F9
• HeapFree.KERNEL32(?,00000000,?), ref: 00DDE409
• SetLastError.KERNEL32(00000000), ref: 00DDE410
Similarity
• API ID: ErrorHeapLast$ByteCharMultiWide$AllocFreeProcess
• String ID:
APIs
• GetProcessHeap.KERNEL32 ref: 00DDE484
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,80000000,00000000,00000000,00000000,00000000), ref: 00DDE4F2
• HeapAlloc.KERNEL32(?,00000000,00000000), ref: 00DDE502
• SetLastError.KERNEL32(00000008), ref: 00DDE515
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00DDE535
• GetLastError.KERNEL32 ref: 00DDE53F
• HeapFree.KERNEL32(?,00000000,?), ref: 00DDE54F
• SetLastError.KERNEL32(00000000), ref: 00DDE556
Similarity
• API ID: ErrorHeapLast$ByteCharMultiWide$AllocFreeProcess
• String ID:
Strings
• CHttpClientT::_ReleasePostResponse: The post context is not active., xrefs: 00DDAC4E
• CHttpPostStatT::FileCount: The post context is not active., xrefs: 00DDAB71
• CHttpClientT::_ReleasePostResponse: The post context is not active., xrefs: 00DDAB65, 00DDAD3E
Similarity
• API ID:
• String ID: CHttpClientT::_ReleasePostResponse: The post context is not active.$CHttpClientT::_ReleasePostResponse: The post context is not active.$CHttpPostStatT::FileCount: The post context is not active.
APIs
• ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(?,?,00000001,EEAE26D7), ref: 00E2632B
• ?SetMaxValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(?), ref: 00E2633D
• ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtMaxEraserSize,00000000), ref: 00E263B7
• ?CheckDlgButton@WindowImplBase@DuiLib@@QAEHPB_W_N@Z.YCOMUIU(optSelectWhiteWatermark,?), ref: 00E263CA
Strings
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$Base@ImplProgressValue@Window$Button@CheckItemText
                                                                                                              • String ID: EraserSize$optSelectWhiteWatermark$txtMaxEraserSize
                                                                                                              • API String ID: 1793807238-3372194902
                                                                                                              • Opcode ID: f19f06f11b3f8570f2f4d16b6004c9455e4bdf24de437c52b738630435d347d5
                                                                                                              • Instruction ID: 4661b292b9264b263a2b6c520f0d08bb068b800bf64fe7072cbcac38002529a1
                                                                                                              • Opcode Fuzzy Hash: f19f06f11b3f8570f2f4d16b6004c9455e4bdf24de437c52b738630435d347d5
                                                                                                              • Instruction Fuzzy Hash: 1FD13D70A016159FDB10CF69D884B6AB7F5FF48314F1882A9E819AB392D735EC44CFA0
                                                                                                              APIs
                                                                                                              • _wcsstr.LIBVCRUNTIME ref: 00E44FD1
                                                                                                              • _wcsstr.LIBVCRUNTIME ref: 00E45002
                                                                                                              • FindWindowW.USER32(EasePaintWndClass,00000000), ref: 00E45298
                                                                                                              • PostMessageW.USER32(00000000,00000406,00000000,00000000), ref: 00E452AC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _wcsstr$FindMessagePostWindow
                                                                                                              • String ID: EasePaintWndClass$[Error1]:%s$[Error2]:%s-%s
                                                                                                              • API String ID: 303501467-2663925825
                                                                                                              • Opcode ID: 6add1399dc98ecf2d86352403ddcca74cd4688c429167772e2778514cdbaa4fe
                                                                                                              • Instruction ID: 0327dfcb8134bfc9d6a474080a645d1ddef7f599b094a1f35c4038dd73a9a3cd
                                                                                                              • Opcode Fuzzy Hash: 6add1399dc98ecf2d86352403ddcca74cd4688c429167772e2778514cdbaa4fe
                                                                                                              • Instruction Fuzzy Hash: BCB18C71D0024DEFDF00DBE4D845BEEBBB8AF14304F145129E615B7192EB74AA08CBA1
                                                                                                              APIs
                                                                                                              • InvalidateRect.USER32(?,00000000,00000000), ref: 00E0C19D
                                                                                                              • CallWindowProcW.USER32(?,?,?,00000000,00000000), ref: 00E0C246
                                                                                                              • GetWindowLongW.USER32(?,000000FC), ref: 00E0C25A
                                                                                                              • CallWindowProcW.USER32(?,?,00000082,00000000,00000000), ref: 00E0C270
                                                                                                              • GetWindowLongW.USER32(?,000000FC), ref: 00E0C289
                                                                                                              • SetWindowLongW.USER32(?,000000FC,?), ref: 00E0C298
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Long$CallProc$InvalidateRect
                                                                                                              • String ID: $
                                                                                                              • API String ID: 1142338884-3993045852
                                                                                                              • Opcode ID: c595bc3f613303da91c14e0402f696a141fc26ebbb7cf2518b47c07a5d44a94b
                                                                                                              • Instruction ID: 5ce86977b1d0e02da101f62e1301c5dad6c216e0d5b6c649d996be8e2263cfac
                                                                                                              • Opcode Fuzzy Hash: c595bc3f613303da91c14e0402f696a141fc26ebbb7cf2518b47c07a5d44a94b
                                                                                                              • Instruction Fuzzy Hash: B091C731A01609DFDB20CF58D980AABB7F5FF98308F20975DE895A7691D731E984CB90
                                                                                                              APIs
                                                                                                              • ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(?,?,00000001,?,EEAE26D7,?,?,?,?,?,00EE5590,000000FF), ref: 00E27269
                                                                                                              • ?SetMaxValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(?,?,?,?,?,?,00EE5590,000000FF), ref: 00E2727B
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtMaxEraserSize,?), ref: 00E272CF
                                                                                                              • ?CheckDlgButton@WindowImplBase@DuiLib@@QAEHPB_W_N@Z.YCOMUIU(optSelectWhiteWatermark,?), ref: 00E272E2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$Base@ImplProgressValue@Window$Button@CheckItemText
                                                                                                              • String ID: EraserSize$optSelectWhiteWatermark$txtMaxEraserSize
                                                                                                              • API String ID: 1793807238-3372194902
                                                                                                              • Opcode ID: 74c75d35807f5fcfd610f013381c2e5da92ac35406aeb0dfe47ecfbcc70bddc0
                                                                                                              • Instruction ID: 54c844091f9bb43aeb501f89229eeb07fa0b3dd7ad04c08579f4842681aa7098
                                                                                                              • Opcode Fuzzy Hash: 74c75d35807f5fcfd610f013381c2e5da92ac35406aeb0dfe47ecfbcc70bddc0
                                                                                                              • Instruction Fuzzy Hash: 6FB169B0A00605AFD714CF55D885B6ABBF4FF08314F04866AE859AB792D770F994CBA0
                                                                                                              APIs
                                                                                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F14C64), ref: 00EC4873
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00F52C6C,000000FF,00000000,0000003F,00000000,?,?), ref: 00EC48EB
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00F52CC0,000000FF,?,0000003F,00000000,?), ref: 00EC4918
                                                                                                              • _free.LIBCMT ref: 00EC4861
                                                                                                                • Part of subcall function 00EC101F: HeapFree.KERNEL32(00000000,00000000,?,00ECF916,?,00000000,?,00000000,?,00ECFC38,?,00000007,?,?,00ED0104,?), ref: 00EC1035
                                                                                                                • Part of subcall function 00EC101F: GetLastError.KERNEL32(?,?,00ECF916,?,00000000,?,00000000,?,00ECFC38,?,00000007,?,?,00ED0104,?,?), ref: 00EC1047
                                                                                                              • _free.LIBCMT ref: 00EC4A2D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                                              • String ID: $J$,J
                                                                                                              • API String ID: 1286116820-1731701030
                                                                                                              • Opcode ID: fa5bc1f0b5f25dbcb5405f7b9631a727704d3d0a5756898f285a26093314677d
                                                                                                              • Instruction ID: 11d217a671c20677ad34d70790548a106885381738bc73a7d74c56a522706931
                                                                                                              • Opcode Fuzzy Hash: fa5bc1f0b5f25dbcb5405f7b9631a727704d3d0a5756898f285a26093314677d
                                                                                                              • Instruction Fuzzy Hash: BF512BB19002199BCB11EF68DD91EAE77F8EF46320B10126DE560F32D1EB319E46DB50
                                                                                                              APIs
                                                                                                              • ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(0000040A,00000000,00000001,?), ref: 00E2E4F0
                                                                                                              • SendMessageW.USER32(00000000), ref: 00E2E4F7
                                                                                                              • PathFindFileNameW.SHLWAPI(?,?), ref: 00E2E53A
                                                                                                              • PathFindExtensionW.SHLWAPI(?,00000000), ref: 00E2E550
                                                                                                              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,EEAE26D7), ref: 00E2E5FD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileFindPath$CopyD__@@ExtensionLib@@MessageNameSendWindowWnd@
                                                                                                              • String ID: %s%s$%s_%d%s
                                                                                                              • API String ID: 222731410-3529308290
                                                                                                              • Opcode ID: b0bfb2a78519789e1b95b60d3aa150e8670d25415167fd79ca4f791258057d11
                                                                                                              • Instruction ID: 5d19ca51af15808776e0ff38fc6692f5e1a24e478b724370a299dce00e26a3da
                                                                                                              • Opcode Fuzzy Hash: b0bfb2a78519789e1b95b60d3aa150e8670d25415167fd79ca4f791258057d11
                                                                                                              • Instruction Fuzzy Hash: D751BE31A00259AFDB14EBA4DC49BFEB7B4EF14308F108068E511A7292DB759A08DB61
                                                                                                              APIs
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPlay,00000000,?,?,?,00E37F7C,000000FF,000000FF,?,?,?,?,?,EEAE26D7), ref: 00E5E240
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPause,00000001,?,?,?,00E37F7C,000000FF,000000FF,?,?,?,?,?,EEAE26D7), ref: 00E5E24F
                                                                                                              • WaitForSingleObject.KERNEL32(?,00003A98), ref: 00E5E297
                                                                                                              • CloseHandle.KERNEL32(?), ref: 00E5E2A5
                                                                                                              • CreateThread.KERNEL32(00000000,00000000,00E5E310,?,00000000,?), ref: 00E5E2FD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Base@ImplLib@@ShowWindowWindow@$CloseCreateHandleObjectSingleThreadWait
                                                                                                              • String ID: btnPause$btnPlay
                                                                                                              • API String ID: 2458250209-2951056387
                                                                                                              • Opcode ID: cdc595b88e02cd9b392e02ce8c9a59fc90a24f2bdea9de246291d0e20a51d5b7
                                                                                                              • Instruction ID: da47665581d6b950ef5df90ec18087804169ed2afadc370b4d9b56b12b8b9606
                                                                                                              • Opcode Fuzzy Hash: cdc595b88e02cd9b392e02ce8c9a59fc90a24f2bdea9de246291d0e20a51d5b7
                                                                                                              • Instruction Fuzzy Hash: 3321A170340706ABE728CF65D849B25F7A8BB40725F108619F918A77E0DBB0E968CB90
APIs
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UpdateDay,00000000,00000000,?,00000000), ref: 00E563BA
• GetLocalTime.KERNEL32(?), ref: 00E563CA
• GetLocalTime.KERNEL32(?), ref: 00E563DE
• SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UpdateDay,00000004,?,00000004), ref: 00E56402
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: LocalTimeValue
• String ID: N0$Software\EasePaintWatermarkRemover$UpdateDay
• API String ID: 3740244869-1955174364
• Opcode ID: 689ae7c94609fa03e6965719ab22482a971c995336a715608f2893f5826ff475
• Instruction ID: b953dca759fca6f1b3efbb887f6fd3f0868d74e431caf62174005547fa3063e0
• Opcode Fuzzy Hash: 689ae7c94609fa03e6965719ab22482a971c995336a715608f2893f5826ff475
• Instruction Fuzzy Hash: CB2124B1941208AFDB10EFA0DD45FEEB7F8EB08711F50051AFD01B6181D7B1A548DBA5
APIs
• GetModuleHandleW.KERNEL32(USER32.DLL), ref: 00E00648
• GetProcAddress.KERNEL32(00000000,UpdateLayeredWindow), ref: 00E00654
• LoadCursorW.USER32(00000000,00007F00), ref: 00E006B9
• RegisterClassExW.USER32(00000030), ref: 00E006E3
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: AddressClassCursorHandleLoadModuleProcRegister
• String ID: 0$USER32.DLL$UpdateLayeredWindow
• API String ID: 3327453341-2940827406
• Opcode ID: 7bc444a7a5d17826bc49da1342f017dfac9b12916210c74161e8d6afd19f14c3
• Instruction ID: 7e3b7a0bff40a47959e8ff8a63518e8041a30c0ecc58efede050a5b0094715be
• Opcode Fuzzy Hash: 7bc444a7a5d17826bc49da1342f017dfac9b12916210c74161e8d6afd19f14c3
• Instruction Fuzzy Hash: F71113B0D013099FEB00DFA1E8587AEBBF8BB58305F10515AE814B6290D7B95688DF91
APIs
• ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(0000040A,00000000,?,?,?), ref: 00E2C7B2
• SendMessageW.USER32(00000000,?,?), ref: 00E2C7B9
• MessageBeep.USER32(00000040), ref: 00E2C82C
• MessageBeep.USER32(00000040), ref: 00E2C9E0
• ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(0000040A,00000001,?), ref: 00E2CA20
• SendMessageW.USER32(00000000), ref: 00E2CA27
• ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(0000040A,00000000,?,?,?,?), ref: 00E2CA46
• SendMessageW.USER32(00000000,?,?,?), ref: 00E2CA4D
  • Part of subcall function 00DE07C0: RaiseException.KERNEL32(00000000,00000000,00000000,00000000,?,00E64D65,C000008C,00000001,?,00E64E4B,00000000,?,00DF5167,00000000,00000000,00000000), ref: 00DE07CD
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Message$D__@@Lib@@SendWindowWnd@$Beep$ExceptionRaise
• String ID:
• API String ID: 3087868877-0
• Opcode ID: 4612efa42f6ca7e16b1411d0e5e8a1c4d4224bbc422121798f1d932c220e4f60
• Instruction ID: 14e35bc61a6ebac5699434878e26f2eef31c72f6519da88dbfc113df5a408f7c
• Opcode Fuzzy Hash: 4612efa42f6ca7e16b1411d0e5e8a1c4d4224bbc422121798f1d932c220e4f60
• Instruction Fuzzy Hash: 20A15C70A0071A9FDB24CF69D584A6EFBF0FF48304F24965AE94AA7641D770F885CB90
APIs
• ??0WindowImplBase@DuiLib@@QAE@XZ.YCOMUIU(EEAE26D7,?,0000040A,?,?,0000040A), ref: 00E46BAD
• WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000FF), ref: 00E46DBB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,000000FF), ref: 00E46DC8
• WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00E46DEC
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00E46DF9
• WaitForSingleObject.KERNEL32(?,00003A98,?,0000040A), ref: 00E46E24
• CloseHandle.KERNEL32(?), ref: 00E46E31
  • Part of subcall function 00E03FF0: GetProcessHeap.KERNEL32 ref: 00E0406E
  • Part of subcall function 00E03FF0: __Init_thread_footer.LIBCMT ref: 00E040A0
  • Part of subcall function 00E03FF0: __Init_thread_footer.LIBCMT ref: 00E04124
• ??1WindowImplBase@DuiLib@@UAE@XZ.YCOMUIU ref: 00E46F0A
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: CloseHandleObjectSingleWait$Base@ImplInit_thread_footerLib@@Window$HeapProcess
• String ID:
• API String ID: 2318069157-0
• Opcode ID: 982ad36b81af104a1a4ca557d74fe6fc5382652f17f9adfabf522e26146861ab
• Instruction ID: 68ff5f6c619baba623dd72d008db5b279f9f46ac4c6df06ad2bdabad2e926c10
• Opcode Fuzzy Hash: 982ad36b81af104a1a4ca557d74fe6fc5382652f17f9adfabf522e26146861ab
• Instruction Fuzzy Hash: 4EB18D70A01B45CFD720DF68C948B9BBBF4FF05318F14859DD45AAB292DB71AA04CB91
APIs
• ??0CDuiRect@DuiLib@@QAE@HHHH@Z.YCOMUIU(00000000,00000000,?,?), ref: 00E08143
• GdipGetImageWidth.GDIPLUS(?,?), ref: 00E0815A
• GdipGetImageHeight.GDIPLUS(?,00000000,?,?), ref: 00E0819F
• ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(?,00000000,?,?), ref: 00E081D5
• ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E081FE
• GdipGetImageHeight.GDIPLUS(?,?), ref: 00E08278
• GdipGetImageWidth.GDIPLUS(?,00000000,?,?), ref: 00E08295
• GdipDrawImageRectRect.GDIPLUS(?,?), ref: 00E0830E
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: GdipImage$Lib@@Rect@$HeightRectWidth$DrawHeight@Width@
• String ID:
• API String ID: 422700835-0
• Opcode ID: f64488e7fe5f9fc70cfeaab281ba0f2f3ee916f66471406285f99c2e09a4f5c9
• Instruction ID: 0f9fbaa88c104bed933ccad2a0d8d0d31dd74f6fabe1140c6109550925645082
• Opcode Fuzzy Hash: f64488e7fe5f9fc70cfeaab281ba0f2f3ee916f66471406285f99c2e09a4f5c9
• Instruction Fuzzy Hash: AF518831810B0A9EDB12DFB6C980BAAF7B4BF5D340F148719E859B61A1FB34A491DB50
APIs
• CertFindCertificateInStore.CRYPT32(?,00010001,00000000,000B0000,EEAE26D7,00000000), ref: 00DC6DD7
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00DC6E00
• CertGetNameStringW.CRYPT32(00000000,00000004,00000001,00000000,00000000,00000000), ref: 00DC6E31
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00DC6E46
• CertGetNameStringW.CRYPT32(00000000,00000004,00000001,00000000,00000000,00000000,?,00001000,00000004), ref: 00DC6E5F
• CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 00DC6E7F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00DC6E94
• CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000,?,00001000,00000004), ref: 00DC6EAF
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Cert$NameString$AllocVirtual$CertificateFindStore
• String ID:
• API String ID: 3065990527-0
• Opcode ID: f99d872bc51983ed375d041d01c33187a420ca6f340053f26e89b0ce1f1c1db0
• Instruction ID: 21ce6f562ff1b9c217f3e848a1c7d3bf94478bc7dc5fcfaeedec08d924f09212
• Opcode Fuzzy Hash: f99d872bc51983ed375d041d01c33187a420ca6f340053f26e89b0ce1f1c1db0
• Instruction Fuzzy Hash: 6F41F3B5A40305BFEB20DF55CC86FAA77B8EB44B14F204159FA04AB2C1DBB1D945CB64
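Two of the call listings above carry raw DWORDs where the Win32 constant is what matters for triage: in the UpdateDay entry (00E563BA to 00E56402) the first SHGetValueW/SHSetValueW argument 80000001 is HKEY_CURRENT_USER and the SHSetValueW dwType/cbData pair 00000004/00000004 is a REG_DWORD write; in the certificate entry (00DC6DD7 to 00DC6EAF) the VirtualAlloc pair 00001000/00000004 is MEM_COMMIT/PAGE_READWRITE, and dwFlags 00000001 versus 00000000 on CertGetNameStringW selects the issuer name versus the subject name, so that function reads both names of a certificate, twice each. The helper below is an added example by the editor, not Joe Sandbox code and not code from the sample: it parses records in this listing's format and names those constants. Its sample input is copied from the two entries just named plus one "Part of subcall" line from the WaitForSingleObject entry. Two assumptions are built in: "?" and 00000000 are values the plugin could not resolve statically and carry no meaning, and argument slots beyond an API's documented parameter count (nine slots on the six-parameter CertGetNameStringW) are stack content past the real arguments and are ignored.

```python
"""Added example: parse Joe Sandbox IDA-plugin "APIs" records and decode the
Win32 constants in them. Editor's triage helper, not Joe Sandbox or sample code."""
import re

# Constructed input: records copied from the SHGetValueW/SHSetValueW and
# CertFindCertificateInStore entries of this report, plus one "Part of subcall"
# line from the WaitForSingleObject entry so that form is exercised too.
SAMPLE = """\
• SHGetValueW.SHLWAPI(80000001,Software\\EasePaintWatermarkRemover,UpdateDay,00000000,00000000,?,00000000), ref: 00E563BA
• GetLocalTime.KERNEL32(?), ref: 00E563CA
• GetLocalTime.KERNEL32(?), ref: 00E563DE
• SHSetValueW.SHLWAPI(80000001,Software\\EasePaintWatermarkRemover,UpdateDay,00000004,?,00000004), ref: 00E56402
• CertFindCertificateInStore.CRYPT32(?,00010001,00000000,000B0000,EEAE26D7,00000000), ref: 00DC6DD7
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00DC6E00
• CertGetNameStringW.CRYPT32(00000000,00000004,00000001,00000000,00000000,00000000), ref: 00DC6E31
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00DC6E46
• CertGetNameStringW.CRYPT32(00000000,00000004,00000001,00000000,00000000,00000000,?,00001000,00000004), ref: 00DC6E5F
• CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 00DC6E7F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00DC6E94
• CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000,?,00001000,00000004), ref: 00DC6EAF
  • Part of subcall function 00E03FF0: GetProcessHeap.KERNEL32 ref: 00E0406E
"""

# One record: "• [Part of subcall function ADDR: ]Name.MODULE(args), ref: ADDR"
RECORD = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>\S+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Documented Win32 constant values, only those the decoder needs.
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPE = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
EXEC_PROT = {0x10, 0x20, 0x40, 0x80}          # every PAGE_EXECUTE_* value
CERT_NAME_TYPE = {1: "CERT_NAME_EMAIL_TYPE", 3: "CERT_NAME_ATTR_TYPE",
                  4: "CERT_NAME_SIMPLE_DISPLAY_TYPE", 5: "CERT_NAME_FRIENDLY_DISPLAY_TYPE"}
CERT_NAME_ISSUER_FLAG = 0x1


def parse_arg(tok):
    """'?' is a value the plugin could not resolve (assumption); eight hex digits is a
    DWORD; anything else is a string the plugin resolved from a pointer."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_records(text):
    """Return the API records of one listing, in listing order, as dicts."""
    calls = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue                       # section headers, hashes, dump names
        args = m.group("args")
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": [parse_arg(a) for a in args.split(",")] if args else [],
                      "ref": int(m.group("ref"), 16), "caller": m.group("caller")})
    return calls


def _ints(seq):
    return all(isinstance(x, int) for x in seq)


def decode(call):
    """Render one call with its known constants named. Only documented parameter
    positions are read; extra slots are assumed to be stack content past the arguments."""
    api, a = call["api"], call["args"]
    if api in ("SHGetValueW", "SHSetValueW") and len(a) >= 3 and _ints(a[:1]):
        text = f"{api} {HKEY.get(a[0], hex(a[0]))}\\{a[1]}\\{a[2]}"
        if api == "SHSetValueW" and len(a) >= 6 and _ints((a[3], a[5])):
            text += f" type={REG_TYPE.get(a[3], a[3])} cb={a[5]}"
        return text
    if api == "VirtualAlloc" and len(a) >= 4 and _ints(a[2:4]):
        mem = "|".join(n for bit, n in MEM_FLAGS.items() if a[2] & bit) or hex(a[2])
        return f"VirtualAlloc {mem} {PAGE_PROT.get(a[3], hex(a[3]))}"
    if api == "CertGetNameStringW" and len(a) >= 3 and _ints(a[1:3]):
        who = "issuer" if a[2] & CERT_NAME_ISSUER_FLAG else "subject"
        return f"CertGetNameStringW {who} {CERT_NAME_TYPE.get(a[1], a[1])}"
    return api


def triage(calls):
    """Facts worth pulling from one function's call list: registry reads and writes by
    full path, executable allocations, and whose certificate name is being read."""
    out = {"registry_reads": [], "registry_writes": [], "executable_allocs": [],
           "cert_name_lookups": {"issuer": 0, "subject": 0},
           "sequence": [c["api"] for c in calls]}
    for c in calls:
        api, a = c["api"], c["args"]
        if api in ("SHGetValueW", "SHSetValueW") and len(a) >= 3 and _ints(a[:1]):
            key = "registry_writes" if api == "SHSetValueW" else "registry_reads"
            out[key].append((HKEY.get(a[0], hex(a[0])), a[1], a[2]))
        elif api == "VirtualAlloc" and len(a) >= 4 and _ints(a[3:4]) and a[3] in EXEC_PROT:
            out["executable_allocs"].append(c["ref"])
        elif api == "CertGetNameStringW" and len(a) >= 3 and _ints(a[2:3]):
            out["cert_name_lookups"]["issuer" if a[2] & 1 else "subject"] += 1
    return out


if __name__ == "__main__":
    parsed = parse_records(SAMPLE)
    for call in parsed:
        print(f"{call['ref']:08X}  {decode(call)}")
    print(triage(parsed))
```

Run against a whole listing pasted from the report, the `registry_writes` and `executable_allocs` lists are the quickest way to find the functions that touch persistence paths or allocate RWX memory among hundreds of DuiLib UI entries like the ones on this page; the `sequence` list keeps the plugin's address order within an entry, so it should be fed one entry at a time rather than the concatenated page.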
                                                                                                              APIs
                                                                                                              • ?GetObj@CDelegateBase@DuiLib@@QBEPAXXZ.YCOMUIU(EEAE26D7), ref: 00E34D63
                                                                                                              • ?GetNotifyTypeName@CDelegateBase@DuiLib@@IAE?AVCStdString@2@XZ.YCOMUIU(?), ref: 00E34D95
                                                                                                              • ?IsEmpty@CStdString@DuiLib@@QBE_NXZ.YCOMUIU ref: 00E34DA4
                                                                                                              • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU ref: 00E34DB9
                                                                                                              • ?GetNotifyTypeName@CDelegateBase@DuiLib@@IAE?AVCStdString@2@XZ.YCOMUIU(?), ref: 00E34DF1
                                                                                                              • ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU ref: 00E34E00
                                                                                                              • ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(00000000), ref: 00E34E09
                                                                                                              • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU ref: 00E34E1E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$String@$Base@Delegate$Name@NotifyString@2@Type$Empty@Obj@
                                                                                                              • String ID:
                                                                                                              • API String ID: 3535946894-0
                                                                                                              • Opcode ID: f2cedd8bbce827dcb798849eabbb79ecc631c45c59fb4a7c899125e75ac41467
                                                                                                              • Instruction ID: bcb33a7c385bb983f5e713709dc9e1c24ff79820fd1c7dba0c1244a84dc970bd
                                                                                                              • Opcode Fuzzy Hash: f2cedd8bbce827dcb798849eabbb79ecc631c45c59fb4a7c899125e75ac41467
                                                                                                              • Instruction Fuzzy Hash: 7D317C75A00218DFCB14DF75D858BAEBBB8FB89711F004569E81AA73D1DB31AE48CB50
                                                                                                              APIs
                                                                                                                • Part of subcall function 00E54B70: GetTempPathA.KERNEL32(00000104,?), ref: 00E54C07
                                                                                                                • Part of subcall function 00E54B70: PathFileExistsA.SHLWAPI(00000000,easePaint,00000009,?), ref: 00E54C4E
                                                                                                                • Part of subcall function 00E54B70: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00E54C6F
                                                                                                                • Part of subcall function 00E55390: std::locale::_Init.LIBCPMT ref: 00E55420
                                                                                                                • Part of subcall function 00E55390: std::ios_base::_Addstd.LIBCPMT ref: 00E554B7
                                                                                                                • Part of subcall function 00E53D10: std::locale::_Init.LIBCPMT ref: 00E53D52
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E549BC
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E549FE
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8InitPathThrowstd::locale::_$AddstdCreateDirectoryExistsFileTempstd::ios_base::_
                                                                                                              • String ID: 0$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                              • API String ID: 807024382-4292773081
                                                                                                              • Opcode ID: 406b7b85d8d70313eff8873e67d8729e1acb32bde40bc8e11084fd648c041d19
                                                                                                              • Instruction ID: 32d8afcd1334f56b5ca073ea0d071fc7a17fead5fd66fd9a585f2437be3df203
                                                                                                              • Opcode Fuzzy Hash: 406b7b85d8d70313eff8873e67d8729e1acb32bde40bc8e11084fd648c041d19
                                                                                                              • Instruction Fuzzy Hash: 78E1C171D00248DBCB15DFA8C845BDEB7F4FF15308F1459A9E959B7281E7B09A88CB90
                                                                                                              APIs
                                                                                                                • Part of subcall function 00DF4FD0: GetProcessHeap.KERNEL32 ref: 00DF504E
                                                                                                                • Part of subcall function 00DF4FD0: __Init_thread_footer.LIBCMT ref: 00DF5080
                                                                                                                • Part of subcall function 00DF4FD0: __Init_thread_footer.LIBCMT ref: 00DF5104
                                                                                                                • Part of subcall function 00E5BCA0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,EEAE26D7), ref: 00E5BE26
                                                                                                              • ??0CWaitCursor@DuiLib@@QAE@PAUHWND__@@@Z.YCOMUIU(00000000), ref: 00E5CA4C
                                                                                                              • ??1CWaitCursor@DuiLib@@QAE@XZ.YCOMUIU ref: 00E5CBF2
                                                                                                                • Part of subcall function 00E409C0: ?IsTextUTF8@DuiString@DuiLib@@SAHPAD_K@Z.YCOMUIU(?,00000000), ref: 00E40A1C
                                                                                                              Strings
                                                                                                              • errMsg, xrefs: 00E5CB3B, 00E5CF29
                                                                                                              • adid=%s&lc=%s&partner_id=%s&password=%s&product_id=%d&reg_type=%d&uid=%s&username=%s&verify=%s&version=%d, xrefs: 00E5CD46
                                                                                                              • by_pass=%d&email=%s&lc=%s&mobile=%s&newpass=%s&password=%s&product_id=%d&username=%s&verify=%s&version=%d, xrefs: 00E5C952
                                                                                                              • result, xrefs: 00E5CAE8, 00E5CED5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$Cursor@Init_thread_footerWait$ByteCharD__@@@HeapMultiProcessString@TextWide
                                                                                                              • String ID: adid=%s&lc=%s&partner_id=%s&password=%s&product_id=%d&reg_type=%d&uid=%s&username=%s&verify=%s&version=%d$by_pass=%d&email=%s&lc=%s&mobile=%s&newpass=%s&password=%s&product_id=%d&username=%s&verify=%s&version=%d$errMsg$result
                                                                                                              • API String ID: 2324603089-2275649183
                                                                                                              • Opcode ID: 485527b197f61fde80c80d967680b5ad8e8d16aef6b21299ac66abb1cb4c58b2
                                                                                                              • Instruction ID: 625343f97373c26b3a04285e918fb17f7964b11a0cf46fd8630e59a30a51dbdc
                                                                                                              • Opcode Fuzzy Hash: 485527b197f61fde80c80d967680b5ad8e8d16aef6b21299ac66abb1cb4c58b2
                                                                                                              • Instruction Fuzzy Hash: 45C1BC31901298DFEB11DBA8CC55F9EBBB9EF14304F1481E9E508A7292DB709E44DFA1
                                                                                                              APIs
                                                                                                              • ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E1002C
                                                                                                              • ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E10039
                                                                                                              • ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E10045
                                                                                                              • ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E10052
                                                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00E103EA
                                                                                                              • SetCursor.USER32(00000000,?,C000008C,00000001), ref: 00E103F1
                                                                                                              • InvalidateRect.USER32(?,00000000,00000000,?,C000008C,00000001), ref: 00E103FE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@Rect@$CursorHeight@Width@$InvalidateLoadRect
                                                                                                              • String ID:
                                                                                                              • API String ID: 2894228844-0
                                                                                                              • Opcode ID: 49d407022c25194c7056f77218d68ca6be45fbe72a8b12033a824c4cd7e0d989
                                                                                                              • Instruction ID: 4fb1e8df4ecfe0effbb57f9230063e99580a3c39bce812656d546272a1a1e418
                                                                                                              • Opcode Fuzzy Hash: 49d407022c25194c7056f77218d68ca6be45fbe72a8b12033a824c4cd7e0d989
                                                                                                              • Instruction Fuzzy Hash: 80C17431920B488FD316DB378485AA5F7E0AFA9354B19E75AE445BB0B3EB60E4C5DB00
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000,?,?,?,?,CHttpUrlAnalyzerT::Analyze: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.,00000000,EEAE26D7), ref: 00DCEF3F
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,?), ref: 00DCEF68
                                                                                                              • GetLastError.KERNEL32(00000000,CHttpToolA::Ansi2Unicode: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.,00000000,?,?,?,?,CHttpUrlAnalyzerT::Analyze: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.,00000000,EEAE26D7), ref: 00DCEF87
                                                                                                              • GetLastError.KERNEL32(00000000), ref: 00DCEFAA
                                                                                                              Strings
                                                                                                              • CHttpToolA::Ansi2Unicode: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter., xrefs: 00DCEF7B
                                                                                                              • :, xrefs: 00DCEDC8
                                                                                                              • CHttpUrlAnalyzerT::Analyze: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter., xrefs: 00DCEEF3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharErrorLastMultiWide
                                                                                                              • String ID: :$CHttpToolA::Ansi2Unicode: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.$CHttpUrlAnalyzerT::Analyze: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.
                                                                                                              • API String ID: 203985260-1416075455
                                                                                                              • Opcode ID: 3b6ecc496ed8132ce61dfca65e2a4e1960cb81516191430c72b1ff11e63d5659
                                                                                                              • Instruction ID: fc3da7d3911064769b6951f0a6d59ff62db207ac8b0b10dc2ddd115c1e41c5b7
                                                                                                              • Opcode Fuzzy Hash: 3b6ecc496ed8132ce61dfca65e2a4e1960cb81516191430c72b1ff11e63d5659
                                                                                                              • Instruction Fuzzy Hash: DE71D3F16002069BDB209F58C845B7677A9EB45799F3C826EF8188F281D776C843DBA0
                                                                                                              APIs
                                                                                                              • PathFileExistsW.SHLWAPI(?,EEAE26D7,?,00000000), ref: 00E0D318
                                                                                                              • GdipAlloc.GDIPLUS(00000010,?,00000000), ref: 00E0D32B
                                                                                                              • GdipCreateBitmapFromFile.GDIPLUS(?,?,00000010,?,00000000), ref: 00E0D35C
                                                                                                                • Part of subcall function 00E08D50: GdipGetImageHeight.GDIPLUS(00000000,00000000), ref: 00E08D65
                                                                                                              • ?GetWidth@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(00000010,?,00000000), ref: 00E0D387
                                                                                                              • ?GetHeight@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(?,00000000), ref: 00E0D3A6
                                                                                                              • GdipGetImageWidth.GDIPLUS(?,00000000,?,00000000), ref: 00E0D3D0
                                                                                                              • GdipGetImageHeight.GDIPLUS(?,00000000,?,00000000,?,00000000), ref: 00E0D416
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Gdip$Image$FileHeightLib@@Rect@$AllocBitmapCreateExistsFromHeight@PathWidthWidth@
                                                                                                              • String ID:
                                                                                                              • API String ID: 3672269178-0
                                                                                                              • Opcode ID: ba930221a968a2aea520b59b1bca06bedff26a3682f3d8d0f30b071ad9b22797
                                                                                                              • Instruction ID: 847287373748dacbbc99fb7cd0ff6a472bd92c5301950ed1a77aba3ceef2fb00
                                                                                                              • Opcode Fuzzy Hash: ba930221a968a2aea520b59b1bca06bedff26a3682f3d8d0f30b071ad9b22797
                                                                                                              • Instruction Fuzzy Hash: B7919E71D14B0D8EC712DBB6C840AAEF7B4BF9A344F15872AE816B3291EB3065D1DB40
                                                                                                              APIs
                                                                                                              • _wcsstr.LIBVCRUNTIME ref: 00E40904
                                                                                                              • WritePrivateProfileStringW.KERNEL32(Upload,Info,?,?), ref: 00E40959
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PrivateProfileStringWrite_wcsstr
                                                                                                              • String ID: %s_$Info$Upload$oem.ini
                                                                                                              • API String ID: 2436656274-2876984242
                                                                                                              • Opcode ID: 7fdfca25fbd77a4fa6f18e15bf2612c1777d49765e7993436d0b3853469834d9
                                                                                                              • Instruction ID: f67e268628213ac10f0d5d734288606df9897a31d3ac201a1be03814c43c7110
                                                                                                              • Opcode Fuzzy Hash: 7fdfca25fbd77a4fa6f18e15bf2612c1777d49765e7993436d0b3853469834d9
                                                                                                              • Instruction Fuzzy Hash: 16718271A00609AFDB14DF68DC45BAEB7F9FF84314F108569EA15AB391DB31A900CBA1
                                                                                                              APIs
                                                                                                              • ShowWindow.USER32(?,00000008,?), ref: 00E01135
                                                                                                              • ShowWindow.USER32(?,00000000,?), ref: 00E0114F
                                                                                                              • GetWindowRect.USER32(?,?), ref: 00E01175
                                                                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000011), ref: 00E0119E
                                                                                                              • DestroyWindow.USER32(?,?), ref: 00E011AC
                                                                                                              • ShowWindow.USER32(?,?,?), ref: 00E012B4
                                                                                                              • ShowWindow.USER32(?,00000008,?), ref: 00E012CD
                                                                                                                • Part of subcall function 00E01440: GetWindowRect.USER32(?,?), ref: 00E01460
                                                                                                                • Part of subcall function 00E01440: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00E014C8
                                                                                                                • Part of subcall function 00E01440: CreateCompatibleDC.GDI32(00000000), ref: 00E014F4
                                                                                                                • Part of subcall function 00E01440: SelectObject.GDI32(00000000,00000000), ref: 00E01505
                                                                                                                • Part of subcall function 00E01440: MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E01555
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Show$CreateRect$CompatibleDestroyMoveObjectSectionSelect
                                                                                                              • String ID:
                                                                                                              • API String ID: 367168227-0
                                                                                                              • Opcode ID: 5a9c0bb3dbd74b80ef13b14abcb43728b0d93189bb6f1a03c1df0dd7bb87b5db
                                                                                                              • Instruction ID: 1d6f7ab02259ec47070cd552491ee35f15c125e75f8368ea4522a531e04b47c7
                                                                                                              • Opcode Fuzzy Hash: 5a9c0bb3dbd74b80ef13b14abcb43728b0d93189bb6f1a03c1df0dd7bb87b5db
                                                                                                              • Instruction Fuzzy Hash: EA71C6306006459FD725CF69C845BBB7BF5AB42318F149098E596AB6F2C734EC84DB50
                                                                                                              APIs
                                                                                                              • HttpQueryInfoA.WININET(00000000,0000FFFF,00000000,00000000,00000000), ref: 00DD0F9A
                                                                                                              • GetLastError.KERNEL32 ref: 00DD0FD0
                                                                                                              • GetLastError.KERNEL32 ref: 00DD0FD7
                                                                                                              • HttpQueryInfoA.WININET(00000000,0000FFFF,00000000,00000000,00000000), ref: 00DD102C
                                                                                                              Strings
                                                                                                              • CHttpToolA::GetHeader: szName can not be NULL., xrefs: 00DD1060
                                                                                                              • CHttpToolA::GetHeader: hRequest can not be NULL., xrefs: 00DD1054
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorHttpInfoLastQuery
                                                                                                              • String ID: CHttpToolA::GetHeader: hRequest can not be NULL.$CHttpToolA::GetHeader: szName can not be NULL.
                                                                                                              • API String ID: 4218848986-4273943213
                                                                                                              • Opcode ID: d3b84020bb6ea66f768f90c4d8d78b56f7ccad42b38f64a48d8174aeadbaad9d
                                                                                                              • Instruction ID: 45dab705a703932035d7b2da2f30e4a644574856a0f5c9e4adf8359b07495eeb
                                                                                                              • Opcode Fuzzy Hash: d3b84020bb6ea66f768f90c4d8d78b56f7ccad42b38f64a48d8174aeadbaad9d
                                                                                                              • Instruction Fuzzy Hash: 6651E471A04249AFDB10DF68CC42BBEBBB4EF45710F14417AE905A7391DB72A905CBB1
                                                                                                              APIs
                                                                                                              • HttpQueryInfoW.WININET(00000000,0000FFFF,00000000,00000000,?), ref: 00DD116F
                                                                                                              • GetLastError.KERNEL32 ref: 00DD11A5
                                                                                                              • GetLastError.KERNEL32 ref: 00DD11AC
                                                                                                              • HttpQueryInfoW.WININET(00000000,0000FFFF,00000000,00000000,?), ref: 00DD1201
                                                                                                              Strings
                                                                                                              • CHttpToolW::GetHeader: szName can not be NULL., xrefs: 00DD1239
                                                                                                              • CHttpToolW::GetHeader: hRequest can not be NULL., xrefs: 00DD122B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorHttpInfoLastQuery
                                                                                                              • String ID: CHttpToolW::GetHeader: hRequest can not be NULL.$CHttpToolW::GetHeader: szName can not be NULL.
                                                                                                              • API String ID: 4218848986-3692346498
                                                                                                              • Opcode ID: de38367fedb87aa5a2bff556da512f7ee7930c64a7fd085d76e93b35f3d9ec96
                                                                                                              • Instruction ID: 2bf115d15dbe0bcb9188bb74c83d11ae929f206b8365c66a6bf52553599ef447
                                                                                                              • Opcode Fuzzy Hash: de38367fedb87aa5a2bff556da512f7ee7930c64a7fd085d76e93b35f3d9ec96
                                                                                                              • Instruction Fuzzy Hash: 1451C575A0420AABDB109F94CC42BBE77B8EB44B10F14413AF905E73D0EB72A905C7B1
                                                                                                              APIs
                                                                                                              • GetProcessHeap.KERNEL32 ref: 00E025D9
                                                                                                              • __Init_thread_footer.LIBCMT ref: 00E02608
                                                                                                                • Part of subcall function 00E63D26: EnterCriticalSection.KERNEL32(00F519F4,?,?,?,00E0405B,00F4E7A4,EEAE26D7,?,?,00EE26D8,000000FF,?,00E053DC,EEAE26D7), ref: 00E63D31
                                                                                                                • Part of subcall function 00E63D26: LeaveCriticalSection.KERNEL32(00F519F4,?,?,00E0405B,00F4E7A4,EEAE26D7,?,?,00EE26D8,000000FF,?,00E053DC,EEAE26D7), ref: 00E63D6E
                                                                                                              • __Init_thread_footer.LIBCMT ref: 00E0268C
                                                                                                              • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(optNoShowAgain,80070057,80070057,?,?), ref: 00E026B8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalInit_thread_footerSection$ControlControl@EnterFindHeapI@2@LeaveLib@@ManagerPaintProcess
                                                                                                              • String ID: .xml$optNoShowAgain
                                                                                                              • API String ID: 2721581611-522237678
                                                                                                              • Opcode ID: 3824d80ed83ffa63bbafbf70b81bf3b9920583d9bbf16239231c53f36ea9ab13
                                                                                                              • Instruction ID: 03ad9e8010a4c5406e7c491973ab6595641393cfd2aef8a2a9cb5de452b2d132
                                                                                                              • Opcode Fuzzy Hash: 3824d80ed83ffa63bbafbf70b81bf3b9920583d9bbf16239231c53f36ea9ab13
                                                                                                              • Instruction Fuzzy Hash: 4A510374A00208DFD710DF68EC49B6EBBE4FB54324F10455CEA25AB3D1DB756900EBA2
                                                                                                              APIs
                                                                                                              • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(comboFontSize,EEAE26D7,?,6C494A20), ref: 00E38F48
                                                                                                              • ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU ref: 00E38FA0
                                                                                                              • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(00000000), ref: 00E38FBC
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(edtFontSize,00000000), ref: 00E39044
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$String@$Base@ControlControl@FindI@2@ImplItemManagerPaintTextWindow
                                                                                                              • String ID: comboFontSize$edtFontSize
                                                                                                              • API String ID: 724193978-672181069
                                                                                                              • Opcode ID: 3f433a109b44297bfec274755440f0dfb51318171be0775687709e5bb7b3444f
                                                                                                              • Instruction ID: 8b0e43a5e217b53bd63cb69fc33d99dab1d4fbf908a54b250aea665af2994b82
                                                                                                              • Opcode Fuzzy Hash: 3f433a109b44297bfec274755440f0dfb51318171be0775687709e5bb7b3444f
                                                                                                              • Instruction Fuzzy Hash: 2941C430A01609DFD714DB78CC59BAAFBB4FF45714F0482A8E41AA7292DB74AD44CF91
                                                                                                              APIs
                                                                                                              • ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(?,00EF8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,EEAE26D7), ref: 00E3C351
                                                                                                              • ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU ref: 00E3C369
                                                                                                              • ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU ref: 00E3C371
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@WindowWnd@$CenterCreate@D__@@Modal@ShowU__@@@Window@
                                                                                                              • String ID: Message$NoSelectedArea$Title
                                                                                                              • API String ID: 4232685419-1162752447
                                                                                                              • Opcode ID: f3763fa133f740338b334dca353100e310d8832fb21a1365eefed56f94a73156
                                                                                                              • Instruction ID: aff28899534c2fb5e0db571c9d316ecaaaf5caa92d75698e369224cf2152ad71
                                                                                                              • Opcode Fuzzy Hash: f3763fa133f740338b334dca353100e310d8832fb21a1365eefed56f94a73156
                                                                                                              • Instruction Fuzzy Hash: 6E418F71A00609AFCB11CFA9CC49B9EFBB5FF45724F248269E825B72D1C7759A00CB80
APIs
• InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00DC8E70
• lstrcpyW.KERNEL32(?,?), ref: 00DC8E9C
• lstrcatW.KERNEL32(?,.upd), ref: 00DC8EAE
  • Part of subcall function 00DC8BE0: InternetOpenW.WININET(MyDownLoad,00000000,00000000,00000000,00000000), ref: 00DC8C1F
  • Part of subcall function 00DC8BE0: InternetConnectW.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00DC8C41
  • Part of subcall function 00DC8BE0: HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,00400000,00000000), ref: 00DC8C6B
  • Part of subcall function 00DC8BE0: HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DC8C84
  • Part of subcall function 00DC8BE0: HttpQueryInfoW.WININET(00000000,00000013,?,?,00000000), ref: 00DC8CAF
  • Part of subcall function 00DC8BE0: HttpQueryInfoW.WININET(00000000,00000005,?,00000200,00000000), ref: 00DC8D0D
• MoveFileExW.KERNEL32(?,?,00000001), ref: 00DC8EE4
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Http$Internet$InfoOpenQueryRequest$ConnectCrackFileMoveSendlstrcatlstrcpy
• String ID: .upd$<
• API String ID: 2930631969-1194390555
APIs
• ??0CWaitCursor@DuiLib@@QAE@PAUHWND__@@@Z.YCOMUIU(00000000,EEAE26D7,?,?,?,80004005), ref: 00E2C56E
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,80004005), ref: 00E2C58A
  • Part of subcall function 00DF4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF4167
• SHCreateDirectoryExW.SHELL32(00000000,?,00000000,?,?,?,?,?,80004005), ref: 00E2C5D2
• ??1CWaitCursor@DuiLib@@QAE@XZ.YCOMUIU ref: 00E2C64B
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Wait$Cursor@Lib@@$CreateD__@@@DirectoryException@8ObjectSingleThrow
• String ID: %s//%s//$data2
• API String ID: 3658049664-229016458
APIs
• ??0CWaitCursor@DuiLib@@QAE@PAUHWND__@@@Z.YCOMUIU(00000000,EEAE26D7,?,?,?,80004005), ref: 00E2EC6E
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,80004005), ref: 00E2EC8A
  • Part of subcall function 00DF4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF4167
• SHCreateDirectoryExW.SHELL32(00000000,?,00000000,?,?,?,?,?,80004005), ref: 00E2ECD2
• ??1CWaitCursor@DuiLib@@QAE@XZ.YCOMUIU ref: 00E2ED4B
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Wait$Cursor@Lib@@$CreateD__@@@DirectoryException@8ObjectSingleThrow
• String ID: %s//%s//$data2
• API String ID: 3658049664-229016458
APIs
• ??0CWaitCursor@DuiLib@@QAE@PAUHWND__@@@Z.YCOMUIU(00000000,EEAE26D7), ref: 00E2C43E
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00E2C45A
  • Part of subcall function 00DF4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF4167
• SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00E2C4A2
• ??1CWaitCursor@DuiLib@@QAE@XZ.YCOMUIU ref: 00E2C51C
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Wait$Cursor@Lib@@$CreateD__@@@DirectoryException@8ObjectSingleThrow
• String ID: %s//%s//$data2
• API String ID: 3658049664-229016458
APIs
• ??0CWaitCursor@DuiLib@@QAE@PAUHWND__@@@Z.YCOMUIU(00000000,EEAE26D7), ref: 00E2EB3E
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00E2EB5A
  • Part of subcall function 00DF4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF4167
• SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00E2EBA2
• ??1CWaitCursor@DuiLib@@QAE@XZ.YCOMUIU ref: 00E2EC1C
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Wait$Cursor@Lib@@$CreateD__@@@DirectoryException@8ObjectSingleThrow
• String ID: %s//%s//$data2
• API String ID: 3658049664-229016458
APIs
• IsWindowVisible.USER32(?), ref: 00E10956
• ShowWindow.USER32(?,00000005), ref: 00E10965
• ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU ref: 00E10980
• GetParent.USER32(?), ref: 00E10989
• GetWindowRect.USER32(00000000,?), ref: 00E10998
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00E109BA
• InvalidateRect.USER32(?,00000000,00000000,?,?), ref: 00E109EC
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Window$Rect$InvalidateLib@@MoveParentRect@ShowVisible
• String ID:
• API String ID: 1983427349-0
                                                                                                              APIs
                                                                                                              • ??0CWndUI@DuiLib@@QAE@XZ.YCOMUIU ref: 00E33322
                                                                                                              • ?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(00000000,00000000,00000000), ref: 00E33342
                                                                                                              • CreateWindowExW.USER32(00000000,#32770,WndMediaDisplay,50000000,00000000,00000000,00000000,00000000,00000000), ref: 00E33362
                                                                                                              • ?Attach@CWndUI@DuiLib@@QAEHPAUHWND__@@@Z.YCOMUIU(00000000), ref: 00E3336B
                                                                                                              Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Lib@@$Paint$Attach@CreateD__@@D__@@@ManagerWindowWindow@
• String ID: #32770$WndMediaDisplay
• API String ID: 3125959125-3767642318
• Opcode ID: c8033c29b021a70d6627a24bb0f4b548abf5d02c21ef3f98b8ab7429d94f229b
• Instruction ID: 4b411c3e0562f308732eb3de32d8e33b46730f01fc5d6ad35a88e0cabe5474de
• Opcode Fuzzy Hash: c8033c29b021a70d6627a24bb0f4b548abf5d02c21ef3f98b8ab7429d94f229b
• Instruction Fuzzy Hash: 0021C476744204ABD3209F64DC06FAABBA4FB55F24F10822AF911F76D0E7B0AA00C794
APIs
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,Guide,00000000,00000001,?,EEAE26D7,?,00000000,?,?,?,00EE8A82,000000FF), ref: 00E3C3F6
• ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(FFFFFFFF,00EF8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E3C456
• ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU ref: 00E3C45E
• SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,Guide,00000004,?), ref: 00E3C486
Strings
Similarity
• API ID: Lib@@ValueWindowWnd@$Create@D__@@Modal@ShowU__@@@
• String ID: Guide$Software\EasePaintWatermarkRemover
• API String ID: 1895500408-2466343132
• Opcode ID: 270e54dbbedb34eb3f823a5c888647f6fc00c8b785f0a3d9bc4c89cde5aad6ab
• Instruction ID: 85975bc7b7ec28ee75dbdb64bdf5c8acf0058fc1e883b20ff42db7d203c35669
• Opcode Fuzzy Hash: 270e54dbbedb34eb3f823a5c888647f6fc00c8b785f0a3d9bc4c89cde5aad6ab
• Instruction Fuzzy Hash: 392190B1640318BFDB109F50CD19FBABBA8EB44B54F104219FD25B62C0D7B19904D794
APIs
• SHGetValueW.SHLWAPI(80000000,HTTP\shell\open\command,00000000,00000000,?,00000208), ref: 00DFCEE7
• PathRemoveArgsW.SHLWAPI(?), ref: 00DFCEF8
• PathUnquoteSpacesW.SHLWAPI(?), ref: 00DFCF05
• PathFindFileNameW.SHLWAPI(?,?), ref: 00DFCF13
• lstrcpynW.KERNEL32(?,00000000), ref: 00DFCF1B
Strings
• HTTP\shell\open\command, xrefs: 00DFCEDD
Similarity
• API ID: Path$ArgsFileFindNameRemoveSpacesUnquoteValuelstrcpyn
• String ID: HTTP\shell\open\command
• API String ID: 3594999989-1610516749
• Opcode ID: 97f0e951380bc9417779f1dd67e52e706eaaba64d3e5df15b4dc5bbbf7ec458a
• Instruction ID: e8f556d91dcaae085ae3562457bf8cd036ea14943841d3acbe05b946a548c6b5
• Opcode Fuzzy Hash: 97f0e951380bc9417779f1dd67e52e706eaaba64d3e5df15b4dc5bbbf7ec458a
• Instruction Fuzzy Hash: 95114271A4121CAFDF10DFA4DC49FEE73BCEF95701F104196B909E6141DA70AA488B54
APIs
• ReleaseMutex.KERNEL32(?,EEAE26D7,?,?,?,?,00EE4DCB,000000FF), ref: 00E24444
• SetEvent.KERNEL32(?,?,?,?,?,00EE4DCB,000000FF), ref: 00E2444D
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00EE4DCB,000000FF), ref: 00E2445C
• CloseHandle.KERNEL32(00000000,?,?,?,?,00EE4DCB,000000FF), ref: 00E24470
• CloseHandle.KERNEL32(?,?,?,?,?,00EE4DCB,000000FF), ref: 00E2447C
• CloseHandle.KERNEL32(?,?,?,?,?,00EE4DCB,000000FF), ref: 00E24486
• CloseHandle.KERNEL32(?,?,?,?,?,00EE4DCB,000000FF), ref: 00E24497
Similarity
• API ID: CloseHandle$EventMutexObjectReleaseSingleWait
• String ID:
• API String ID: 573140249-0
• Opcode ID: 5a18d3c07de5f76d8af9081fecbd65a6a19f8b6941b875ee88c9263ef7f053bf
• Instruction ID: ec261631fd6bb73994418fa447407712e49f0a9b0b194b0fa341fe95065ab7a3
• Opcode Fuzzy Hash: 5a18d3c07de5f76d8af9081fecbd65a6a19f8b6941b875ee88c9263ef7f053bf
• Instruction Fuzzy Hash: FA110671500A14AFD720AF6AEC04B56BBF8EB45720F104B1AE466A36A0DB74A908CB90
APIs
• GdipSaveImageToFile.GDIPLUS(?,?,?,00000001), ref: 00E10ACD
Strings
Similarity
• API ID: FileGdipImageSave
• String ID: d$image/bmp$image/gif$image/jpeg$image/png
• API String ID: 1782942398-1483639712
• Opcode ID: 9284fc36bbdee3835df6b57d14bf5604294e2091812906193c4aa2d0ba73cb43
• Instruction ID: 25cb7b17e0c7cd7f9c3a55d1d04d1b764559e4b1c26903766ce25e325fb0798b
• Opcode Fuzzy Hash: 9284fc36bbdee3835df6b57d14bf5604294e2091812906193c4aa2d0ba73cb43
• Instruction Fuzzy Hash: 02115871A01208EBDB10DF94D941AEEB7F9FF45314F10915AE806B7241E7B1AEC4AB90
APIs
• ?GetFont@CPaintManagerUI@DuiLib@@QAEPAUHFONT__@@H@Z.YCOMUIU(00000000), ref: 00E34045
• ?GetPaintDC@CPaintManagerUI@DuiLib@@QBEPAUHDC__@@XZ.YCOMUIU(00000000), ref: 00E34054
• SelectObject.GDI32(00000000), ref: 00E34057
• ?GetPaintDC@CPaintManagerUI@DuiLib@@QBEPAUHDC__@@XZ.YCOMUIU(?,?,?), ref: 00E34088
• GetTextExtentPoint32W.GDI32(00000000), ref: 00E3408B
• ?GetPaintDC@CPaintManagerUI@DuiLib@@QBEPAUHDC__@@XZ.YCOMUIU(?), ref: 00E340A0
• SelectObject.GDI32(00000000), ref: 00E340A3
Similarity
• API ID: Paint$Lib@@Manager$C__@@$ObjectSelect$ExtentFont@Point32T__@@Text
• String ID:
• API String ID: 2082224380-0
• Opcode ID: 9d5781f4657bfc724b97df6125da6b13c41793314c6da6431a9cec72c3fc046d
• Instruction ID: 6be0486ca25cf6b7284ac3857f744ee4e57c18d072ef71a28e88bd9fa61243a3
• Opcode Fuzzy Hash: 9d5781f4657bfc724b97df6125da6b13c41793314c6da6431a9cec72c3fc046d
• Instruction Fuzzy Hash: 220192B9B00208AFCB149F65DC88DBE7F79EF84394B144055ED05A7390DA31DE05CAA0
APIs
• ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(windowinit), ref: 00E061F2
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(DlgFrame), ref: 00E0620C
• ?SetBorderSize@CControlUI@DuiLib@@QAEXH@Z.YCOMUIU(00000000), ref: 00E0624B
• ?SetBorderSize@CControlUI@DuiLib@@QAEXUtagRECT@@@Z.YCOMUIU ref: 00E0625F
Strings
Similarity
• API ID: Lib@@$Control$BorderSize@$Control@FindI@2@ManagerPaintString@T@@@Utag
• String ID: DlgFrame$windowinit
• API String ID: 3871759311-3490495730
• Opcode ID: 71066547386450fa8a99a575941458cd3a1663264d7f900d3aa4f9d06b99528d
• Instruction ID: 202ce8ee592734b97852b50d0758e83d304f98af32cc4d7b38b35fc4a109ab46
• Opcode Fuzzy Hash: 71066547386450fa8a99a575941458cd3a1663264d7f900d3aa4f9d06b99528d
• Instruction Fuzzy Hash: FB11C130A00209DBCB01DF7CD908ABDF7B1FF98304F145268E805A72A1EB309EA4D791
APIs
  • Part of subcall function 00DD8610: InternetCloseHandle.WININET(?), ref: 00DD863F
  • Part of subcall function 00DD8610: InternetCloseHandle.WININET(?), ref: 00DD8649
  • Part of subcall function 00DD8610: InternetCloseHandle.WININET(?), ref: 00DD8653
• __CxxThrowException@8.LIBVCRUNTIME ref: 00DDA559
  • Part of subcall function 00E83E56: RaiseException.KERNEL32(?,?,EEAE26D7,?,?,?,?,?,?,00E056AD,80004005,EEAE26D7), ref: 00E83EB6
  • Part of subcall function 00DD6400: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD6427
  • Part of subcall function 00DD6590: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD65AF
• GetLastError.KERNEL32(00000000,CHttpClientT::_ProceedUploadContext: nDesired can not be zero.,00000000,CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.,00000000,CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.,00000000,CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.,00000000,00000068), ref: 00DDA597
  • Part of subcall function 00DD6430: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD6477
Strings
• CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL., xrefs: 00DDA573
• CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL., xrefs: 00DDA567
• CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL., xrefs: 00DDA57F
• CHttpClientT::_ProceedUploadContext: nDesired can not be zero., xrefs: 00DDA58B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throw$CloseHandleInternet$ErrorExceptionLastRaise
                                                                                                              • String ID: CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.$CHttpClientT::_ProceedUploadContext: nDesired can not be zero.
                                                                                                              • API String ID: 3363223308-1511392354
                                                                                                              • Opcode ID: 715e7babae5b869efb907c7525f3bf26541a7cea3f6c0c6430d644ec59bd4dc8
                                                                                                              • Instruction ID: 675c2c43a740fbe7f8bb519a62b574aca1a0ad0e3f912dce079f081b9ad1a4f4
                                                                                                              • Opcode Fuzzy Hash: 715e7babae5b869efb907c7525f3bf26541a7cea3f6c0c6430d644ec59bd4dc8
                                                                                                              • Instruction Fuzzy Hash: 01014F30A84304BAE610B7A4DC07F6D3265DB84B09F14452BF3087D2D6CEB6A985867B
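The Memory Dump Source names in each entry encode where the dumped region sat in the analysed process and how it was mapped. The script below is an added example written for this report, not Joe Sandbox code: it pulls every `.sdmp` name out of a chunk of report text and decodes the two fields that line up with documented Win32 values. The positional layout it assumes (process index, run, dump id, base address, page protection, an undecoded field, memory type, index) is an inference from the names on this page and is labelled as such; the protection decode uses the winnt.h PAGE_* constants and the type decode the MEM_PRIVATE/MEM_MAPPED/MEM_IMAGE constants, which are documented. The sample input is the eight names from the entry above, copied verbatim.

```python
"""Decode Joe Sandbox memory-dump names such as
00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp

Added example for this report; not Joe Sandbox code. Everything except the
Win32 constants below is an ASSUMED field layout inferred from this page."""
import re
from dataclasses import dataclass

# winnt.h page-protection values; the low byte of the 5th name field matches them.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80
# MEMORY_BASIC_INFORMATION.Type values; the 7th name field matches them.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED layout: proc.run.dumpid.base.protect.unknown.type.index.sdmp
_NAME = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<run>[0-9A-F]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<unknown>[0-9A-F]{8})\."
    r"(?P<mtype>[0-9A-F]{8})\.(?P<index>[0-9A-F]{8})\.sdmp"
)


@dataclass(frozen=True)
class Region:
    name: str
    proc: int
    base: int
    protect: int
    mtype: int
    index: int

    @property
    def protect_name(self) -> str:
        low = self.protect & 0xFF
        names = [PAGE_PROTECT.get(low, f"0x{low:02X}")]
        for bit, label in ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"), (0x400, "PAGE_WRITECOMBINE")):
            if self.protect & bit:
                names.append(label)
        return "|".join(names)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mtype, f"0x{self.mtype:X}")

    @property
    def writable_and_executable(self) -> bool:
        low = self.protect & 0xFF
        return bool(low & EXEC_MASK) and bool(low & WRITE_MASK)


def parse_dump_name(name: str):
    """One dump file name -> Region, or None if it does not fit the assumed layout."""
    m = _NAME.fullmatch(name.strip())
    if not m:
        return None
    return Region(name=m.group(0), proc=int(m["proc"], 16), base=int(m["base"], 16),
                  protect=int(m["protect"], 16), mtype=int(m["mtype"], 16),
                  index=int(m["index"], 16))


def regions_in(text: str) -> list:
    """Every distinct dump name found in report text, sorted by base address."""
    seen = {}
    for m in _NAME.finditer(text):
        region = parse_dump_name(m.group(0))
        seen.setdefault(region.name, region)
    return sorted(seen.values(), key=lambda r: r.base)


def layout(regions) -> list:
    """(base, protection, type) per region, i.e. the runtime map of the dumped image."""
    return [(f"0x{r.base:08X}", r.protect_name, r.type_name) for r in regions]


def wx_regions(regions) -> list:
    """Regions mapped both writable and executable at dump time."""
    return [r for r in regions if r.writable_and_executable]


# Constructed sample: the eight names listed in the entry above, copied verbatim.
SAMPLE = """
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
"""

if __name__ == "__main__":
    regs = regions_in(SAMPLE)
    for row in layout(regs):
        print(*row)
    print("W+X regions:", [f"0x{r.base:08X}" for r in wx_regions(regs)])
```

For the names on this page the decode gives a read-only header page at 0x00DC0000, an execute-read region at 0x00DC1000, read-write and write-copy data regions from 0x00F45000 upward, all of type MEM_IMAGE, and no region that is both writable and executable. Note that this reflects the protection Joe Sandbox recorded for the mapped region at dump time, which is a different thing from the section characteristics in the PE header that the "writeable .text section" signature is about; the two are worth comparing rather than treating as one observation.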
                                                                                                              APIs
                                                                                                              • IsWindow.USER32(?), ref: 00E36EA4
                                                                                                              • DestroyWindow.USER32(?), ref: 00E36EB6
                                                                                                              • IsWindow.USER32(?), ref: 00E36EBE
                                                                                                              • DestroyWindow.USER32(?), ref: 00E36ECA
                                                                                                              • IsWindow.USER32(?), ref: 00E36ED2
                                                                                                              • DestroyWindow.USER32(?), ref: 00E36EDE
                                                                                                              • ?OnDestroy@WindowImplBase@DuiLib@@UAEJIIJAAH@Z.YCOMUIU(?,?,?,?), ref: 00E36EEE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Destroy$Base@Destroy@ImplLib@@
                                                                                                              • String ID:
                                                                                                              • API String ID: 2472689208-0
                                                                                                              • Opcode ID: fcb1d0543c4de4f8d81de5e4eb3efe36731c3daaafa94e88852c37d91ff30f0c
                                                                                                              • Instruction ID: 6cb3da4e41f1bc24942a11c1d0666d347be910a7b57ebbf0e5ca6de13ef29d36
                                                                                                              • Opcode Fuzzy Hash: fcb1d0543c4de4f8d81de5e4eb3efe36731c3daaafa94e88852c37d91ff30f0c
                                                                                                              • Instruction Fuzzy Hash: A3F0FF31200646AFDB216F77EC44EAB7FAAFF84750F104425E859A1130CA73EC24EB60
                                                                                                              APIs
                                                                                                                • Part of subcall function 00DD85C0: InternetCloseHandle.WININET(?), ref: 00DD85EF
                                                                                                                • Part of subcall function 00DD85C0: InternetCloseHandle.WININET(?), ref: 00DD85F9
                                                                                                                • Part of subcall function 00DD85C0: InternetCloseHandle.WININET(?), ref: 00DD8603
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00DDA0D8
                                                                                                                • Part of subcall function 00E83E56: RaiseException.KERNEL32(?,?,EEAE26D7,?,?,?,?,?,?,00E056AD,80004005,EEAE26D7), ref: 00E83EB6
                                                                                                                • Part of subcall function 00DD61D0: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD61F7
                                                                                                                • Part of subcall function 00DD62B0: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD62CF
                                                                                                              • GetLastError.KERNEL32(00000000,CHttpClientT::_ProceedUploadContext: nDesired can not be zero.,00000000,CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.,00000000,CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.,00000000,CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.,00000000,00000068), ref: 00DDA116
                                                                                                                • Part of subcall function 00DD6200: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD6247
                                                                                                              Strings
                                                                                                              • CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL., xrefs: 00DDA0E6
                                                                                                              • CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL., xrefs: 00DDA0FE
                                                                                                              • CHttpClientT::_ProceedUploadContext: nDesired can not be zero., xrefs: 00DDA10A
                                                                                                              • CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL., xrefs: 00DDA0F2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throw$CloseHandleInternet$ErrorExceptionLastRaise
                                                                                                              • String ID: CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.$CHttpClientT::_ProceedUploadContext: nDesired can not be zero.
                                                                                                              • API String ID: 3363223308-1511392354
                                                                                                              • Opcode ID: a390ecf639695e266956bdebd1f5bd8bcc0e5a78e4a9c8020b95edc52f4fbf91
                                                                                                              • Instruction ID: 57e78aefdf2b0db0d885b2f0266edc8a323cd9068a22fd1814dc734bf1ad2571
                                                                                                              • Opcode Fuzzy Hash: a390ecf639695e266956bdebd1f5bd8bcc0e5a78e4a9c8020b95edc52f4fbf91
                                                                                                              • Instruction Fuzzy Hash: 8CF04E30B88318BAE6567BE49C07F6C2A26DF45F01F205502F705396D6CDD1B910AABE
                                                                                                              APIs
                                                                                                              • ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(00000096,?,00E2ABE1), ref: 00E5E3BA
                                                                                                              • KillTimer.USER32(00000000,?,00E2ABE1), ref: 00E5E3C1
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(wndMedia,00000000,?,00E2ABE1), ref: 00E5E3D0
                                                                                                              • WaitForSingleObject.KERNEL32(?,000249F0,?,00E2ABE1), ref: 00E5E3F7
                                                                                                              • CloseHandle.KERNEL32(?,?,00E2ABE1), ref: 00E5E405
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@Window$Base@CloseD__@@HandleImplKillObjectShowSingleTimerWaitWindow@Wnd@
                                                                                                              • String ID: wndMedia
                                                                                                              • API String ID: 1340191913-3868476417
                                                                                                              • Opcode ID: 1caa329eedd85e1127f716b41ecf294dd487fb253e3c44ddbd05ff8409ed64ae
                                                                                                              • Instruction ID: a9153205ff00d55005724294f0fce20791e3442b26d592c63eeb4745d2f45d74
                                                                                                              • Opcode Fuzzy Hash: 1caa329eedd85e1127f716b41ecf294dd487fb253e3c44ddbd05ff8409ed64ae
                                                                                                              • Instruction Fuzzy Hash: 0EF034303403119FEB289F65EE4DB2677E8BF44B02F104828F996E7690CE70E808DB14
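The "APIs" bullets in these entries follow one line format: an optional `Part of subcall function XXXXXXXX:` prefix, then `Name.MODULE(arg,arg,...)` with `?` for arguments the plugin could not resolve and 8-digit hex for the ones it could, then `ref:` and the call-site address. Reading argument values out of them by eye is error-prone (the `WaitForSingleObject` above carries `000249F0`, which is 150000 ms, i.e. a 150 s wait), so the script below, an added example written for this report and not Joe Sandbox code, parses those bullets into records and pulls out the values a triager looks for first: resolved wait timeouts, string literals passed as arguments, and per-module call counts. It accepts only the line shape visible on this page; the argument positions for `WaitForSingleObject` (second) and `Sleep` (first) are the documented Win32 signatures. The sample input is the two API lists from the `_ProceedUploadContext` entry and the `wndMedia` entry above, copied verbatim.

```python
"""Parse the per-function "APIs" bullets emitted by the Joe Sandbox IDA plugin
into structured records. Added example for this report; not Joe Sandbox code.
Only the line shape visible on this page is handled."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Optional "Part of subcall function XXXXXXXX:" prefix, then Name.MODULE,
# optional "(args)", then ", ref: XXXXXXXX" (the comma is absent when there are no parens).
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>.+?)\.(?P<mod>[A-Z0-9_]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
_HEX8 = re.compile(r"^[0-9A-F]{8}$")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                          # call-site address
    args: list = field(default_factory=list)
    subcall: Optional[int] = None     # callee address when reported as "Part of subcall function"


def decode_arg(tok: str):
    """'?' -> None (unresolved), 8 hex digits -> int, anything else -> the literal string."""
    tok = tok.strip()
    if tok == "?":
        return None
    if _HEX8.match(tok):
        return int(tok, 16)
    return tok


def parse_api_lines(text: str) -> list:
    """All API bullets in the text, in order; headings and non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        # Argument strings on this page contain no commas, so a plain split is safe.
        args = [decode_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append(ApiCall(m["name"], m["mod"], int(m["ref"], 16), args,
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def wait_timeouts_ms(calls: list) -> dict:
    """call-site address -> dwMilliseconds for WaitForSingleObject (2nd arg) and Sleep (1st arg)
    calls whose timeout argument was resolved to a number."""
    position = {"WaitForSingleObject": 1, "Sleep": 0}
    out = {}
    for c in calls:
        i = position.get(c.name)
        if i is not None and len(c.args) > i and isinstance(c.args[i], int):
            out[c.ref] = c.args[i]
    return out


def string_args(calls: list) -> list:
    """Literal strings passed as arguments (assertion messages, window names), first-seen order."""
    seen = []
    for c in calls:
        for a in c.args:
            if isinstance(a, str) and a not in seen:
                seen.append(a)
    return seen


def calls_per_module(calls: list) -> Counter:
    return Counter(c.module for c in calls)


# Constructed sample: the two API lists from the entries above, copied verbatim.
SAMPLE = """
  • Part of subcall function 00DD8610: InternetCloseHandle.WININET(?), ref: 00DD863F
  • Part of subcall function 00DD8610: InternetCloseHandle.WININET(?), ref: 00DD8649
  • Part of subcall function 00DD8610: InternetCloseHandle.WININET(?), ref: 00DD8653
• __CxxThrowException@8.LIBVCRUNTIME ref: 00DDA559
  • Part of subcall function 00E83E56: RaiseException.KERNEL32(?,?,EEAE26D7,?,?,?,?,?,?,00E056AD,80004005,EEAE26D7), ref: 00E83EB6
  • Part of subcall function 00DD6400: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD6427
  • Part of subcall function 00DD6590: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD65AF
• GetLastError.KERNEL32(00000000,CHttpClientT::_ProceedUploadContext: nDesired can not be zero.,00000000,CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.,00000000,CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.,00000000,CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.,00000000,00000068), ref: 00DDA597
  • Part of subcall function 00DD6430: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD6477
• ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(00000096,?,00E2ABE1), ref: 00E5E3BA
• KillTimer.USER32(00000000,?,00E2ABE1), ref: 00E5E3C1
• ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(wndMedia,00000000,?,00E2ABE1), ref: 00E5E3D0
• WaitForSingleObject.KERNEL32(?,000249F0,?,00E2ABE1), ref: 00E5E3F7
• CloseHandle.KERNEL32(?,?,00E2ABE1), ref: 00E5E405
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for ref, ms in wait_timeouts_ms(calls).items():
        print(f"wait at {ref:08X}: {ms} ms ({ms / 1000:.0f} s)")
    print(calls_per_module(calls))
    print(string_args(calls))
```

Run over a whole report rather than one entry, `wait_timeouts_ms` gives every resolved wait or sleep with its call site, which is the quickest way to see how a "long sleeps" verdict was reached and whether any single wait actually crosses the threshold; `string_args` collects the literals the plugin saw at call sites, which on this page are the `CHttpClientT` assertion messages and the `wndMedia` window name, handy for telling library and host-application code apart from anything more interesting.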
                                                                                                              APIs
                                                                                                              • __allrem.LIBCMT ref: 00EA0200
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA021C
                                                                                                              • __allrem.LIBCMT ref: 00EA0233
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA0251
                                                                                                              • __allrem.LIBCMT ref: 00EA0268
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA0286
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                              • String ID:
                                                                                                              • API String ID: 1992179935-0
                                                                                                              • Opcode ID: ac93dafefa184fc2443a2b6ba8d55c18c1fd927c944c74d6e144d83b47adcd08
                                                                                                              • Instruction ID: 0cc174ac9890a10ff0b27bf8a87cf369f08b21ce8f573e0e64587dc04b96724f
                                                                                                              • Opcode Fuzzy Hash: ac93dafefa184fc2443a2b6ba8d55c18c1fd927c944c74d6e144d83b47adcd08
                                                                                                              • Instruction Fuzzy Hash: B181F9726007069BE7249A68CC91B9B73E9EF5A324F14552EF451FF292E770F9018750
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __freea
                                                                                                              • String ID: a/p$am/pm$w
                                                                                                              • API String ID: 240046367-1420824374
                                                                                                              • Opcode ID: 85691b2572b45e3e211f1695feb7b8c7145026e25fed728926284d56e0133814
                                                                                                              • Instruction ID: f6dc44918c530298a4cfc8e1a57b83daafc5bf50b4d4b1d927f67d0e9bd947b1
                                                                                                              • Opcode Fuzzy Hash: 85691b2572b45e3e211f1695feb7b8c7145026e25fed728926284d56e0133814
                                                                                                              • Instruction Fuzzy Hash: 4CD1E231900206CADB289F68C995BFBFBB0FF05718F28615AE945BB251D3399D80CF91
                                                                                                              APIs
                                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 00DE0B5D
                                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 00DE0B80
                                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00DE0BA8
                                                                                                              • std::_Facet_Register.LIBCPMT ref: 00DE0C0D
                                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00DE0C37
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00DE0C61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                              • String ID:
                                                                                                              • API String ID: 2536120697-0
                                                                                                              • Opcode ID: a552bccbf3d656d73fcff2c5bd899b5ad6debb7d1e8382c85a7482bee483846d
                                                                                                              • Instruction ID: b9adc5319cc3758ed76a33e3b2bf5678cfe39281a75cf836b203e80a624af7a7
                                                                                                              • Opcode Fuzzy Hash: a552bccbf3d656d73fcff2c5bd899b5ad6debb7d1e8382c85a7482bee483846d
                                                                                                              • Instruction Fuzzy Hash: B8411531900388DFCB10EF55D841BAEBBF4FB14364F284659E804A7392D770AE45CBA1
                                                                                                              APIs
                                                                                                                • Part of subcall function 00E0DCC0: GdipDeleteGraphics.GDIPLUS(?), ref: 00E0DCD0
                                                                                                                • Part of subcall function 00E0DCC0: GdipFree.GDIPLUS(?,?), ref: 00E0DCD6
                                                                                                                • Part of subcall function 00E0DCC0: SelectObject.GDI32(?,?), ref: 00E0DCF6
                                                                                                                • Part of subcall function 00E0DCC0: DeleteDC.GDI32(?), ref: 00E0DD11
                                                                                                              • GetDC.USER32(?), ref: 00E1048C
                                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 00E10495
                                                                                                              • ReleaseDC.USER32(?,00000000), ref: 00E104A5
                                                                                                                • Part of subcall function 00E05840: DeleteObject.GDI32(?), ref: 00E0584F
                                                                                                                • Part of subcall function 00E05840: GetDC.USER32(?), ref: 00E058D5
                                                                                                                • Part of subcall function 00E05840: CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00E058E6
                                                                                                                • Part of subcall function 00E05840: ReleaseDC.USER32(00000000,00000000), ref: 00E058F7
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 00E104D6
                                                                                                              • GdipAlloc.GDIPLUS(00000008,?,?,?,?,?,00EE3E4B,000000FF), ref: 00E104EA
                                                                                                              • GdipCreateFromHDC.GDIPLUS(?,?,00000008,?,?,?,?,?,00EE3E4B,000000FF), ref: 00E1050B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Gdip$CreateDeleteObject$ReleaseSelect$AllocCompatibleFreeFromGraphicsSection
                                                                                                              • String ID:
                                                                                                              • API String ID: 645989474-0
                                                                                                              • Opcode ID: d514ccc9ef38b44b736ab9351ae2dbaa316fdb93d9eec140b0fc6e03b73475ca
                                                                                                              • Instruction ID: e69526a8be790c06ffc7b9e799e868b6378c6565160b9a032d7fb14036653236
                                                                                                              • Opcode Fuzzy Hash: d514ccc9ef38b44b736ab9351ae2dbaa316fdb93d9eec140b0fc6e03b73475ca
                                                                                                              • Instruction Fuzzy Hash: C2216872500749EFDB21DF65CC85BAABBA9FB48710F04467AFD19AB291DB719800CB60
                                                                                                              APIs
                                                                                                                • Part of subcall function 00E12580: GdipDeleteGraphics.GDIPLUS(?), ref: 00E12590
                                                                                                                • Part of subcall function 00E12580: GdipFree.GDIPLUS(?,?), ref: 00E12596
                                                                                                                • Part of subcall function 00E12580: SelectObject.GDI32(?,?), ref: 00E125B6
                                                                                                                • Part of subcall function 00E12580: DeleteDC.GDI32(?), ref: 00E125D1
                                                                                                              • GetDC.USER32(?), ref: 00E12E3C
                                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 00E12E45
                                                                                                              • ReleaseDC.USER32(?,00000000), ref: 00E12E55
                                                                                                                • Part of subcall function 00E05840: DeleteObject.GDI32(?), ref: 00E0584F
                                                                                                                • Part of subcall function 00E05840: GetDC.USER32(?), ref: 00E058D5
                                                                                                                • Part of subcall function 00E05840: CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00E058E6
                                                                                                                • Part of subcall function 00E05840: ReleaseDC.USER32(00000000,00000000), ref: 00E058F7
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 00E12E80
                                                                                                              • GdipAlloc.GDIPLUS(00000008,?,?,?,?,?,00EE418B,000000FF), ref: 00E12E94
                                                                                                              • GdipCreateFromHDC.GDIPLUS(?,?,00000008,?,?,?,?,?,00EE418B,000000FF), ref: 00E12EB5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Gdip$CreateDeleteObject$ReleaseSelect$AllocCompatibleFreeFromGraphicsSection
                                                                                                              • String ID:
                                                                                                              • API String ID: 645989474-0
                                                                                                              • Opcode ID: 6e56b3b21aec7147e19df96ad393ba31c8b18e6bde517e566341ab377fec8a84
                                                                                                              • Instruction ID: c1df9a3213978345bdf325d4fdb8c9f46408f273f48552cecc23f3f029194af3
                                                                                                              • Opcode Fuzzy Hash: 6e56b3b21aec7147e19df96ad393ba31c8b18e6bde517e566341ab377fec8a84
                                                                                                              • Instruction Fuzzy Hash: 60218D71500705EFDB119F65CC45BAA7BE8FF49710F04456AFD24AB291DB719910CB60
                                                                                                              APIs
                                                                                                              • ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU ref: 00E12416
                                                                                                              • GetClientRect.USER32(?,?), ref: 00E12423
                                                                                                              • ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E1242C
                                                                                                              • ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E1243D
                                                                                                              • ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E1245D
                                                                                                              • ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E1247E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@Rect@$Height@Width@$ClientRect
                                                                                                              • String ID:
                                                                                                              • API String ID: 1440935839-0
                                                                                                              • Opcode ID: 2e7227d2975db9c0a1dac1aa262dfbb6a85f74f52eeacf342dde13d253eaeb7f
                                                                                                              • Instruction ID: e0aa36002da5cc6226f7bd01d9c465f647e6e5904ae05a895208c3862291f99c
                                                                                                              • Opcode Fuzzy Hash: 2e7227d2975db9c0a1dac1aa262dfbb6a85f74f52eeacf342dde13d253eaeb7f
                                                                                                              • Instruction Fuzzy Hash: CF215332C0120D9FCB05EB7AD9454BEFB76EF6A740B588716A84172061EB302995CF80
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(?,?,00E869F6,00E841F7,?,?,00E23E2F,00E232D0,EEAE26D7), ref: 00E86A0D
                                                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E86A1B
                                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E86A34
                                                                                                              • SetLastError.KERNEL32(00000000,00E869F6,00E841F7,?,?,00E23E2F,00E232D0,EEAE26D7), ref: 00E86A86
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastValue___vcrt_
                                                                                                              • String ID:
                                                                                                              • API String ID: 3852720340-0
                                                                                                              • Opcode ID: 9afdddacfe39fda1fe7d71ff6ab1fc0b537223d355167f064632bd660a4231bf
                                                                                                              • Instruction ID: ea269efc9c8dffc1e08038e22efb8f171f2c00ab5ab7ef8c4a2d103f12fc8943
                                                                                                              • Opcode Fuzzy Hash: 9afdddacfe39fda1fe7d71ff6ab1fc0b537223d355167f064632bd660a4231bf
                                                                                                              • Instruction Fuzzy Hash: DB01247212A612EFE62837747C854272694EB26B7873053ADF92C740F2FF228C006340
                                                                                                              APIs
                                                                                                              • ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E12AD9
                                                                                                              • ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E12AE6
                                                                                                              • ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E12AF2
                                                                                                              • ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E12AFF
                                                                                                              • ??0CDuiPoint@DuiLib@@QAE@HH@Z.YCOMUIU(?,-00000001), ref: 00E12B17
                                                                                                              • ??4CDuiPoint@DuiLib@@QAEAAV01@$$QAV01@@Z.YCOMUIU(00000000), ref: 00E12B21
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$Rect@$Height@Point@Width@$V01@$$V01@@
                                                                                                              • String ID:
                                                                                                              • API String ID: 2448439131-0
                                                                                                              • Opcode ID: 4eecfdef59b6b58ed3e70ebd4350d267ef97e8231592edbbe9c669cd80d8eac5
                                                                                                              • Instruction ID: aeb25bc6c5bc6f2dbc09045c3d45a1cd791a5604d3e737c5fe5b996378bf432f
                                                                                                              • Opcode Fuzzy Hash: 4eecfdef59b6b58ed3e70ebd4350d267ef97e8231592edbbe9c669cd80d8eac5
                                                                                                              • Instruction Fuzzy Hash: 30112B325047458FC720DB6AD988AABFBF5EB94304B40092DE486D3661EF71A949CB50
                                                                                                              APIs
                                                                                                              • Sleep.KERNEL32(00000000), ref: 00E3C8E4
                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00E3C8F8
                                                                                                              • PathRemoveFileSpecW.SHLWAPI(?), ref: 00E3C905
                                                                                                                • Part of subcall function 00E03870: FindResourceW.KERNEL32(00000000,00000100,00000006,000000FF), ref: 00E038B2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$FindModuleNamePathRemoveResourceSleepSpec
                                                                                                              • String ID: LmRsbA==$LmV4ZQ==
                                                                                                              • API String ID: 2130153851-71768200
                                                                                                              • Opcode ID: 17e7e1bb582add40e51e68574e5410c4e152fb7c31846cc2f0eb94e5dd6810f9
                                                                                                              • Instruction ID: f8dd24dc41414e7416cf3337420aa43ac644439570858ab30efea5e314dc0d08
                                                                                                              • Opcode Fuzzy Hash: 17e7e1bb582add40e51e68574e5410c4e152fb7c31846cc2f0eb94e5dd6810f9
                                                                                                              • Instruction Fuzzy Hash: B3D19C708016599BDB20DB68CC9C79EFBB4EF50314F1442D9E409A7292EB759F88CFA0
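The String ID field of the function above, `LmRsbA==$LmV4ZQ==`, is two base64 tokens joined by the `$` separator Joe Sandbox uses between referenced strings. Decoding them gives `.dll` and `.exe`, which is consistent with the surrounding GetModuleFileName / PathRemoveFileSpec / FindResource / Sleep calls: the function compares module extensions against literals that are kept base64-encoded rather than in clear text. The helper below is an added triage example, not part of the Joe Sandbox report or of the analysed sample. It takes a String ID field as it appears in the report (the sample input is copied from this page), splits on `$`, and returns only the tokens that decode to printable ASCII; the length and alphabet checks are there so ordinary strings such as `comboFont` or `null` are not mis-reported as base64. Short tokens can still decode to printable bytes by chance, so treat hits as candidates to verify in the disassembly.

```python
"""Find and decode base64-encoded literals in a Joe Sandbox "String ID" field.

Added example for triage of this report; the sample field below is copied
from the report's function at ref 00EC3004's neighbour (API ID
File$FindModuleNamePathRemoveResourceSleepSpec).
"""
import base64
import binascii
import re
import string
from typing import Dict, List, Optional

# Constructed sample input: the String ID line of the function above.
SAMPLE_STRING_ID = "LmRsbA==$LmV4ZQ=="

# Standard base64 alphabet with optional padding; anything else is rejected early.
_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}


def split_string_id(field: str) -> List[str]:
    """Joe Sandbox joins the strings a function references with '$'."""
    return [tok for tok in field.split("$") if tok]


def try_b64(token: str) -> Optional[str]:
    """Return the decoded text if `token` is well-formed base64 that decodes
    to printable ASCII, otherwise None.

    Rejecting tokens whose length is not a multiple of four removes most
    plain identifiers (e.g. 'comboFont', 'DefSelectedFont') before decoding.
    """
    if len(token) % 4 or not _B64_TOKEN.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or not all(ch in _PRINTABLE for ch in text):
        return None
    return text


def decode_string_ids(field: str) -> Dict[str, str]:
    """Map every base64-looking token in a String ID field to its decoding."""
    result: Dict[str, str] = {}
    for tok in split_string_id(field):
        decoded = try_b64(tok)
        if decoded is not None:
            result[tok] = decoded
    return result


if __name__ == "__main__":
    for tok, text in decode_string_ids(SAMPLE_STRING_ID).items():
        print(f"{tok} -> {text!r}")
```

Run over the other String ID lines on this page (`DefSelectedFont$comboFont`, `%s%s$%s_%lld%s`, the ios_base messages) the helper returns nothing, so the two obfuscated extension literals are the only encoded strings in this part of the report.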
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(?,?,00E92F0B,?,?,?,00E8F0D7,?,?,?,?), ref: 00EC3004
                                                                                                              • _free.LIBCMT ref: 00EC3037
                                                                                                              • _free.LIBCMT ref: 00EC305F
                                                                                                              • SetLastError.KERNEL32(00000000,?,?,?), ref: 00EC306C
                                                                                                              • SetLastError.KERNEL32(00000000,?,?,?), ref: 00EC3078
                                                                                                              • _abort.LIBCMT ref: 00EC307E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$_free$_abort
                                                                                                              • String ID:
                                                                                                              • API String ID: 3160817290-0
                                                                                                              • Opcode ID: a5ca8a029b3222390c5ab06d2716867bb187104b6b9763e1cd709b472cb0d4c4
                                                                                                              • Instruction ID: 17ce6bedeef2a0130f5577530efa1abce6a075e192ce1c8ed0c4fc446ea4cec7
                                                                                                              • Opcode Fuzzy Hash: a5ca8a029b3222390c5ab06d2716867bb187104b6b9763e1cd709b472cb0d4c4
                                                                                                              • Instruction Fuzzy Hash: CEF0A937100A016BC27133356E07F7A26999FE2BB6B24615CF914B2293DE2789479151
                                                                                                              APIs
                                                                                                              • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(comboFont,EEAE26D7,?,?,?,?,00000000,00EE74BD,000000FF,?,C0000005,00000001,EEAE26D7), ref: 00E323D5
                                                                                                              • ?RemoveAll@CComboUI@DuiLib@@QAEXXZ.YCOMUIU(?,?,?,?,00000000,00EE74BD,000000FF,?,C0000005,00000001,EEAE26D7), ref: 00E32401
                                                                                                                • Part of subcall function 00DF4FD0: GetProcessHeap.KERNEL32 ref: 00DF504E
                                                                                                                • Part of subcall function 00DF4FD0: __Init_thread_footer.LIBCMT ref: 00DF5080
                                                                                                                • Part of subcall function 00DF4FD0: __Init_thread_footer.LIBCMT ref: 00DF5104
                                                                                                              • ??0CListLabelElementUI@DuiLib@@QAE@XZ.YCOMUIU(?,?,?,?,?,00000000,00EE74BD,000000FF), ref: 00E32490
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$Init_thread_footer$All@ComboControlControl@ElementFindHeapI@2@LabelListManagerPaintProcessRemove
                                                                                                              • String ID: DefSelectedFont$comboFont
                                                                                                              • API String ID: 3574563068-803840066
                                                                                                              • Opcode ID: dfe0efa55985adefb7c99e0d4127da3301511efc4f5da5015f045b40bf1ae546
                                                                                                              • Instruction ID: 72d4527386f1684145a23c620c2384860772e85935d97121ae6c12d8ffca744a
                                                                                                              • Opcode Fuzzy Hash: dfe0efa55985adefb7c99e0d4127da3301511efc4f5da5015f045b40bf1ae546
                                                                                                              • Instruction Fuzzy Hash: E5A18F70A01609DFDB00DF58C899BAABBF4FF45314F1481ADE955AB392DB70AD04CBA1
                                                                                                              APIs
                                                                                                                • Part of subcall function 00DF4FD0: GetProcessHeap.KERNEL32 ref: 00DF504E
                                                                                                                • Part of subcall function 00DF4FD0: __Init_thread_footer.LIBCMT ref: 00DF5080
                                                                                                                • Part of subcall function 00DF4FD0: __Init_thread_footer.LIBCMT ref: 00DF5104
                                                                                                                • Part of subcall function 00E5BCA0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,EEAE26D7), ref: 00E5BE26
                                                                                                              • IsWindow.USER32(?), ref: 00E44C1A
                                                                                                              • ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(769523D0,00F4E7C0,10CF0000,00000100,80000000,80000000,80000000,80000000,00000000), ref: 00E44C50
                                                                                                              • ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU(00000384,00000384,00000016), ref: 00E44C6B
                                                                                                              • ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU(00000001), ref: 00E44C89
                                                                                                              Strings
                                                                                                              • count=%d&day=0&lc=%s&partner_id=%s&product_id=%d&uid=%s&username=%s&version=%d, xrefs: 00E44B08
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Lib@@Wnd@$Init_thread_footer$ByteCenterCharCreate@D__@@HeapModal@MultiProcessShowU__@@@WideWindow@
                                                                                                              • String ID: count=%d&day=0&lc=%s&partner_id=%s&product_id=%d&uid=%s&username=%s&version=%d
                                                                                                              • API String ID: 1933569612-1434483944
                                                                                                              • Opcode ID: 1ad52c09e731fc8f5df1802580308e3dbde0b4dc3183985236eca6faae7babfd
                                                                                                              • Instruction ID: c2d39b3a9c55afe18d01fc3e5db41206cd46da8d5ea1c152e68d4c789dee034b
                                                                                                              • Opcode Fuzzy Hash: 1ad52c09e731fc8f5df1802580308e3dbde0b4dc3183985236eca6faae7babfd
                                                                                                              • Instruction Fuzzy Hash: 7391E671A00208EFDB01DFA8DC45B9EBBF5FF48315F188168FA05A72A2DB71A904DB51
                                                                                                              APIs
                                                                                                              • PathFindFileNameW.SHLWAPI(?,?,00000001,EEAE26D7,00000001,?), ref: 00E26A4E
                                                                                                              • PathFindExtensionW.SHLWAPI(?,00000000), ref: 00E26A64
                                                                                                              • CopyFileW.KERNEL32(?,?,00000000), ref: 00E26B76
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileFindPath$CopyExtensionName
                                                                                                              • String ID: %s%s$%s_%lld%s
                                                                                                              • API String ID: 4215039933-368073126
                                                                                                              • Opcode ID: 7cedc56714ec38d740415242c7cb3c1446688522e6b395893492e544740620c7
                                                                                                              • Instruction ID: b4c680e51b46740e46257303d5c60c5d5bdeb376578287ad5e0988ed97cceeff
                                                                                                              • Opcode Fuzzy Hash: 7cedc56714ec38d740415242c7cb3c1446688522e6b395893492e544740620c7
                                                                                                              • Instruction Fuzzy Hash: 0291A0719016499FDB00DBACC849B9EFBB4EF44324F188299E415E7292DB759D04CBA0
                                                                                                              APIs
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00DECC89
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throw
                                                                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$null
                                                                                                              • API String ID: 2005118841-3565069842
                                                                                                              • Opcode ID: 73bd3d898f6f408dec4b3012a5d8ec51a6d1f793e6bf77220ae39066c75936ba
                                                                                                              • Instruction ID: 0a1d33349b563fda8a74509793e46f49adfa7f23d219e668aa0918f561d2f18c
                                                                                                              • Opcode Fuzzy Hash: 73bd3d898f6f408dec4b3012a5d8ec51a6d1f793e6bf77220ae39066c75936ba
                                                                                                              • Instruction Fuzzy Hash: 2B61A775A006888FCB10EFA9C481BADB7B1FF49714F29526DE919AB391D731DD01CBA0
                                                                                                              APIs
                                                                                                              • GetErrorInfo.OLEAUT32(00000000,00000000,EEAE26D7), ref: 00DC9437
                                                                                                              • SysFreeString.OLEAUT32(00000000), ref: 00DC9552
                                                                                                              Strings
                                                                                                              • Object does not support the ISupportErrorInfo interface., xrefs: 00DC944C
                                                                                                              • Failed to get a error message from IErrorInfo, xrefs: 00DC9470
                                                                                                              • Failed to get a IErrorInfo interface., xrefs: 00DC943F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFreeInfoString
                                                                                                              • String ID: Failed to get a IErrorInfo interface.$Failed to get a error message from IErrorInfo$Object does not support the ISupportErrorInfo interface.
                                                                                                              • API String ID: 2345281976-1230158062
                                                                                                              • Opcode ID: e0776dd1b27835ed9c39412c784a928a699afc39836e3e34ff53727e91da7d2d
                                                                                                              • Instruction ID: 7d9edfd4de06e84507f8b6332d6a6dec9a32a7ce809adc64300d21cef706a9b8
                                                                                                              • Opcode Fuzzy Hash: e0776dd1b27835ed9c39412c784a928a699afc39836e3e34ff53727e91da7d2d
                                                                                                              • Instruction Fuzzy Hash: 6341BF75604206DBCB14CF68C898FBAB7B9EF89314F59466DEC169B240D731DD02CB60
                                                                                                              APIs
                                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 00DE27AE
                                                                                                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00DE2812
                                                                                                              • __Getctype.LIBCPMT ref: 00DE285B
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00DE28C6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: std::_$Exception@8GetctypeLocinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                                              • String ID: bad locale name
                                                                                                              • API String ID: 2457221526-1405518554
                                                                                                              • Opcode ID: 8005c01a3c9f4c02c2b6ed6b36db943490854c2096feedb624e264d52973049e
                                                                                                              • Instruction ID: 52c4dfc986dbbc6a6a3c0c1d17ad14130cfbbab5cb2fcb3630ee1834e3dc3c0b
                                                                                                              • Opcode Fuzzy Hash: 8005c01a3c9f4c02c2b6ed6b36db943490854c2096feedb624e264d52973049e
                                                                                                              • Instruction Fuzzy Hash: E5518BB1D01388DEDB10DFA8C9447EDBFF4AF15314F248199E458BB281D7B59A08CBA1
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              • %02X%02X%02X%02X%02X%02X, xrefs: 00DDF1B2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Netbios$_strncat
                                                                                                              • String ID: %02X%02X%02X%02X%02X%02X
                                                                                                              • API String ID: 1122498394-722279150
                                                                                                              • Opcode ID: 4eec4b7cae4b6f0e4d66e16eee6b8f54500734900fd324d5bbeeccba83048aa1
                                                                                                              • Instruction ID: c76da9d193d3bb1e0aa7fb4a529f05c106ceb7a2407f406691cf4be753b7c979
                                                                                                              • Opcode Fuzzy Hash: 4eec4b7cae4b6f0e4d66e16eee6b8f54500734900fd324d5bbeeccba83048aa1
                                                                                                              • Instruction Fuzzy Hash: 3F412A74C0839CA9DB22A7749C41BEABBF86F0A300F4801D5FA8CB7243D6745B85CB65
                                                                                                              APIs
                                                                                                              • GetTempPathA.KERNEL32(00000104,?), ref: 00E54C07
                                                                                                              • PathFileExistsA.SHLWAPI(00000000,easePaint,00000009,?), ref: 00E54C4E
                                                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00E54C6F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Path$CreateDirectoryExistsFileTemp
                                                                                                              • String ID: \ato$easePaint
                                                                                                              • API String ID: 2786188043-1919105004
                                                                                                              • Opcode ID: 704ea017d93d387603a5a36a64d8cdc0636b2411c6730ceb5ced75d4c5e0a15b
                                                                                                              • Instruction ID: 8c72d13a62bcc48b7537161b73ef368e3beb70138e0e745e3d328f419944996d
                                                                                                              • Opcode Fuzzy Hash: 704ea017d93d387603a5a36a64d8cdc0636b2411c6730ceb5ced75d4c5e0a15b
                                                                                                              • Instruction Fuzzy Hash: 13414CB190025C9BEB20DF64CC46BDDB7F8EB19708F0045D9DA49A6281D7B59B88CFD0
                                                                                                              APIs
                                                                                                              • GetPrivateProfileStringW.KERNEL32(Config,SampleRatio,00EF8660,?,00000104,?), ref: 00E5718C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PrivateProfileString
                                                                                                              • String ID: Config$SampleRatio$cd.dat$
                                                                                                              • API String ID: 1096422788-1050651428
                                                                                                              • Opcode ID: 5123247fcf9fa01ce1a28cf4695724388cbcddf77bbaefa04f71b8d01072ff47
                                                                                                              • Instruction ID: e863a62f39146061bf3494a36c7d3bb400062009543f9cff028064374521ccd4
                                                                                                              • Opcode Fuzzy Hash: 5123247fcf9fa01ce1a28cf4695724388cbcddf77bbaefa04f71b8d01072ff47
                                                                                                              • Instruction Fuzzy Hash: 1B31E471D8161CABDB20DF64DC49BE9B7B8FB04720F1042E5F819A72C1DB705A449F90
                                                                                                              APIs
                                                                                                              • WinVerifyTrust.WINTRUST(00000000,?,?), ref: 00DC71A7
                                                                                                              • GetLastError.KERNEL32(00000000,?,?), ref: 00DC71CA
                                                                                                              • WinVerifyTrust.WINTRUST(00000000,00AAC56B,00000030,00000000,?,?), ref: 00DC720C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: TrustVerify$ErrorLast
                                                                                                              • String ID: 0$lStatus: 0x%x
                                                                                                              • API String ID: 1205338628-3784148924
                                                                                                              • Opcode ID: 43192827dec3f55e9a7cdb1351be5e0b4655ab3e362edbd07b6efe75ad76cd00
                                                                                                              • Instruction ID: ca238aa70f2f6a089b989ae8ce2a5e442aa3a2f3d6156cf01aeec4ea58ed33ed
                                                                                                              • Opcode Fuzzy Hash: 43192827dec3f55e9a7cdb1351be5e0b4655ab3e362edbd07b6efe75ad76cd00
                                                                                                              • Instruction Fuzzy Hash: 493107B5D0420D9BDB20DFD9C899BDEBBF8EB44304F24001AE415BB281D7B95A48CFA1
                                                                                                              APIs
                                                                                                              • PathFileExistsW.SHLWAPI(EEAE26D7,EEAE26D7,?,00E22F1F), ref: 00E587E1
                                                                                                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,0000000A), ref: 00E58827
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExecuteExistsFilePathShell
                                                                                                              • String ID: EasePaintSetup.exe$SGFzVXBkYXRl$open
                                                                                                              • API String ID: 1078955612-319052967
                                                                                                              • Opcode ID: dfd707f894d08bea4b1fa66804c3832ab27b7b716d8645e01ef2d2e87f4d2721
                                                                                                              • Instruction ID: eb64d5f5f4a1fc7a79068025472aaccbbcbd3d314157ad9b6a4f093259ee71d2
                                                                                                              • Opcode Fuzzy Hash: dfd707f894d08bea4b1fa66804c3832ab27b7b716d8645e01ef2d2e87f4d2721
                                                                                                              • Instruction Fuzzy Hash: 68212031A40308ABCB00DBA8CC46BADBBB4FB12B21F604629F821B72D1DA719504CB51
                                                                                                              APIs
                                                                                                              • IsWindow.USER32 ref: 00E388D7
                                                                                                              • ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(00000000,00EF8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E38902
                                                                                                              • ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU ref: 00E3890A
                                                                                                              • ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU ref: 00E38912
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Lib@@Wnd@$CenterCreate@D__@@Modal@ShowU__@@@Window@
                                                                                                              • String ID: OnResetPass
                                                                                                              • API String ID: 1873043032-3814398335
                                                                                                              • Opcode ID: 13309a3d6f7dccc2881347f386114a83b702a4cd2048a9e3b523d33a3e1e17dc
                                                                                                              • Instruction ID: 1be3b536fa6bf72a94f3ee2a996c684384e94ff31c36ffe86cdfe100505308f7
                                                                                                              • Opcode Fuzzy Hash: 13309a3d6f7dccc2881347f386114a83b702a4cd2048a9e3b523d33a3e1e17dc
                                                                                                              • Instruction Fuzzy Hash: 9411BF71B40704AFD7249B659D0AB6AB7E8EB88B14F000229FA05F72D0DFB4A904D794
                                                                                                              APIs
                                                                                                              • Sleep.KERNEL32(00000000), ref: 00E3C819
                                                                                                                • Part of subcall function 00DF7970: GetModuleHandleW.KERNEL32(00000000), ref: 00DF7997
                                                                                                                • Part of subcall function 00DF7970: GetLastError.KERNEL32 ref: 00DF79BE
                                                                                                                • Part of subcall function 00DF7970: OutputDebugStringA.KERNEL32(?), ref: 00DF79E5
                                                                                                              • FindWindowW.USER32(EasePaintWndClass,00000000), ref: 00E3C83E
                                                                                                              • PostMessageW.USER32(00000000,00000406,00000000,00000000), ref: 00E3C852
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DebugErrorFindHandleLastMessageModuleOutputPostSleepStringWindow
                                                                                                              • String ID: EasePaintWndClass$[Error3]:...
                                                                                                              • API String ID: 133635261-1934457172
                                                                                                              • Opcode ID: aaeaca16d2eb389c823b6e41e0a69d8d38e79b53b431d6928f4ca9a6467d65a5
                                                                                                              • Instruction ID: 2077ebe84ae45b0de160cfcd0c0d0c72dd985eef9d5444e7e1459d7a43cb6a72
                                                                                                              • Opcode Fuzzy Hash: aaeaca16d2eb389c823b6e41e0a69d8d38e79b53b431d6928f4ca9a6467d65a5
                                                                                                              • Instruction Fuzzy Hash: 2B11E971E402099BDB10BB64DD46BABB7B8EB44711F104129F516F71C1EE74A505CB64
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(000000FF,00000000,00EDCD10,000000FF,?,00000002,?,?,00DD7D2C,000000FF,00EDCD10), ref: 00DD817F
                                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000002,00000000,00000007,00000000,00000000,?,?,00DD7D2C,000000FF,00EDCD10), ref: 00DD819F
                                                                                                              • GetLastError.KERNEL32(00000000,?,?,00DD7D2C,000000FF,00EDCD10), ref: 00DD81AD
                                                                                                              • GetLastError.KERNEL32(00000000,00000259,00000000,?,?,00DD7D2C,000000FF,00EDCD10), ref: 00DD81C0
                                                                                                              Strings
                                                                                                              • CHttpEncoderA::_AnsiCharToUtf8Char: szUtf8Char and szAnsiChar can not be NULL., xrefs: 00DD81D3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharErrorLastMultiWide
                                                                                                              • String ID: CHttpEncoderA::_AnsiCharToUtf8Char: szUtf8Char and szAnsiChar can not be NULL.
                                                                                                              • API String ID: 203985260-1887996956
                                                                                                              • Opcode ID: 223e0e03b996132692bda880bbd42d4eca9fa3077b278964befd8922a9051bdb
                                                                                                              • Instruction ID: 75a3db1b37fb40d7a32be3286dc177d531094b327aec582cc96fa9012366a904
                                                                                                              • Opcode Fuzzy Hash: 223e0e03b996132692bda880bbd42d4eca9fa3077b278964befd8922a9051bdb
                                                                                                              • Instruction Fuzzy Hash: CF011D30780309BFFB256B91CC0BF7A3628EB40B01F180515BB14A91D1DAB0A905D675
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(Advapi32.dll,00F02714,00000000,?,C000008C,00000001,00F02728,00F02714,00E1FFBD), ref: 00E20BA8
                                                                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00E20BB8
                                                                                                              • RegDeleteKeyW.ADVAPI32(00F02714,00F02714), ref: 00E20BEB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressDeleteHandleModuleProc
                                                                                                              • String ID: Advapi32.dll$RegDeleteKeyTransactedW
                                                                                                              • API String ID: 588496660-2168864297
                                                                                                              • Opcode ID: 8e16f69bbe935b4ebb458e3311bd4fa5fd7b9ba53694be9bb584dd1ad65bc032
                                                                                                              • Instruction ID: be546260f05e26e7e4c7884b089ffbbeba995f1fc7fea1f62cc2b66ccd21e11c
                                                                                                              • Opcode Fuzzy Hash: 8e16f69bbe935b4ebb458e3311bd4fa5fd7b9ba53694be9bb584dd1ad65bc032
                                                                                                              • Instruction Fuzzy Hash: 97F06232240224ABDB301E99FC04FAAF768DB90B69F14402BF604B54E1C776D891E665
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0d1eb7c07ed0bec4950cda0a431a9dca7909b8d2647babf3029d33b4ca455416
                                                                                                              • Instruction ID: 4ddf06eb41be1f08fd7affd9464b90750f8f95f7f3e3838af34c3a9e75a4822d
                                                                                                              • Opcode Fuzzy Hash: 0d1eb7c07ed0bec4950cda0a431a9dca7909b8d2647babf3029d33b4ca455416
                                                                                                              • Instruction Fuzzy Hash: A671AF359002169BCF258B94C984ABEBBB5FF61324F14626FEA21B7390D7708D42D7A1
                                                                                                              APIs
                                                                                                                • Part of subcall function 00EC264B: HeapAlloc.KERNEL32(00000000,?,00000004,?,00EC81BD,?,00000000,?,00EB2521,?,00000004,?,?,?,?,00EBCA2A), ref: 00EC267D
                                                                                                              • _free.LIBCMT ref: 00EBEC8F
                                                                                                              • _free.LIBCMT ref: 00EBECA6
                                                                                                              • _free.LIBCMT ref: 00EBECC5
                                                                                                              • _free.LIBCMT ref: 00EBECE0
                                                                                                              • _free.LIBCMT ref: 00EBECF7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$AllocHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 1835388192-0
                                                                                                              • Opcode ID: 437694eab94d5b37600ccb4b4d11d3b38825190cf5a5886168ba1c307b87f0d0
                                                                                                              • Instruction ID: 40351184f7e08330080b3e2046c77fda7834448492501705ef104b1c77aa807c
                                                                                                              • Opcode Fuzzy Hash: 437694eab94d5b37600ccb4b4d11d3b38825190cf5a5886168ba1c307b87f0d0
                                                                                                              • Instruction Fuzzy Hash: B851B231A00204AFDB21DF29C942BEBBBF5EF59724B1415ADE809E7351E731ED419B80
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,?,00000000,?,00000000,00000000), ref: 00DCF185
                                                                                                              • GetLastError.KERNEL32(00000000,CHttpEncoderW::AnsiDecode: szBuff can not be NULL.,00000000,CHttpEncoderW::AnsiDecode: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.,00000000,EEAE26D7), ref: 00DCF1C4
                                                                                                              Strings
                                                                                                              • CHttpEncoderA::AnsiDecode: szBuff can not be NULL., xrefs: 00DCF0D7
                                                                                                              • CHttpEncoderW::AnsiDecode: szBuff can not be NULL., xrefs: 00DCF1B8
                                                                                                              • CHttpEncoderW::AnsiDecode: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter., xrefs: 00DCF1AC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharErrorLastMultiWide
                                                                                                              • String ID: CHttpEncoderA::AnsiDecode: szBuff can not be NULL.$CHttpEncoderW::AnsiDecode: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.$CHttpEncoderW::AnsiDecode: szBuff can not be NULL.
                                                                                                              • API String ID: 203985260-1921645064
                                                                                                              • Opcode ID: fe3c32c1eb2f46795fb6b2eebd1f44f2b51cecca3a2304868440849b6589ebf8
                                                                                                              • Instruction ID: fc3fe2cb78861c1e845b40c36af946975b3394cdcdd0621711feac475118de19
                                                                                                              • Opcode Fuzzy Hash: fe3c32c1eb2f46795fb6b2eebd1f44f2b51cecca3a2304868440849b6589ebf8
                                                                                                              • Instruction Fuzzy Hash: FA51F63160434AABDB24DF58DC41FEABBA9EB45B20F18466EF818976C1D771A900C7B1
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free
                                                                                                              • String ID:
                                                                                                              • API String ID: 269201875-0
                                                                                                              • Opcode ID: 25deadf00ca3d18877dddfa4f034c021b7323edc9c90b6d432051c087d16d18a
                                                                                                              • Instruction ID: cab668957d669c4776fa483c8ec2e3e8afd7227e2a8a0ce1ab95f04dfd9cba66
                                                                                                              • Opcode Fuzzy Hash: 25deadf00ca3d18877dddfa4f034c021b7323edc9c90b6d432051c087d16d18a
                                                                                                              • Instruction Fuzzy Hash: 7741D532A002089FDB14DF78C881A9EB7E5EF89714B2555A9E956FB391DB31ED01CB80
                                                                                                              APIs
                                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 00DED2F1
                                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 00DED30F
                                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00DED337
                                                                                                              • std::_Facet_Register.LIBCPMT ref: 00DED423
                                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00DED44D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
• String ID:
• API String ID: 459529453-0
• Opcode ID: 440afc0196a17241da5583c2d928b9e1036a8c8c4acf2be1092b597f6263ccba
• Instruction ID: e6dc087574a23c2d9ea8a213a2e1a68a06ca6744c30249f7d9ced23094b41b20
• Opcode Fuzzy Hash: 440afc0196a17241da5583c2d928b9e1036a8c8c4acf2be1092b597f6263ccba
• Instruction Fuzzy Hash: 0351CC71900298DBDB11DF59D8807AEBBF1FF20354F284169D855AB381DB74AE00CBA1
APIs
• GdipGetImageGraphicsContext.GDIPLUS(?,?), ref: 00E08C30
• GdipGraphicsClear.GDIPLUS(00000000,FFEDEDEF,?,?), ref: 00E08C4D
• GdipGetImageWidth.GDIPLUS(?,00000000,00000000,FFEDEDEF,?,?), ref: 00E08C6B
• GdipGetImageHeight.GDIPLUS(?,00000000,?,00000000,00000000,FFEDEDEF,?,?), ref: 00E08CB2
• GdipDeleteGraphics.GDIPLUS(00000000,?,00000000,?,00000000,00000000,FFEDEDEF,?,?), ref: 00E08D2E
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Gdip$GraphicsImage$ClearContextDeleteHeightWidth
• String ID:
• API String ID: 450755709-0
• Opcode ID: ff094bf052f4ef9a81737625ee4cf69d049687d87a7c6323ede4a5fe3c6fa3ab
• Instruction ID: e07ecee884ddffb516651c855c6fa8bbf8baea250be5ed2cb7bd255ec91526a7
• Opcode Fuzzy Hash: ff094bf052f4ef9a81737625ee4cf69d049687d87a7c6323ede4a5fe3c6fa3ab
• Instruction Fuzzy Hash: E3418D70A106199FDB12DB74C945B6EF7F8FF59350F10872AE819B3291EB30A881CB90
APIs
• ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(00000409,00000000,00000001), ref: 00E2C6B9
• SendMessageW.USER32(00000000), ref: 00E2C6C0
• MessageBeep.USER32(00000040), ref: 00E2C722
• ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(00000409,00000000,00000001), ref: 00E2C746
• SendMessageW.USER32(00000000), ref: 00E2C74D
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Message$D__@@Lib@@SendWindowWnd@$Beep
• String ID:
• API String ID: 1648407695-0
• Opcode ID: ba823d93b1ba0e6d9aca0262db16cacee6d1097937f443f92a8b5f998d4563b9
• Instruction ID: bbd3ef6f1ccc531a423e7a8e139951f9e816fe37918de4ad1f3949b207ad5e15
• Opcode Fuzzy Hash: ba823d93b1ba0e6d9aca0262db16cacee6d1097937f443f92a8b5f998d4563b9
• Instruction Fuzzy Hash: 7731F931A41310AFDB308F78D985B6EB7E4AF44B08F24655AEE85BB581C771F844CBA1
APIs
• SetViewportOrgEx.GDI32(?,00000000,00000000,00000000), ref: 00E0A230
• SetViewportOrgEx.GDI32(?,?,00000000,?), ref: 00E0A21D
  • Part of subcall function 00E07AD0: ??0CDuiRect@DuiLib@@QAE@HHHH@Z.YCOMUIU(00000000,00000000,?,?,EEAE26D7), ref: 00E07B27
  • Part of subcall function 00E07AD0: ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU ref: 00E07B36
  • Part of subcall function 00E07AD0: ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU ref: 00E07B3B
  • Part of subcall function 00E07AD0: GetClientRect.USER32(00000000,?), ref: 00E07B44
  • Part of subcall function 00E07AD0: GetWindowRect.USER32(00000000,?), ref: 00E07B51
  • Part of subcall function 00E07AD0: GdipGetImageHeight.GDIPLUS(?,?), ref: 00E07B71
  • Part of subcall function 00E07AD0: GdipGetImageWidth.GDIPLUS(?,?,?,?), ref: 00E07B9D
  • Part of subcall function 00E07AD0: GdipCloneBitmapAreaI.GDIPLUS(00000000,00000000,00000000,00000000,0026200A,?,?,?,?,?,?), ref: 00E07BD3
• BeginPaint.USER32(?,?,EEAE26D7), ref: 00E0A24D
• SetViewportOrgEx.GDI32(00000000,00000000,00000002,00000000), ref: 00E0A26D
• EndPaint.USER32(?,?), ref: 00E0A29B
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: GdipLib@@Rect@Viewport$ImagePaintRect$AreaBeginBitmapClientCloneHeightWidthWindow
• String ID:
• API String ID: 3911760940-0
• Opcode ID: d3c5af161676c3fc2fc1e960e87be5a90d729220f1e2abda2241dbbbe31608a1
• Instruction ID: cfdeae4b2423ba7dca01bbe30262f6f17d762b0585297ed9f7016c168ca833cf
• Opcode Fuzzy Hash: d3c5af161676c3fc2fc1e960e87be5a90d729220f1e2abda2241dbbbe31608a1
• Instruction Fuzzy Hash: FC313BB1A04248EFDB11DFE9CC49BAEBBF9FB48714F104129E416AB290DB756E04CB50
APIs
• IsWindow.USER32 ref: 00E445F5
• ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(769523D0,00EF8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E4461F
• ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU ref: 00E44627
• ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU ref: 00E4462F
• PostMessageW.USER32(769523D0,00000403,00000000,00000000), ref: 00E44652
  • Part of subcall function 00E44670: IsWindow.USER32(00000001), ref: 00E4470A
  • Part of subcall function 00E44670: ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(00000001,00EF8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E44734
  • Part of subcall function 00E44670: ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU(?,?,?,?,?,?,?,?,?,00F4E7C0,00EEABB4,000000FF,?,00E389C9,00000001,00000001), ref: 00E4473C
  • Part of subcall function 00E44670: ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU(?,?,?,?,?,?,?,?,?,00F4E7C0,00EEABB4,000000FF,?,00E389C9,00000001,00000001), ref: 00E44744
  • Part of subcall function 00E44670: PostMessageW.USER32(00000001,00000404,00000000,00000000), ref: 00E4476A
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Window$Lib@@Wnd@$CenterCreate@D__@@MessageModal@PostShowU__@@@Window@
• String ID:
• API String ID: 3637571515-0
• Opcode ID: 6bf31f3138b8d7c9d449f1afe3f626fb13939bbeb24ee5c169df5be6612a19c8
• Instruction ID: 9d509b7c06209dc0f7622df23e6846c932337ed8b5feb6224c698768226302a9
• Opcode Fuzzy Hash: 6bf31f3138b8d7c9d449f1afe3f626fb13939bbeb24ee5c169df5be6612a19c8
• Instruction Fuzzy Hash: FE210772784344AFDB209FA5BC05BB9B7F4EB4AB11F01016AFA55A73C0DB755904CB44
APIs
• GlobalAlloc.KERNEL32(00000042,?,EEAE26D7), ref: 00DE05F4
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00DE0610
• GdipAlloc.GDIPLUS(00000010), ref: 00DE0638
• GdipCreateBitmapFromStream.GDIPLUS(00000000,?,00000010), ref: 00DE0669
• GdipCreateHBITMAPFromBitmap.GDIPLUS(?,00000000,000000FF,00000010), ref: 00DE0693
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: CreateGdip$AllocBitmapFromGlobalStream
• String ID:
• API String ID: 2713546604-0
• Opcode ID: 0b8fbc11be598be22bbe9b72c6c2393adee5fde7b6e5ff9bd5bb4c52c3c3a9fc
• Instruction ID: 5b1e5dd3de90d7ce5c671e8361f0b56c0bc48d45071c3a9c8f2aedad9b337559
• Opcode Fuzzy Hash: 0b8fbc11be598be22bbe9b72c6c2393adee5fde7b6e5ff9bd5bb4c52c3c3a9fc
• Instruction Fuzzy Hash: 9D318F71A00219EFDB20EF95C945BAEBBF8FF48710F10455DE959E7290D7B09940CBA0
APIs
• ??0CWaitCursor@DuiLib@@QAE@PAUHWND__@@@Z.YCOMUIU(00000000,EEAE26D7), ref: 00E32CED
• ShowWindow.USER32(?,00000000), ref: 00E32D70
• ShowWindow.USER32(?,00000000), ref: 00E32DAD
  • Part of subcall function 00E5E3B0: ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(00000096,?,00E2ABE1), ref: 00E5E3BA
  • Part of subcall function 00E5E3B0: KillTimer.USER32(00000000,?,00E2ABE1), ref: 00E5E3C1
  • Part of subcall function 00E5E3B0: ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(wndMedia,00000000,?,00E2ABE1), ref: 00E5E3D0
  • Part of subcall function 00E5E3B0: WaitForSingleObject.KERNEL32(?,000249F0,?,00E2ABE1), ref: 00E5E3F7
  • Part of subcall function 00E5E3B0: CloseHandle.KERNEL32(?,?,00E2ABE1), ref: 00E5E405
• ??1CWaitCursor@DuiLib@@QAE@XZ.YCOMUIU ref: 00E32DF3
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@Window$ShowWait$Cursor@$Base@CloseD__@@D__@@@HandleImplKillObjectSingleTimerWindow@Wnd@
                                                                                                              • String ID:
                                                                                                              • API String ID: 2968429970-0
                                                                                                              • Opcode ID: c3f07dbaac39436df90fd858d83f556837e3bf34ec4818b9237bf51cb1746062
                                                                                                              • Instruction ID: 973733f341a7a8c90a5c963a3940fc2dc5cdd286babda6f496daa0376dac544f
                                                                                                              • Opcode Fuzzy Hash: c3f07dbaac39436df90fd858d83f556837e3bf34ec4818b9237bf51cb1746062
                                                                                                              • Instruction Fuzzy Hash: C3318B306046049FD728EB20DD99FFABBA4FB11304FA05A2DE2DBB2690DF317944CA41
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,?,?), ref: 00DCF000
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?,?,?,?,00000000), ref: 00DCF029
• GetLastError.KERNEL32(00000000), ref: 00DCF03C
  • Part of subcall function 00DD6430: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD6477
  • Part of subcall function 00DD6400: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD6427
• GetLastError.KERNEL32(00000000,?,00000066,00000259,00000000), ref: 00DCF05F
Strings
• CHttpToolW::Ansi2Unicode: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter., xrefs: 00DCEFDC
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: ByteCharErrorException@8LastMultiThrowWide
• String ID: CHttpToolW::Ansi2Unicode: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.
• API String ID: 2956008001-1264610672
APIs
• GdipGraphicsClear.GDIPLUS(?,05000000,FFFFFFFF,?,?,?,?,?,?,?,?,?,?,?,00E0D60C,?), ref: 00E120D9
• GetDC.USER32(?), ref: 00E120F5
• GetWindowRect.USER32(?,?), ref: 00E12112
• UpdateLayeredWindow.USER32(?,00000000,?,?,?,?,00000000,01FF0000,00000002), ref: 00E1215A
• ReleaseDC.USER32(?,00000000), ref: 00E12164
Similarity
• API ID: Window$ClearGdipGraphicsLayeredRectReleaseUpdate
• String ID:
• API String ID: 3259010597-0
APIs
• CreateWindowExW.USER32(00080020,00000000,80880000,80000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 00E005BD
• GetWindowLongW.USER32(?,000000F0), ref: 00E005CB
• GetWindowLongW.USER32(?,000000FC), ref: 00E00609
• SetWindowLongW.USER32(?,000000FC,00E01090), ref: 00E0061C
Similarity
• API ID: Window$Long$Create
• String ID:
• API String ID: 1733017098-0
APIs
• GetLastError.KERNEL32(?,?,?,00EB1828,00EC81DB,?,00EB2521,?,00000004,?,?,?,?,00EBCA2A,?,?), ref: 00EC3089
• _free.LIBCMT ref: 00EC30BE
• _free.LIBCMT ref: 00EC30E5
• SetLastError.KERNEL32(00000000,?,?,?,?,?,00E04118,?,00E04118), ref: 00EC30F2
• SetLastError.KERNEL32(00000000,?,?,?,?,?,00E04118,?,00E04118), ref: 00EC30FB
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
APIs
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DC709C
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DC70AD
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DC70BE
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DC70CF
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DC70E0
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DC70F1
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
APIs
• IsDBCSLeadByteEx.KERNEL32(?,00000000,?,?,?,?,?,?,?,00DCC611,?,?), ref: 00DCEAF4
• IsDBCSLeadByteEx.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00DCC611,?,?), ref: 00DCEB85
• IsDBCSLeadByteEx.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00DCC611,?,?), ref: 00DCEC32
Strings
• CHttpUrlAnalyzerT::Analyze: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter., xrefs: 00DCECE9
Similarity
• API ID: ByteLead
• String ID: CHttpUrlAnalyzerT::Analyze: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.
• API String ID: 535570690-238203081
APIs
  • Part of subcall function 00DED2C0: std::_Lockit::_Lockit.LIBCPMT ref: 00DED2F1
  • Part of subcall function 00DED2C0: std::_Lockit::_Lockit.LIBCPMT ref: 00DED30F
  • Part of subcall function 00DED2C0: std::_Lockit::~_Lockit.LIBCPMT ref: 00DED337
  • Part of subcall function 00DED2C0: std::_Lockit::~_Lockit.LIBCPMT ref: 00DED44D
• __CxxThrowException@8.LIBVCRUNTIME ref: 00DEE373
Strings
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$Exception@8Throw
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2777619170-1866435925
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00DECECF
Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throw
                                                                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                              • API String ID: 2005118841-1866435925
                                                                                                              • Opcode ID: 0fa595bc04dccf25d20a4f4472847fd11b1626e601d98935dced8a9648a87a07
                                                                                                              • Instruction ID: 7ca7108c02d39c59a4bc77b9ee8dfffb46eec250b5df546aeaf4348c0061e34b
                                                                                                              • Opcode Fuzzy Hash: 0fa595bc04dccf25d20a4f4472847fd11b1626e601d98935dced8a9648a87a07
                                                                                                              • Instruction Fuzzy Hash: 4071C475A106848FCB14EF59C840BA9BBB1FF49714F285269EC19AB391D731ED42CBA0
                                                                                                              APIs
                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,?,00000002,00DD9BAF,00000007,00000000,00000000,?,00000000,?,?,?,00DD9BAF,00000000,?), ref: 00DDD13A
                                                                                                              • GetLastError.KERNEL32(00000000,CHttpEncoderW::UrlEncodeA: szBuff can not be NULL.,00000000,00000000,?,?,?,00DD9BAF,00000000,?,00000001,?,00EFD0D8,00000000), ref: 00DDD1A3
                                                                                                              Strings
                                                                                                              • CHttpEncoderW::UrlEncodeA: szBuff can not be NULL., xrefs: 00DDD197
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharErrorLastMultiWide
                                                                                                              • String ID: CHttpEncoderW::UrlEncodeA: szBuff can not be NULL.
                                                                                                              • API String ID: 203985260-88503844
                                                                                                              • Opcode ID: a2f2fb700fc188dd2ac8413d16a652aec2918b9701c4575351e299d9c227417b
                                                                                                              • Instruction ID: e811dd9bddcfcf9b22ecc8e87f264d7c044388825bf9126d4b347b501b7bc8a1
                                                                                                              • Opcode Fuzzy Hash: a2f2fb700fc188dd2ac8413d16a652aec2918b9701c4575351e299d9c227417b
                                                                                                              • Instruction Fuzzy Hash: 0651A271A00209ABDB10EF98DC02BBEB7B6EF44710F24412AF905A7391DB71AE01C7B1
                                                                                                              APIs
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00DED262
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throw
                                                                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                              • API String ID: 2005118841-1866435925
                                                                                                              • Opcode ID: db9d3e51e5cea0b8a0d5588c1569ede8beab89f5136042e0bf1d3b2cf4e898f5
                                                                                                              • Instruction ID: 5ebda6b073cd360ed188791d800b2a4904272ddac21437001e69b7604c5ea61b
                                                                                                              • Opcode Fuzzy Hash: db9d3e51e5cea0b8a0d5588c1569ede8beab89f5136042e0bf1d3b2cf4e898f5
                                                                                                              • Instruction Fuzzy Hash: AD51B175E00284CFDB10EF55C981BA9BBB2FF49318F294199E915AB392CB31DD41CBA1
                                                                                                              APIs
                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,?,00000002,?,00000007,00000000,00000000,?,?,?), ref: 00DDCE6A
                                                                                                              • GetLastError.KERNEL32(00000000,CHttpEncoderW::UrlEncodeW: szBuff can not be NULL.,00000000,?,?), ref: 00DDCED9
                                                                                                              Strings
                                                                                                              • CHttpEncoderW::UrlEncodeW: szBuff can not be NULL., xrefs: 00DDCECD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharErrorLastMultiWide
                                                                                                              • String ID: CHttpEncoderW::UrlEncodeW: szBuff can not be NULL.
                                                                                                              • API String ID: 203985260-2429219053
                                                                                                              • Opcode ID: 6a8d524734fe51bee34453e1a30c11dfecb3484c0467e0343d030348311b0c57
                                                                                                              • Instruction ID: f339605dba2894fc6d901ad1bec2188b633f2a52d6f52a233cdb4b097865970c
                                                                                                              • Opcode Fuzzy Hash: 6a8d524734fe51bee34453e1a30c11dfecb3484c0467e0343d030348311b0c57
                                                                                                              • Instruction Fuzzy Hash: 9651A575A00209ABDB14EF94DC02BBEB7B5EF44710F14412AF915A72D1EB71AE01C7B1
                                                                                                              APIs
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00DE2E00
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throw
                                                                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                              • API String ID: 2005118841-1866435925
                                                                                                              • Opcode ID: 9b7989a9d9dbfd2cb995ca563d4848c0b9038f2abef85aa545cef1f86750bb51
                                                                                                              • Instruction ID: e9f05e591fd55b2bf45508df1346d08d82e2f078ee4ee5dac052722a466fdc28
                                                                                                              • Opcode Fuzzy Hash: 9b7989a9d9dbfd2cb995ca563d4848c0b9038f2abef85aa545cef1f86750bb51
                                                                                                              • Instruction Fuzzy Hash: AD51B071A002489FDB14EF65C885BA9B7E4FF04324F64816DE5169B392DB36EE01CBA0
                                                                                                              APIs
                                                                                                              • ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU ref: 00E0C61C
                                                                                                              • ??0CDuiPoint@DuiLib@@QAE@XZ.YCOMUIU ref: 00E0C665
                                                                                                              • ??0CDuiPoint@DuiLib@@QAE@XZ.YCOMUIU ref: 00E0C66D
                                                                                                                • Part of subcall function 00E0F710: GlobalUnlock.KERNEL32(?), ref: 00E0F753
                                                                                                                • Part of subcall function 00E0F710: GlobalFree.KERNEL32(?), ref: 00E0F75C
                                                                                                                • Part of subcall function 00E0F710: FindResourceW.KERNEL32(00000000,?,00000000,EEAE26D7,?,?,?,?,00EE3DD3,000000FF,?,00E0C7C1,000000D9,PNG), ref: 00E0F773
                                                                                                                • Part of subcall function 00E0F710: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,00EE3DD3,000000FF,?,00E0C7C1,000000D9,PNG), ref: 00E0F785
                                                                                                                • Part of subcall function 00E0F710: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,00EE3DD3,000000FF,?,00E0C7C1,000000D9,PNG), ref: 00E0F798
                                                                                                                • Part of subcall function 00E0F710: LockResource.KERNEL32(00000000,?,?,?,?,00EE3DD3,000000FF,?,00E0C7C1,000000D9,PNG), ref: 00E0F79F
                                                                                                                • Part of subcall function 00E0F710: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00EE3DD3,000000FF,?,00E0C7C1,000000D9,PNG), ref: 00E0F7B5
                                                                                                                • Part of subcall function 00E0F710: GlobalLock.KERNEL32(00000000), ref: 00E0F7C7
                                                                                                                • Part of subcall function 00E0F710: CreateStreamOnHGlobal.OLE32(?,00000000,00000000), ref: 00E0F7F0
                                                                                                                • Part of subcall function 00E0F710: GdipAlloc.GDIPLUS(00000010), ref: 00E0F803
                                                                                                                • Part of subcall function 00E0F710: GdipCreateBitmapFromStream.GDIPLUS(00000000,?,00000010), ref: 00E0F834
                                                                                                                • Part of subcall function 00E0F710: GlobalUnlock.KERNEL32(?), ref: 00E0F89F
                                                                                                                • Part of subcall function 00E0F710: GlobalFree.KERNEL32(?), ref: 00E0F8A8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Global$Resource$Lib@@$AllocCreateFreeGdipLockPoint@StreamUnlock$BitmapFindFromLoadRect@Sizeof
                                                                                                              • String ID: PNG
                                                                                                              • API String ID: 2582079666-364855578
                                                                                                              • Opcode ID: 3abe7aee61b17a9b75b6553a2791c86678d1e28e8469027157b5a8208039aeaf
                                                                                                              • Instruction ID: 4861e76316a69264fe7ad26f7a23650bd14c87f7384ecee6c68aee71cf45945c
                                                                                                              • Opcode Fuzzy Hash: 3abe7aee61b17a9b75b6553a2791c86678d1e28e8469027157b5a8208039aeaf
                                                                                                              • Instruction Fuzzy Hash: 9C8104B060274AEFE704CF64C55879ABFF0BB04308F108549D4186B6D2C3BAA568EFD1
                                                                                                              APIs
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00DE0B25
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throw
                                                                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                              • API String ID: 2005118841-1866435925
                                                                                                              • Opcode ID: 54089d36217c8d0fe1a3fa5024d1b561749abb7d11f2fb04923068b4e5fd9e02
                                                                                                              • Instruction ID: 8dd4995772897e684a14b6df39e8bfecad40872cb2059ee773bb5c3808f5471c
                                                                                                              • Opcode Fuzzy Hash: 54089d36217c8d0fe1a3fa5024d1b561749abb7d11f2fb04923068b4e5fd9e02
                                                                                                              • Instruction Fuzzy Hash: 4B517171A01249DFCB10EF69C895AADBBB4FF14314F148269E855AB392C771DD40CBA0
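The function records in this section are regular enough to be parsed mechanically instead of read one by one. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it splits the report text on the "APIs" header that opens each record, extracts every API call with its module, raw argument list, xref address and (for "Part of subcall function" lines) the subroutine it came from, keeps the Strings xrefs and the Similarity values, and strips the "Download File" link label that the export fuses onto the Associated dump names. The constructed sample is copied from the CHttpEncoderW::UrlEncodeA record above and the start of the WritePrivateProfileStringW record that follows; the dict key names are my own choice, not fields of the report.

```python
"""Parse the per-function records of a Joe Sandbox disassembly report (blocks headed
APIs / Strings / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity) into dicts so
API sets, xrefs and similarity hashes can be filtered on.  Added triage helper, not
Joe Sandbox code; dict keys other than the report's own field names are my choice."""
import re
from typing import Dict, List, Optional

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
REF_RE = re.compile(r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]{8}):\s*")
OFFSET_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-Fa-f]{8})")

# Constructed sample: the CHttpEncoderW::UrlEncodeA record from the report (most
# Associated: lines and the Opcode/Instruction ID lines dropped) followed by the
# start of the WritePrivateProfileStringW record, left deliberately incomplete.
SAMPLE = """\
APIs
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000002,00DD9BAF,00000007,00000000,00000000,?,00000000,?,?,?,00DD9BAF,00000000,?), ref: 00DDD13A
• GetLastError.KERNEL32(00000000,CHttpEncoderW::UrlEncodeA: szBuff can not be NULL.,00000000,00000000,?,?,?,00DD9BAF,00000000,?,00000001,?,00EFD0D8,00000000), ref: 00DDD1A3
Strings
• CHttpEncoderW::UrlEncodeA: szBuff can not be NULL., xrefs: 00DDD197
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: ByteCharErrorLastMultiWide
• String ID: CHttpEncoderW::UrlEncodeA: szBuff can not be NULL.
• API String ID: 203985260-88503844
• Instruction Fuzzy Hash: 0651A271A00209ABDB10EF98DC02BBEB7B6EF44710F24412AF905A7391DB71AE01C7B1
APIs
• WritePrivateProfileStringW.KERNEL32(LANG,LCID,?,?), ref: 00E46A6F
  • Part of subcall function 00DF4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF4167
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
"""


def parse_api_line(text: str) -> Optional[Dict]:
    """'Name.MODULE(args), ref: ADDR' or 'Name.MODULE ref: ADDR', optionally prefixed
    with 'Part of subcall function XXXXXXXX:'.  Args stay raw: string arguments (see
    the GetLastError line) may themselves contain commas."""
    sub = SUBCALL_RE.match(text)
    if sub:
        text = text[sub.end():]
    ref = REF_RE.search(text)
    if not ref:
        return None
    callee, args = text[:ref.start()], None
    if callee.endswith(")") and "(" in callee:
        callee, args = callee.split("(", 1)   # the callee name never contains '('
        args = args[:-1]
    if "." not in callee:
        return None
    name, module = callee.rsplit(".", 1)
    return {"name": name, "module": module, "ref": ref.group("ref"),
            "args": args, "subcall": sub.group("fn") if sub else None}


def parse_records(report_text: str) -> List[Dict]:
    """Every function record opens with an 'APIs' header; split on it."""
    records: List[Dict] = []
    section = None
    for line in (l.strip() for l in report_text.splitlines()):
        if line in SECTION_HEADERS:
            if line == "APIs":
                records.append({"apis": [], "strings": [], "source": {}, "similarity": {}})
            section = line
        elif records and line.startswith("•"):   # ignore blanks and text before the first record
            rec, body = records[-1], line.lstrip("•").strip()
            key, sep, value = body.partition(": ")
            if section == "APIs":
                api = parse_api_line(body)
                if api:
                    rec["apis"].append(api)
            elif section == "Strings":
                text, xsep, xref = body.rpartition(", xrefs: ")
                rec["strings"].append({"text": text if xsep else body, "xref": xref if xsep else None})
            elif key == "Source File":
                m = OFFSET_RE.search(value)
                rec["source"].update(file=value.split(",", 1)[0], offset=m.group("off") if m else None)
            elif key == "Associated":   # drop the "Download File" link label fused onto the dump name
                rec["source"].setdefault("associated", []).append(value.removesuffix("Download File"))
            elif section == "Joe Sandbox IDA Plugin":
                rec["source"][key] = value
            elif section == "Similarity":
                rec["similarity"][key] = value
    return records


def api_names(record: Dict, include_subcalls: bool = True) -> List[str]:
    return [a["name"] for a in record["apis"] if include_subcalls or a["subcall"] is None]


def records_calling(records: List[Dict], needed: set) -> List[Dict]:
    """Records whose direct and subcall API set covers every name in `needed`."""
    return [r for r in records if needed.issubset(api_names(r))]


def similarity_key(record: Dict) -> str:
    """The Instruction Fuzzy Hash, the per-function value to compare across reports."""
    return record["similarity"].get("Instruction Fuzzy Hash", "")
```

Run it over the exported text of a whole report rather than the sample: `records_calling(recs, {"FindResourceW", "LoadResource", "CreateStreamOnHGlobal", "GdipCreateBitmapFromStream"})` then returns the DuiLib PNG loader record above, and grouping records by `similarity_key` lets you check whether the same function bodies show up in the report of another sample. The parser deliberately keeps arguments as one raw string, because splitting on commas would break any string argument that contains one.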
APIs
• WritePrivateProfileStringW.KERNEL32(LANG,LCID,?,?), ref: 00E46A6F
  • Part of subcall function 00DF4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF4167
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Exception@8PrivateProfileStringThrowWrite
• String ID: LANG$LCID$oem.ini
• API String ID: 389455049-2603398421
• Opcode ID: 19cd722212205af0699e669ad3eaa04bfd1d190dbdc53f0f7ff1be90d7aac9d2
• Instruction ID: 389fb641729c1a566ea1ffe6024b32ad24c970b909dcee5825cbd153bd049808
• Opcode Fuzzy Hash: 19cd722212205af0699e669ad3eaa04bfd1d190dbdc53f0f7ff1be90d7aac9d2
• Instruction Fuzzy Hash: AD41E432901A09EFDB10DF58DC05BAEBBB8EF45724F158259F924A7291DB709D00CBA1
APIs
• ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(FFFFFFFF,00EF8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E3A733
• ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU ref: 00E3A73B
• ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU ref: 00E3A743
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Lib@@WindowWnd@$CenterCreate@D__@@Modal@ShowU__@@@Window@
• String ID: ErrVideoFile
• API String ID: 4232685419-2017487813
• Opcode ID: 1e80f24b07d272d00bfeda9ef111023f4f0bd5f1139116003f6f7fffe748bede
• Instruction ID: 737d9d10029b7b3670926a8c6a4afacebbcf82fc13c5f2f8d2d704a6dac6ffac
• Opcode Fuzzy Hash: 1e80f24b07d272d00bfeda9ef111023f4f0bd5f1139116003f6f7fffe748bede
• Instruction Fuzzy Hash: C841C371A006099FDB14DF68C805BAEFBF5FF84324F14426AE425B72E0DB71A940CB91
APIs
• WaitForSingleObject.KERNEL32(00000000,000000FF,EEAE26D7), ref: 00E2A5BC
  • Part of subcall function 00DF4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF4167
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Exception@8ObjectSingleThrowWait
• String ID: %s//%s//$*.*$data2
• API String ID: 11775685-3752667982
• Opcode ID: 370d6906a04842752af5220731376bb9b762d1bfd21136b921ceb2a60c6a7df1
• Instruction ID: d1412bd46bd0350194fca7f3fe601a68a8e150e1bc852727cdd3ce1e57d21f4d
• Opcode Fuzzy Hash: 370d6906a04842752af5220731376bb9b762d1bfd21136b921ceb2a60c6a7df1
• Instruction Fuzzy Hash: B141D071A00A199FC720DF69C844B5AF7F4FF40324F188628E565A7691DB31E800CF91
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00DE47AE
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Exception@8Throw
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2005118841-1866435925
• Opcode ID: 6d8b57a9daba9fd087b214adc0a0ed76e658e60d67eac5b40089b10789f0b148
• Instruction ID: 5eab6ef1af0a4314ebcbf7a19c457bb93c55290c334a463ac7503109a749935b
• Opcode Fuzzy Hash: 6d8b57a9daba9fd087b214adc0a0ed76e658e60d67eac5b40089b10789f0b148
• Instruction Fuzzy Hash: 9B419E396006448FCB24EF69C585F69B7E4FF09718F58856CE8169B792CB35ED00CB90
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00DCE670
Strings
• CHttpClientT::AddParam: It is not allowed to call this method if the POST context is active., xrefs: 00DCE6C7
• CHttpToolW::AddHeader: szName can not be NULL., xrefs: 00DCE634
• CHttpToolW::AddHeader: hRequest can not be NULL., xrefs: 00DCE626
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Exception@8Throw
• String ID: CHttpClientT::AddParam: It is not allowed to call this method if the POST context is active.$CHttpToolW::AddHeader: hRequest can not be NULL.$CHttpToolW::AddHeader: szName can not be NULL.
• API String ID: 2005118841-4239911162
• Opcode ID: d32bd12578889d243f0115101f0282c59383a1a45cf13920afb1ab283202b586
• Instruction ID: 0620810a759e920b6fae5473d0c2140b46a51f546aa716fff6b40129d0ad0e66
• Opcode Fuzzy Hash: d32bd12578889d243f0115101f0282c59383a1a45cf13920afb1ab283202b586
• Instruction Fuzzy Hash: 4C2124F1A4420A5BEF20EFA4CD46F6F77A89B10B04F280429F514BB2D1D7B5E94486F5
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Getcvt
• String ID: false$true
• API String ID: 1921796781-2658103896
• Opcode ID: b07c005f4edbfba191e98051db2d386b3d0afd97ea8d2feab77085ac58e10942
• Instruction ID: 78a7ddd53aa0b993d354c6b680a749ee283c43380c801878bd53985ec43bfc2f
• Opcode Fuzzy Hash: b07c005f4edbfba191e98051db2d386b3d0afd97ea8d2feab77085ac58e10942
• Instruction Fuzzy Hash: EF31D3B2C047489FD721DF95C901BAEFBF4FB05310F10865BE955A7291DB30AA04CBA0
APIs
• GetLastError.KERNEL32(00000000,CHttpEncoderW::AnsiEncode: szBuff can not be NULL.,00000000,CHttpEncoderW::AnsiEncode: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.,00000000,EEAE26D7,?,00000000,?,00000000,00000000,0000000A,00000000), ref: 00DCF48B
  • Part of subcall function 00DCF540: WideCharToMultiByte.KERNEL32(-00000100,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,EEAE26D7,?,00000000), ref: 00DCF5AD
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DCF44E
Strings
• CHttpEncoderW::AnsiEncode: szBuff can not be NULL., xrefs: 00DCF47F
• CHttpEncoderW::AnsiEncode: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter., xrefs: 00DCF473
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID: CHttpEncoderW::AnsiEncode: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.$CHttpEncoderW::AnsiEncode: szBuff can not be NULL.
• API String ID: 1717984340-3360842510
• Opcode ID: 9719869654a513a84ce7d881f9cceda6efd0eda0dfad69fddd5c0ad4fe234677
• Instruction ID: 466f7c601c7e26c71123e23d2b3f62064aa359aaf98b6608b5dd65c887737661
• Opcode Fuzzy Hash: 9719869654a513a84ce7d881f9cceda6efd0eda0dfad69fddd5c0ad4fe234677
• Instruction Fuzzy Hash: E021B37164434AABDB24AF54CC46FEF7B79EB41B10F14062EF924672D1DB70A900C6B1
APIs
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(comboFont,EEAE26D7), ref: 00E38DC8
• ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU ref: 00E38E20
• ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(00000000), ref: 00E38E3C
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Lib@@$String@$ControlControl@FindI@2@ManagerPaint
• String ID: comboFont
                                                                                                              • API String ID: 1870430350-1878065344
• Opcode ID: 58b8ffef2a20db3a3f73c05b5dd43a72db4f277e93f64527286252616077ff44
• Instruction ID: bf858b77c42e432ea2c0057a47f70f26e6999fbae947e14698dfa4abd6a71c3d
• Opcode Fuzzy Hash: 58b8ffef2a20db3a3f73c05b5dd43a72db4f277e93f64527286252616077ff44
• Instruction Fuzzy Hash: 23316F3060060A9FDB14DB79CC58BAAF7B4FF85724F144669E42A97291EF34AD44CB90
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00DEA9D6
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Exception@8Throw
• String ID: Type is not convertible to string$false$true
• API String ID: 2005118841-1606231287
• Opcode ID: d00adff406c5b989e29e7e50ea5f8ce2f14f1f34fc83107c4f1185b1da39cbb9
• Instruction ID: 95755efca333f0a0b3f7ed8a63116efc7eae2bf03bc0511a2aa55fab4c0c7e2b
• Opcode Fuzzy Hash: d00adff406c5b989e29e7e50ea5f8ce2f14f1f34fc83107c4f1185b1da39cbb9
• Instruction Fuzzy Hash: E521E571608348EBDB10EF54D801B6ABBF4EB04714F10495EE859AB7C1CBB6A9049BA1
APIs
• SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00E24838
• SetEvent.KERNEL32(?), ref: 00E24841
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: CreateDirectoryEvent
• String ID: %s//%s//$data2
• API String ID: 3642801631-229016458
• Opcode ID: 6e32d4b182656e9a22767b21f89dba149eb0181ba1e938c9fdc0e695f74ec310
• Instruction ID: 2e71f63ea9d3b9528c9629253462844ed500f8063c88bf24ac0a8741cb02f8d2
• Opcode Fuzzy Hash: 6e32d4b182656e9a22767b21f89dba149eb0181ba1e938c9fdc0e695f74ec310
• Instruction Fuzzy Hash: 3111D071A00608AFD714DB68DC09F6ABBF8FF05724F154629F924A72E1DB71A800CBA0
APIs
• GetPrivateProfileStringW.KERNEL32(Config,SampleRatio,00EF8660,EEAE26D7,00000104,00000000), ref: 00E425E7
  • Part of subcall function 00E570B0: GetPrivateProfileStringW.KERNEL32(Config,SampleRatio,00EF8660,?,00000104,?), ref: 00E5718C
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: PrivateProfileString
• String ID: Config$Config.ini$SampleRatio
• API String ID: 1096422788-1085615553
• Opcode ID: 74c82262760fa3b09395b19c89ed9fcd3db4b3b3addbed72faa92dfc005c20cd
• Instruction ID: 7d82b1e12d757ab52642b14e5b37b24f837780277fd97744b498a5ae0d150fdd
• Opcode Fuzzy Hash: 74c82262760fa3b09395b19c89ed9fcd3db4b3b3addbed72faa92dfc005c20cd
• Instruction Fuzzy Hash: F221D470A8020C9FDB10DF64CC49FEAB7B8FF00710F5046A9B519A72D1EB30AA548B84
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00E5527D
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Exception@8Throw
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2005118841-1866435925
• Opcode ID: b0d4a667e45d99b2faf12baf57e8b0e55ceb28540a5aa639fcb561542935ef58
• Instruction ID: a0633f6e8aaf399ea9c63ad4b40166742d93a1fb4321080a9781d19f25f5e715
• Opcode Fuzzy Hash: b0d4a667e45d99b2faf12baf57e8b0e55ceb28540a5aa639fcb561542935ef58
• Instruction Fuzzy Hash: 96012837D00A098BCB04EBA8C853BEAB3E8AF04341F8455B5D909EB102F629D84587D4
APIs
• ShellExecuteW.SHELL32(?,open,00000003,00000000,00000000,00000003), ref: 00E4108A
• ShellExecuteW.SHELL32(?,open,iexplore.exe,00000000,00000000,00000003), ref: 00E410A9
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: ExecuteShell
• String ID: iexplore.exe$open
• API String ID: 587946157-14827900
• Opcode ID: 9d174392f230e1f612133361f61ce9c933fdd2f70c9ce15a3a11d5376e5035c5
• Instruction ID: 9f0dc594dd0bfdbc401891887a0afb3723bd373e001378c53a7fd8a9bbddfdbe
• Opcode Fuzzy Hash: 9d174392f230e1f612133361f61ce9c933fdd2f70c9ce15a3a11d5376e5035c5
• Instruction Fuzzy Hash: EA11E271A40709AFDB10DF68DC05B5DBBB5FB04B25F104724F524E62D1DB7599409B40
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00DD021D
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,CHttpToolA::CreateFileAlwaysToWrite: szFilePath can not be NULL.,00000000), ref: 00DD024D
Strings
• CHttpToolA::CreateFileAlwaysToWrite: szFilePath can not be NULL., xrefs: 00DD0225
• CHttpToolW::CreateFileAlwaysToWrite: szFilePath can not be NULL., xrefs: 00DD0257
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: CreateFile
• String ID: CHttpToolA::CreateFileAlwaysToWrite: szFilePath can not be NULL.$CHttpToolW::CreateFileAlwaysToWrite: szFilePath can not be NULL.
• API String ID: 823142352-1657713534
• Opcode ID: 69a18befe91601133746085c84269b74751071f371f96c94d77d9f458539979d
• Instruction ID: 763eff99fd5565e90853be2910679f77d03db31cb79bf93484678c44f73e6ee4
• Opcode Fuzzy Hash: 69a18befe91601133746085c84269b74751071f371f96c94d77d9f458539979d
• Instruction Fuzzy Hash: A8F0ED703C03087BFA2026A9AC0FFA57A9C9B84F04F608011BB48BA5D2DAE1F800857C
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00DD604B
Strings
• CHttpClientT::SetProxyAccount: szUserName can not be an empty string., xrefs: 00DD6052
• CHttpClientT::SetProxyAccount: szPassword can not be NULL., xrefs: 00DD605E
• CHttpClientT::SetProxyAccount: szPassword can not be an empty string., xrefs: 00DD606A
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Exception@8Throw
• String ID: CHttpClientT::SetProxyAccount: szPassword can not be NULL.$CHttpClientT::SetProxyAccount: szPassword can not be an empty string.$CHttpClientT::SetProxyAccount: szUserName can not be an empty string.
• API String ID: 2005118841-1178449450
                                                                                                              • Opcode ID: 64feab0f8f973446ecc1ea2a4e16ab78bfdf172800b783b01dcd92ddadc694bc
                                                                                                              • Instruction ID: 18fd4f71a5817e9dbaefef863b5caefb296d5de952fcbcf48fb90d6fa731aa19
                                                                                                              • Opcode Fuzzy Hash: 64feab0f8f973446ecc1ea2a4e16ab78bfdf172800b783b01dcd92ddadc694bc
                                                                                                              • Instruction Fuzzy Hash: 8FF031B0A403096AEB20EAA09D02B6A76A49F44700F285426F604B63C1E7B5F94086F5
                                                                                                              APIs
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00DEAA7E
                                                                                                              Strings
                                                                                                              • Negative integer can not be converted to unsigned integer, xrefs: 00DEAA68
                                                                                                              • Real out of unsigned integer range, xrefs: 00DEAA49
                                                                                                              • Type is not convertible to uint, xrefs: 00DEAA5B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throw
                                                                                                              • String ID: Negative integer can not be converted to unsigned integer$Real out of unsigned integer range$Type is not convertible to uint
                                                                                                              • API String ID: 2005118841-1738163505
                                                                                                              • Opcode ID: 768126e72f39322e923ec1e9288d0a198c2b5f4ab4cae808ac58ced4c5d044fe
                                                                                                              • Instruction ID: 7a861694aaa811826487e3ea79854d387567f95744db486f0114b583f9adabf3
                                                                                                              • Opcode Fuzzy Hash: 768126e72f39322e923ec1e9288d0a198c2b5f4ab4cae808ac58ced4c5d044fe
                                                                                                              • Instruction Fuzzy Hash: 6E014E3154478DDBC711FABD79424197398EB02745B1443E6AC0D97151EF32E921E763
                                                                                                              APIs
                                                                                                              • ShowWindow.USER32(?,?), ref: 00E363A4
                                                                                                                • Part of subcall function 00E34120: ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(?,EEAE26D7,?,?,00E322D8), ref: 00E3415A
                                                                                                                • Part of subcall function 00E34120: ?SelectItem@CTabLayoutUI@DuiLib@@QAE_NH@Z.YCOMUIU(?,?,00E322D8), ref: 00E34174
                                                                                                                • Part of subcall function 00E34120: ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listRPicFile,?,?,00E322D8), ref: 00E341D3
                                                                                                                • Part of subcall function 00E34120: ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listAPicFile,00000000,?,00E322D8), ref: 00E341DE
                                                                                                                • Part of subcall function 00E34120: ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listRVideoFile,00000000,?,00E322D8), ref: 00E341E9
                                                                                                                • Part of subcall function 00E34120: ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listAVideoFile,00000000,?,00E322D8), ref: 00E341F4
                                                                                                                • Part of subcall function 00E34120: ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listRPicFile,00000001,?,00E322D8), ref: 00E3420B
                                                                                                                • Part of subcall function 00E34120: ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(tabConver,?,00E322D8), ref: 00E342C0
                                                                                                              • ShowWindow.USER32(?,00000000), ref: 00E363CC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$ShowWindow$Base@ImplWindow@$ControlControl@FindI@2@ManagerPaint$Item@LayoutSelect
                                                                                                              • String ID: tabMain
                                                                                                              • API String ID: 2859199055-2605674194
                                                                                                              • Opcode ID: fce6c5e3883a497e941375d572e8bd58b4e7c826e0df7d3802ab0bb1e0bc079b
                                                                                                              • Instruction ID: 4c0e058ddcc3084a810b45008fc20d950a30322c7db8f4ac686f96f7937513fa
                                                                                                              • Opcode Fuzzy Hash: fce6c5e3883a497e941375d572e8bd58b4e7c826e0df7d3802ab0bb1e0bc079b
                                                                                                              • Instruction Fuzzy Hash: 6F01A430340A107FDA243B30BC5AFBF3F91EB91B05F141818F656BA1D1CA906C85DB96
                                                                                                              APIs
                                                                                                              • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(DlgFrame), ref: 00E06456
                                                                                                              • ?SetBorderSize@CControlUI@DuiLib@@QAEXH@Z.YCOMUIU(00000000), ref: 00E06492
                                                                                                              • ?SetBorderSize@CControlUI@DuiLib@@QAEXUtagRECT@@@Z.YCOMUIU ref: 00E064A6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ControlLib@@$BorderSize@$Control@FindI@2@ManagerPaintT@@@Utag
                                                                                                              • String ID: DlgFrame
                                                                                                              • API String ID: 3762731894-587853529
                                                                                                              • Opcode ID: f8a96f82313b63fc3671fc494cf3fb87a4a9e9f561712f6dd6f0d13e3961d0c9
                                                                                                              • Instruction ID: ac06d12e468b795a2848627ee322a5146bee0a332aa9af126c2bdc9d2dcaa333
                                                                                                              • Opcode Fuzzy Hash: f8a96f82313b63fc3671fc494cf3fb87a4a9e9f561712f6dd6f0d13e3961d0c9
                                                                                                              • Instruction Fuzzy Hash: 5CF04921E002298BC3012B3C5C091BAB775FFD9704F055355EC95B7255EF3098E483D0
                                                                                                              APIs
                                                                                                              • EnterCriticalSection.KERNEL32(00F5074C,EEAE26D7), ref: 00E3CFE6
                                                                                                              • RegisterWindowMessageW.USER32(commdlg_ColorOK), ref: 00E3CFFE
                                                                                                              • LeaveCriticalSection.KERNEL32(00F5074C), ref: 00E3D00A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$EnterLeaveMessageRegisterWindow
                                                                                                              • String ID: commdlg_ColorOK
                                                                                                              • API String ID: 6923546-1282741433
                                                                                                              • Opcode ID: 4c6c8f8b02408316abae53a8426e0cf085299d36ef2fb4d47a3d221309d31239
                                                                                                              • Instruction ID: c8204fc23e35b636221655be7649b97430d4489053b063b6f665e77463351ecb
                                                                                                              • Opcode Fuzzy Hash: 4c6c8f8b02408316abae53a8426e0cf085299d36ef2fb4d47a3d221309d31239
                                                                                                              • Instruction Fuzzy Hash: 1C019E3190575DEFCB00DF98EC08BAA7FB8FB1A715F000259E811A3391DBB56A04CB91
                                                                                                              APIs
                                                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00DD0CD3
                                                                                                              • GetLastError.KERNEL32(00DDC508,CHttpToolW::GetFileSize: szFilePath can not be NULL.,00000000,CHttpToolW::GetFileSize: hFile can not be NULL.,00000000,00000000,?,00DDC508,00000000,00000000,00000000,?,00000000,?), ref: 00DD0CFB
                                                                                                              Strings
                                                                                                              • CHttpToolW::GetFileSize: szFilePath can not be NULL., xrefs: 00DD0CEE
                                                                                                              • CHttpToolW::GetFileSize: hFile can not be NULL., xrefs: 00DD0CE2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFileLastSize
                                                                                                              • String ID: CHttpToolW::GetFileSize: hFile can not be NULL.$CHttpToolW::GetFileSize: szFilePath can not be NULL.
                                                                                                              • API String ID: 464720113-1155689914
                                                                                                              • Opcode ID: c0e07b9f2bff8283d45fac6288787e77cf767abd66a414d98be4c790a87d739a
                                                                                                              • Instruction ID: 40351acdaa42e1cce89f58cf331ea1837c925f59afd63024d208283e0abbeb81
                                                                                                              • Opcode Fuzzy Hash: c0e07b9f2bff8283d45fac6288787e77cf767abd66a414d98be4c790a87d739a
                                                                                                              • Instruction Fuzzy Hash: 3BF0903558020C7BDB206BE89C0AFA97B5CDB80B10F148612BB14AA6D1DA70E8548AB6
                                                                                                              APIs
                                                                                                              • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(DlgFrame), ref: 00E063DF
                                                                                                              • ?SetBorderSize@CControlUI@DuiLib@@QAEXH@Z.YCOMUIU(00000000), ref: 00E0641E
                                                                                                              • ?SetBorderSize@CControlUI@DuiLib@@QAEXUtagRECT@@@Z.YCOMUIU ref: 00E06432
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ControlLib@@$BorderSize@$Control@FindI@2@ManagerPaintT@@@Utag
                                                                                                              • String ID: DlgFrame
                                                                                                              • API String ID: 3762731894-587853529
                                                                                                              • Opcode ID: d461d120f078718c87aedb538a2c2f463a825aef38446b3e3548dc5e08b9b2e9
                                                                                                              • Instruction ID: 9ce5196770b09a02b6c8a319db7140795d2d7dfcbd478a00472c1fc632100abd
                                                                                                              • Opcode Fuzzy Hash: d461d120f078718c87aedb538a2c2f463a825aef38446b3e3548dc5e08b9b2e9
                                                                                                              • Instruction Fuzzy Hash: AAF0F420E11319CBD3116B3C98192BABBA4FF98704F059365FC85B6161EF3099E0C3D1
                                                                                                              APIs
                                                                                                                • Part of subcall function 00E061E0: ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(windowinit), ref: 00E061F2
                                                                                                                • Part of subcall function 00E061E0: ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(DlgFrame), ref: 00E0620C
                                                                                                                • Part of subcall function 00E061E0: ?SetBorderSize@CControlUI@DuiLib@@QAEXH@Z.YCOMUIU(00000000), ref: 00E0624B
                                                                                                                • Part of subcall function 00E061E0: ?SetBorderSize@CControlUI@DuiLib@@QAEXUtagRECT@@@Z.YCOMUIU ref: 00E0625F
                                                                                                              • ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(click,?), ref: 00E3E2A7
                                                                                                              • ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(textchanged), ref: 00E3E2D4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$ControlString@$BorderSize@$Control@FindI@2@ManagerPaintT@@@Utag
                                                                                                              • String ID: click$textchanged
                                                                                                              • API String ID: 162522762-1707420698
                                                                                                              • Opcode ID: 7a90f6b9350605134b706920d408354c3df4a5143962b7b935a743acd4e49f52
                                                                                                              • Instruction ID: 5cc4f2295e1561cff55324bc2daf24849e3c0a2713883909499d9686cac77327
                                                                                                              • Opcode Fuzzy Hash: 7a90f6b9350605134b706920d408354c3df4a5143962b7b935a743acd4e49f52
                                                                                                              • Instruction Fuzzy Hash: 80F0E9323001116BCA01AB54EC09AEEBB9CEFC5715F000026F105B75D1CB62EA25C3A5
                                                                                                              APIs
                                                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00DD0C83
                                                                                                              • GetLastError.KERNEL32(00DDBEF5,CHttpToolA::GetFileSize: szFilePath can not be NULL.,CHttpToolA::GetFileSize: hFile can not be NULL.,00000000,?,00DDBEF5,00000000,00000000,00000000,?,00000000), ref: 00DD0CA7
                                                                                                              Strings
                                                                                                              • CHttpToolA::GetFileSize: szFilePath can not be NULL., xrefs: 00DD0C9A
                                                                                                              • CHttpToolA::GetFileSize: hFile can not be NULL., xrefs: 00DD0C90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFileLastSize
                                                                                                              • String ID: CHttpToolA::GetFileSize: hFile can not be NULL.$CHttpToolA::GetFileSize: szFilePath can not be NULL.
                                                                                                              • API String ID: 464720113-4163622179
                                                                                                              • Opcode ID: 94496bc9c06e79b4117e3ffd1458614bb3dff770e82f294fe558cd7e62d23947
                                                                                                              • Instruction ID: acd33d8ddc818588405229c86af8f859f558530358289a4e596943f638177bad
                                                                                                              • Opcode Fuzzy Hash: 94496bc9c06e79b4117e3ffd1458614bb3dff770e82f294fe558cd7e62d23947
                                                                                                              • Instruction Fuzzy Hash: D9E086341403086FDB106BAD9D0ABBC3B58EFC0722F188212FA28942D5CB70E840C675
                                                                                                              APIs
                                                                                                              • CloseHandle.KERNEL32(00000000,00000000,?,00EB2778,00000000,?,00DFE9A7,00000000,00000000,00DFF810,?,00000000,?), ref: 00EB26BE
                                                                                                              • FreeLibrary.KERNEL32(00000000,00000000,?,00EB2778,00000000,?,00DFE9A7,00000000,00000000,00DFF810,?,00000000,?), ref: 00EB26CD
                                                                                                              • _free.LIBCMT ref: 00EB26D4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseFreeHandleLibrary_free
                                                                                                              • String ID: x'
                                                                                                              • API String ID: 621396759-1180049743
                                                                                                              • Opcode ID: ec05baf72e888923840fe95325bd5d236ca05035c0770fa0983d4327f446deb3
                                                                                                              • Instruction ID: 8b8c70352e0fb8589e3883d3f4ebffcfde40e452e587807176463a4ea9dd1b1b
                                                                                                              • Opcode Fuzzy Hash: ec05baf72e888923840fe95325bd5d236ca05035c0770fa0983d4327f446deb3
                                                                                                              • Instruction Fuzzy Hash: 48E04632001624AFD7216B06E808B9BBBA9AF41365F14902DE629728708776ACD5DB94
                                                                                                              APIs
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPlay,00000001,?,00E362C7), ref: 00E5E1FC
                                                                                                              • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPause,00000000,?,00E362C7), ref: 00E5E20B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Base@ImplLib@@ShowWindowWindow@
                                                                                                              • String ID: btnPause$btnPlay
                                                                                                              • API String ID: 1918941322-2951056387
                                                                                                              • Opcode ID: 13281108f8dc715fb0c4c952ca75fd7161a238a311b6a9dee834471070540c4b
                                                                                                              • Instruction ID: e3bc98d4532e584d8cd1eb32323ec900a82391bcde57ef26960439112ee54d96
                                                                                                              • Opcode Fuzzy Hash: 13281108f8dc715fb0c4c952ca75fd7161a238a311b6a9dee834471070540c4b
                                                                                                              • Instruction Fuzzy Hash: 42D017353812019BE6049B59EC8EF68B325EB88B12F20001AF542A62E0DFA0E841EA21
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter), ref: 00E32C9D
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00E32CA4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                                              • API String ID: 1646373207-2498399450
                                                                                                              • Opcode ID: 34d3a38fd3008d8a6c9b808bc48b040dc2016c7c5fdde597ffee711d293487d5
                                                                                                              • Instruction ID: 2fbecd73d982e452a5c08d4bad110301fd854f9308c30f21b98f371eec3c61e6
                                                                                                              • Opcode Fuzzy Hash: 34d3a38fd3008d8a6c9b808bc48b040dc2016c7c5fdde597ffee711d293487d5
                                                                                                              • Instruction Fuzzy Hash: 46C08C323847096F9640ABF26C4DE3FBB8C9780F107448411FA41E51A0D9E2C058FAA2
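The per-function entries in this report (API calls with their `ref:` call-site addresses, `xrefs:` strings, memory-dump sources and the Similarity IDs) follow a fixed layout, which makes them easy to consume programmatically when triaging a large export. The following is an added example and not part of the Joe Sandbox report or of Joe Sandbox's own tooling: a parser for that layout plus two triage helpers, one that flags entries pairing a module lookup (GetModuleHandleW or LoadLibrary) with GetProcAddress, i.e. runtime import resolution of the kind shown in the entry just above, where ChangeWindowMessageFilter is resolved from user32.dll, and one that lists API names per module. The input is a constructed sample assembled from values shown in entries on this page; the class and function names (`FunctionBlock`, `parse_report`, `find_dynamic_api_resolution`, `api_modules`) are this example's own, and the `LOADERS` set is an assumption about which names count as module loaders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the per-function entries on this page
# (assembled from values shown in those entries; not a real Joe Sandbox export).
SAMPLE_REPORT = """\
APIs
• GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter), ref: 00E32C9D
• GetProcAddress.KERNEL32(00000000), ref: 00E32CA4
Strings
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: ChangeWindowMessageFilter$user32.dll
• API String ID: 1646373207-2498399450
• Instruction Fuzzy Hash: 46C08C323847096F9640ABF26C4DE3FBB8C9780F107448411FA41E51A0D9E2C058FAA2
APIs
• InternetCloseHandle.WININET(?), ref: 00DDC278
  • Part of subcall function 00DCF540: WideCharToMultiByte.KERNEL32(-00000100,00000000), ref: 00DCF5AD
• _free.LIBCMT ref: 00EB26D4
Strings
• CHttpToolA::GetFileSize: szFilePath can not be NULL., xrefs: 00DD0C9A
Similarity
• API ID: CloseHandleInternet$ByteCharMultiWide
• String ID:
• API String ID: 1622922300-0
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[^.(]+)\.(?P<module>\w+)"                 # Name.MODULE
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"  # optional (args), call-site address
)
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)$")
# Assumption of this example: names that count as a module lookup feeding GetProcAddress.
LOADERS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW", "LoadLibraryA",
           "LoadLibraryExW", "LoadLibraryExA"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: str = ""   # callee address when the report attributes the call to a subcall


@dataclass
class StringRef:
    text: str
    ref: str


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    source: dict = field(default_factory=dict)      # Source File / Offset / based on PE
    associated: list = field(default_factory=list)  # associated dump names, link text stripped
    snapshot: str = ""
    similarity: dict = field(default_factory=dict)  # API ID, String ID, fuzzy hashes, ...


def parse_report(text):
    """Split the export into one FunctionBlock per 'APIs' header."""
    blocks, block, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            if line == "APIs":          # every entry starts with its APIs section
                block = FunctionBlock()
                blocks.append(block)
            section = line
            continue
        if block is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                block.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] or ""))
        elif section == "Strings":
            m = STRING_RE.match(body)
            if m:
                block.strings.append(StringRef(m["text"], m["ref"]))
        elif section == "Memory Dump Source":
            if body.startswith("Associated: "):
                block.associated.append(body[len("Associated: "):].removesuffix("Download File"))
            else:
                for part in body.split(", "):
                    k, _, v = part.partition(": ")
                    block.source[k] = v
        elif section == "Joe Sandbox IDA Plugin":
            block.snapshot = body.partition(": ")[2]
        elif section == "Similarity":
            k, _, v = body.partition(": ")
            block.similarity[k.rstrip(":")] = v
    return blocks


def find_dynamic_api_resolution(blocks):
    """Entries that pair a module lookup with GetProcAddress in the function itself.
    Returns (ref of the loader call, candidate symbol names from the block's String ID)."""
    hits = []
    for b in blocks:
        names = {a.name for a in b.apis if not a.subcall_of}
        if "GetProcAddress" in names and names & LOADERS:
            loader = next(a for a in b.apis if a.name in LOADERS)
            strings = [s for s in b.similarity.get("String ID", "").split("$") if s]
            hits.append((loader.ref, sorted(strings)))
    return hits


def api_modules(blocks):
    """Distinct API names per module across all entries, subcalls included."""
    out = {}
    for b in blocks:
        for a in b.apis:
            out.setdefault(a.module, set()).add(a.name)
    return {m: sorted(n) for m, n in out.items()}


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print("dynamic resolution:", find_dynamic_api_resolution(parsed))
    print("modules:", api_modules(parsed))
```

The parser strips the `Download File` link text that the web export appends to Associated dump names. The resolution helper only surfaces the GetModuleHandleW/GetProcAddress pairing; it does not decide whether the resolved call is benign, which for the entry above still requires looking at what the resolved pointer is used for.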
                                                                                                              APIs
                                                                                                              • InternetCloseHandle.WININET(?), ref: 00DDC278
                                                                                                                • Part of subcall function 00DCF540: WideCharToMultiByte.KERNEL32(-00000100,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,EEAE26D7,?,00000000), ref: 00DCF5AD
                                                                                                              • InternetCloseHandle.WININET(?), ref: 00DDC282
                                                                                                              • InternetCloseHandle.WININET(?), ref: 00DDC28C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleInternet$ByteCharMultiWide
                                                                                                              • String ID:
                                                                                                              • API String ID: 1622922300-0
                                                                                                              • Opcode ID: 9f340bc74757b5d4c0f17f2dc24d1d68c0422ecb4dc0ef659193e227d0f1a6d4
                                                                                                              • Instruction ID: d5aff9e4d949d72135298a0883046b5bc2627013960e6895f41d1e85636371f1
                                                                                                              • Opcode Fuzzy Hash: 9f340bc74757b5d4c0f17f2dc24d1d68c0422ecb4dc0ef659193e227d0f1a6d4
                                                                                                              • Instruction Fuzzy Hash: E8F1297590020AAFCB15EFA4C891BEEBBB6FF18304F14411AE805B7291DB35A955CFB1
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __alldvrm$_strrchr
                                                                                                              • String ID:
                                                                                                              • API String ID: 1036877536-0
                                                                                                              • Opcode ID: c9b30a73bd041bcef4cb3df9cdf9f1ea649cba3ee9dc236a0e57f3985a785e8d
                                                                                                              • Instruction ID: b89861c8f51692bd3e66b0ec22a8e535156fb4c5be14a250cd88d08c0381c2d9
                                                                                                              • Opcode Fuzzy Hash: c9b30a73bd041bcef4cb3df9cdf9f1ea649cba3ee9dc236a0e57f3985a785e8d
                                                                                                              • Instruction Fuzzy Hash: 7FA15A729003859FDB2A8F78C981BAEBBE1FF55314F14916EE495BB241C63A8A42C750
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                               • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _wcschr
                                                                                                              • String ID:
                                                                                                              • API String ID: 2691759472-0
                                                                                                              • Opcode ID: f557885340fc0d006326f406a7e9a30469e3d43a16803ac6e4840faa947bd90b
                                                                                                              • Instruction ID: 476e2674ab5e6c67a7a17ae960f325736e264415d753d1720304e959fe90ea79
                                                                                                              • Opcode Fuzzy Hash: f557885340fc0d006326f406a7e9a30469e3d43a16803ac6e4840faa947bd90b
                                                                                                              • Instruction Fuzzy Hash: 2981E132D006189BDB24DBB8EC01ABEB3B4AF95714F15533DBD19BB281EB70A9458690
                                                                                                              APIs
                                                                                                              • FindResourceW.KERNEL32(00000000,?,00000006,00E03B89), ref: 00E02DF4
                                                                                                                • Part of subcall function 00DF6040: LoadResource.KERNEL32(00DF51A2,?,00000000,?,00DF51A2,00000000,00000000,?), ref: 00DF604A
                                                                                                                • Part of subcall function 00DF6040: LockResource.KERNEL32(00000000,?,00DF51A2,00000000,00000000,?), ref: 00DF6055
                                                                                                                • Part of subcall function 00DF6040: SizeofResource.KERNEL32(00DF51A2,?,?,00DF51A2,00000000,00000000,?), ref: 00DF6067
                                                                                                              • WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,00000000,00000000,00000000,00000000), ref: 00E02E2B
                                                                                                              • WideCharToMultiByte.KERNEL32(00000003,00000000,00E03B89,000000FF,00000000,00000000,00000000,00000000,?,?,?,00EE2248,000000FF,?,00E03B89), ref: 00E02E74
                                                                                                              • WideCharToMultiByte.KERNEL32(00000003,00000000,00E03B89,000000FF,?,-00000001,00000000,00000000,?,?,?,00EE2248,000000FF,?,00E03B89), ref: 00E02EAA
                                                                                                                • Part of subcall function 00E037F0: FindResourceExW.KERNEL32(00000000,00000006,00000000,a&,00000000,000000FF,000000FF,?,00000000,?,00E0389B,000000FF,00000000,000000FF,?,a&), ref: 00E03827
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Resource$ByteCharMultiWide$Find$LoadLockSizeof
                                                                                                              • String ID:
                                                                                                              • API String ID: 1683463930-0
                                                                                                              • Opcode ID: 2a4255f402f41386189332f2b121f1749555981c873a4cdba4186af217e15160
                                                                                                              • Instruction ID: 518d59857372594c24e3ecf9c4e2bf3f11aa3b8149b4c2d46ef147737416819e
                                                                                                              • Opcode Fuzzy Hash: 2a4255f402f41386189332f2b121f1749555981c873a4cdba4186af217e15160
                                                                                                              • Instruction Fuzzy Hash: E6519D70340602AFE7218F59CC89F2AB7E8EF54724F24425DB655BB2D1DBB4A881CB64
                                                                                                              APIs
                                                                                                              • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 00DFCD39
                                                                                                              • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 00DFCDA9
                                                                                                              • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,?), ref: 00DFCE56
                                                                                                              • lstrcpynW.KERNEL32(?,00000000,?), ref: 00DFCE70
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide$lstrcpyn
                                                                                                              • String ID:
                                                                                                              • API String ID: 1168372961-0
                                                                                                              • Opcode ID: ac96ff4ee82b979b5af19dd7d809169104ba1380f2944546ee3ef927974db9e6
                                                                                                              • Instruction ID: 5506160f89c85ce7904cbb8eb642ea06152d2ef426c82bfdace16e3bfb4f2b3d
                                                                                                              • Opcode Fuzzy Hash: ac96ff4ee82b979b5af19dd7d809169104ba1380f2944546ee3ef927974db9e6
                                                                                                              • Instruction Fuzzy Hash: 18517E3561020C9BCB249F38CC01BFEBB65EF85714F1983A9EA59AB1C1DB715E45CBA0
                                                                                                              APIs
                                                                                                              • ??0CWaitCursor@DuiLib@@QAE@PAUHWND__@@@Z.YCOMUIU(00000000,EEAE26D7,?,?,?,00E34854,EEAE26D7), ref: 00E3CD3E
                                                                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E3CDDD
                                                                                                              • SendMessageW.USER32(?,00000404,00000000,00000000), ref: 00E3CDED
                                                                                                              • ??1CWaitCursor@DuiLib@@QAE@XZ.YCOMUIU ref: 00E3CE5F
                                                                                                              Similarity
                                                                                                              • API ID: Cursor@Lib@@MessageSendWait$D__@@@
                                                                                                              • String ID:
                                                                                                              • API String ID: 3958628232-0
                                                                                                              • Opcode ID: cc10463da06b3e409ae956c68fc59e1b855ff1160ece2d4088b299bbfaa0ee81
                                                                                                              • Instruction ID: 40ecd9c1e5f0001b23b0b515ad51ad96601a85f4910bd0dfb806945f040d07b9
                                                                                                              • Opcode Fuzzy Hash: cc10463da06b3e409ae956c68fc59e1b855ff1160ece2d4088b299bbfaa0ee81
                                                                                                              • Instruction Fuzzy Hash: 2E41E671900248DFDB10EB69DD0AB6DBFB4EF05714F244259F515B72D2DB71A900CBA1
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              • CHttpClientT::_ReleasePostResponse: The post context is not active., xrefs: 00DDA905
                                                                                                              • CHttpPostStatT::FileCount: The post context is not active., xrefs: 00DDA911
                                                                                                              • CHttpPostStatT::FileCount: The post context is not active., xrefs: 00DDAB71
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle
                                                                                                              • String ID: CHttpClientT::_ReleasePostResponse: The post context is not active.$CHttpPostStatT::FileCount: The post context is not active.$CHttpPostStatT::FileCount: The post context is not active.
                                                                                                              • API String ID: 2962429428-1075908693
                                                                                                              • Opcode ID: 369d6122965aaed39c929a834bcfd522bd0fad93b651b1112a360b082578b7fb
                                                                                                              • Instruction ID: b184b6110e1505272b2c492f9b543a84a9edaaea8cf6a5ddc74ff39168cd5318
                                                                                                              • Opcode Fuzzy Hash: 369d6122965aaed39c929a834bcfd522bd0fad93b651b1112a360b082578b7fb
                                                                                                              • Instruction Fuzzy Hash: 9F51DCB0505B01DFE7209F78C855B97B7E4BB00314F09892EE5AE9B391D7B5B848CB62
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000,EEAE26D7,?,?,?), ref: 00DCF2D8
                                                                                                              • GetLastError.KERNEL32(CHttpEncoderW::AnsiDecodeLen: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.,00000000,EEAE26D7,?,?,?), ref: 00DCF341
                                                                                                              Strings
                                                                                                              • CHttpEncoderA::AnsiEncode: szBuff can not be NULL., xrefs: 00DCF397
                                                                                                              • CHttpEncoderW::AnsiDecodeLen: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter., xrefs: 00DCF337
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharErrorLastMultiWide
                                                                                                              • String ID: CHttpEncoderA::AnsiEncode: szBuff can not be NULL.$CHttpEncoderW::AnsiDecodeLen: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.
                                                                                                              • API String ID: 203985260-3347520855
                                                                                                              • Opcode ID: 1153a0cce95d2cb95bded5c081839386a72a2fa6298163be913bf9a02cf1fe48
                                                                                                              • Instruction ID: 4856e93d2dc54cc40a123fe71b6afb62f707ec0eb250fb4b8445b243611dba25
                                                                                                              • Opcode Fuzzy Hash: 1153a0cce95d2cb95bded5c081839386a72a2fa6298163be913bf9a02cf1fe48
                                                                                                              • Instruction Fuzzy Hash: B531083160424ABFDB25EF69DC01FE9BBA5EB41710F18826EF9189B2C1D731A900C7B0
                                                                                                              APIs
                                                                                                              • ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(00000409,00000000,00000001,?,?,C000008C,00000001), ref: 00E2EE79
                                                                                                              • SendMessageW.USER32(00000000), ref: 00E2EE80
                                                                                                              • ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(00000409,00000001,00000000,?,?,C000008C,00000001), ref: 00E2EEB3
                                                                                                              • SendMessageW.USER32(00000000), ref: 00E2EEBA
                                                                                                              Similarity
                                                                                                              • API ID: D__@@Lib@@MessageSendWindowWnd@
                                                                                                              • String ID:
                                                                                                              • API String ID: 1693822128-0
                                                                                                              • Opcode ID: 4e2d89c1e316bffc66b20ec4c09a4743552de1dca65bd2203c1d2eac2f03a869
                                                                                                              • Instruction ID: 5bb001d86c302673989bf3a46c1d6f18b8b9d46641a493746b57236bc8a6f865
                                                                                                              • Opcode Fuzzy Hash: 4e2d89c1e316bffc66b20ec4c09a4743552de1dca65bd2203c1d2eac2f03a869
                                                                                                              • Instruction Fuzzy Hash: 2C41B7313016319FDB38DB28E854BAA73E2AF84B08F1A552DE585BB790CB71BC41C791
                                                                                                              APIs
                                                                                                              • ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E12B7D
                                                                                                              • ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E12B8E
                                                                                                              • ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E12B9E
                                                                                                              • ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E12BAF
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@Rect@$Height@Width@
                                                                                                              • String ID:
                                                                                                              • API String ID: 1847965394-0
                                                                                                              • Opcode ID: 8f63860fe9d525533a0cdc866656f101424661435058eedf1d2ae08d213b9ddb
                                                                                                              • Instruction ID: 408066ae7398c9e442fef3b87a92dacf8dbca567b16e5dfc449b71944ce14ffe
                                                                                                              • Opcode Fuzzy Hash: 8f63860fe9d525533a0cdc866656f101424661435058eedf1d2ae08d213b9ddb
                                                                                                              • Instruction Fuzzy Hash: 8341C3319147458FC306DB3AC845559F7E4AFEE244F04CB1EF89AB3262EB30A596CB41
                                                                                                              APIs
                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000), ref: 00E43111
                                                                                                              • GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00E43122
                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00E4313F
                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00E4316A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide$ErrorLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 1717984340-0
                                                                                                              • Opcode ID: 8aa31163da2204196315d4f7a86233efcce50ce6fcf1193f23b85ab776e73f2f
                                                                                                              • Instruction ID: 3113188c3eaae4e01f4ac6308febcf9d44913a3d70d93a3a8ce673cad01e6e00
                                                                                                              • Opcode Fuzzy Hash: 8aa31163da2204196315d4f7a86233efcce50ce6fcf1193f23b85ab776e73f2f
                                                                                                              • Instruction Fuzzy Hash: 6D21E275601205BBEB205F65EC82FBA7B2DEF05754F204225FB046A1D0E772AA14CBA4
                                                                                                              APIs
                                                                                                              • ??9CDuiPoint@DuiLib@@QBEHUtagPOINT@@@Z.YCOMUIU(?,?), ref: 00E1268C
                                                                                                              • GdipCreatePen1.GDIPLUS(FFFF0000,?,00000000,EEAE26D7), ref: 00E12749
                                                                                                              • GdipDrawRectangle.GDIPLUS(?,00000000), ref: 00E1278E
                                                                                                              • GdipDeletePen.GDIPLUS(00000000,?,00000000), ref: 00E127A4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Gdip$CreateDeleteDrawLib@@Pen1Point@RectangleT@@@Utag
                                                                                                              • String ID:
                                                                                                              • API String ID: 2148718937-0
                                                                                                              • Opcode ID: 43d316d64572815e7e5ee297f828edd9fcccac2d007ac321538fc7cf1fd6cbbe
                                                                                                              • Instruction ID: 2d64458f93ab224e979e87f5b23d91c5562579abde6d27301abbaff8d65b12be
                                                                                                              • Opcode Fuzzy Hash: 43d316d64572815e7e5ee297f828edd9fcccac2d007ac321538fc7cf1fd6cbbe
                                                                                                              • Instruction Fuzzy Hash: 9C41A131D24B4A9FCB11DF77CC406AEF7B4AF9A750F14871AE855722A0E7706990DB40
                                                                                                              APIs
                                                                                                              • ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(00000409,00000000,00000001), ref: 00E2AFDD
                                                                                                              • SendMessageW.USER32(00000000), ref: 00E2AFE4
                                                                                                              • CloseHandle.KERNEL32(?), ref: 00E2AFF3
                                                                                                              • MessageBeep.USER32(00000040), ref: 00E2B062
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message$BeepCloseD__@@HandleLib@@SendWindowWnd@
                                                                                                              • String ID:
                                                                                                              • API String ID: 1018964785-0
                                                                                                              • Opcode ID: cbb04c137b5ccafa07384f8bb9bafa423e6e77e87ba8b8346115466853cba53d
                                                                                                              • Instruction ID: ee90faaf433a2b688a400a982a4ac2c7f0e6066706b47b91527659afb5abb154
                                                                                                              • Opcode Fuzzy Hash: cbb04c137b5ccafa07384f8bb9bafa423e6e77e87ba8b8346115466853cba53d
                                                                                                              • Instruction Fuzzy Hash: 9431B370B04724DFEB31CF65EA85F66BBE4AF04B08F089459E9456B282D770E844C761
                                                                                                              APIs
                                                                                                              • GdipSetSmoothingMode.GDIPLUS(?,00000002,EEAE26D7), ref: 00E12807
                                                                                                              • GdipCreatePen1.GDIPLUS(FFFF0000,?,00000000,EEAE26D7,?,00000002), ref: 00E12875
                                                                                                              • GdipDrawRectangle.GDIPLUS(?,00000000,00000002), ref: 00E128B7
                                                                                                              • GdipDeletePen.GDIPLUS(00000000,?,00000000,00000002), ref: 00E128CD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Gdip$CreateDeleteDrawModePen1RectangleSmoothing
                                                                                                              • String ID:
                                                                                                              • API String ID: 3418039581-0
                                                                                                              • Opcode ID: 7652b117174609cfbb99cc16545c23bb45b1f20fad75fdfb8f67dcb6569180fb
                                                                                                              • Instruction ID: a0f72037300da57b96ebc2b955e564c900b5f2d563c76f834f45ae5fa42916b3
                                                                                                              • Opcode Fuzzy Hash: 7652b117174609cfbb99cc16545c23bb45b1f20fad75fdfb8f67dcb6569180fb
                                                                                                              • Instruction Fuzzy Hash: F931AD71C14B4DAACB02DF37CC416AAF7B4EF6A750F14DB1AF814721A1E73065A09B90
                                                                                                              APIs
                                                                                                              • PathFileExistsW.SHLWAPI(?), ref: 00E3AE02
                                                                                                              • ?SetBkImage@CControlUI@DuiLib@@QAE_NPB_W@Z.YCOMUIU(00EF8660), ref: 00E3AE2B
                                                                                                              • ??0CDuiRect@DuiLib@@QAE@HHHH@Z.YCOMUIU(00000000,00000000,?,?,00000001), ref: 00E3AE40
                                                                                                              • ?SetBitmap@CPictureUI@DuiLib@@QAEXPAUHBITMAP__@@AAUtagRECT@@H@Z.YCOMUIU(?,-00000004), ref: 00E3AE4F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@$Bitmap@ControlExistsFileImage@P__@@PathPictureRect@Utag
                                                                                                              • String ID:
                                                                                                              • API String ID: 2835651767-0
                                                                                                              • Opcode ID: c0edb6ee5a20992ba350b1f0537616ed35a1b6d72b1f6969d018ac8c6808a3ac
                                                                                                              • Instruction ID: 8357262a8ce1908c43bcd98611531082e3eb23b41ca098b221dc27ebb18ae446
                                                                                                              • Opcode Fuzzy Hash: c0edb6ee5a20992ba350b1f0537616ed35a1b6d72b1f6969d018ac8c6808a3ac
                                                                                                              • Instruction Fuzzy Hash: 92215C32600604AFCF229FA5DC45E6BBBB2FF59700F14452DF68B66561CB32A864EB41
                                                                                                              APIs
                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00DD6673
                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00DD669E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide
                                                                                                              • String ID:
                                                                                                              • API String ID: 626452242-0
                                                                                                              • Opcode ID: 6950575a76660978fdd046ee39532986b21b853213738229a0d2fcd804b52e45
                                                                                                              • Instruction ID: b6ce2c1b3f801f0b89aca3f57eed17b657cea13c2c47505fe3bb5de89cdca2e1
                                                                                                              • Opcode Fuzzy Hash: 6950575a76660978fdd046ee39532986b21b853213738229a0d2fcd804b52e45
                                                                                                              • Instruction Fuzzy Hash: 3001DB713843047BFB102BA56C47F6B2618DBC0B35F280226F724F82D1DEA1D40485BD
                                                                                                              APIs
                                                                                                              • IsWindow.USER32(?), ref: 00E449D5
                                                                                                              • ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(?,00EF8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E449FD
                                                                                                              • ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU ref: 00E44A05
                                                                                                              • ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU ref: 00E44A0D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Lib@@Wnd@$CenterCreate@D__@@Modal@ShowU__@@@Window@
                                                                                                              • String ID:
                                                                                                              • API String ID: 1873043032-0
                                                                                                              • Opcode ID: d19380eea1b15a113c9f9b4163194df18fb01f9778c1d9db062fb8406e0ce242
                                                                                                              • Instruction ID: 14fdf58008ac22221644bfe20f5625ab82838781f96fbffee7ee5f2522920006
                                                                                                              • Opcode Fuzzy Hash: d19380eea1b15a113c9f9b4163194df18fb01f9778c1d9db062fb8406e0ce242
                                                                                                              • Instruction Fuzzy Hash: 4021D576B04204AFDB049F55DC05B7AB7E5FB88720F00426AED15E33D0EB756900D780
                                                                                                              Strings
                                                                                                              • CHttpToolA::Unicode2Ansi: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter., xrefs: 00DD66B1
                                                                                                              • CHttpPostStatT::TotalCount: The post context is not active., xrefs: 00DD662C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: CHttpPostStatT::TotalCount: The post context is not active.$CHttpToolA::Unicode2Ansi: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.
                                                                                                              • API String ID: 0-3665396777
                                                                                                              • Opcode ID: 11301c89edbf838d90242807ce7b328711de634d865b271a477a5ef563a23f30
                                                                                                              • Instruction ID: 8ebd9124828f9f15697f493c2517682ad3b513bf106a44e19af3f84bfddb3e1a
                                                                                                              • Opcode Fuzzy Hash: 11301c89edbf838d90242807ce7b328711de634d865b271a477a5ef563a23f30
                                                                                                              • Instruction Fuzzy Hash: 8EF03061A813047BF72437A94C4BF792518DB85B16F190066FB24796D2DEE1E80095FF
                                                                                                              APIs
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00DD83F0
                                                                                                                • Part of subcall function 00E83E56: RaiseException.KERNEL32(?,?,EEAE26D7,?,?,?,?,?,?,00E056AD,80004005,EEAE26D7), ref: 00E83EB6
                                                                                                              • InternetCloseHandle.WININET(?), ref: 00DD8435
                                                                                                              • InternetCloseHandle.WININET(?), ref: 00DD843F
                                                                                                              • InternetCloseHandle.WININET(?), ref: 00DD8449
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleInternet$ExceptionException@8RaiseThrow
                                                                                                              • String ID:
                                                                                                              • API String ID: 1390451768-0
                                                                                                              • Opcode ID: 46fcd0ecd77978f326086d0c8b25683b13ab6502e2e238b3be37d854a67fc081
                                                                                                              • Instruction ID: 51c5b7c1050f62c311831568b0ead3e4f700d59106bca95d23e7550ae830c326
                                                                                                              • Opcode Fuzzy Hash: 46fcd0ecd77978f326086d0c8b25683b13ab6502e2e238b3be37d854a67fc081
                                                                                                              • Instruction Fuzzy Hash: D0013C71E0020DABDF10EAF8DC45FEE77BD9B04700F0445A7B909E7280DAB1EA409AB1
APIs
• ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E12D26
• ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E12D33
• ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E12D3F
• ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00E12D4C
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: Lib@@Rect@$Height@Width@
• String ID:
• API String ID: 1847965394-0
• Opcode ID: cc180efbc1580831f54534c8e6bf0e1860d635e11ca4cc773c89cbae8b79b422
• Instruction ID: 262308c0324190bce3fd3197473b940205dbeb33ed2cd51c57420b6459d2480f
• Opcode Fuzzy Hash: cc180efbc1580831f54534c8e6bf0e1860d635e11ca4cc773c89cbae8b79b422
• Instruction Fuzzy Hash: 6301A2735002154FDB14DF29E9886E9BBF5EF94304B410169ED49E7166EF70ED49CB40
APIs
• SetCursor.USER32(00000000), ref: 00E0A39C
• InvalidateRect.USER32(?,00000000,00000000), ref: 00E0A3BD
  • Part of subcall function 00E3F7C0: ReleaseCapture.USER32 ref: 00E3F7C9
• SetCursor.USER32(00000000), ref: 00E0A3DC
• InvalidateRect.USER32(?,00000000,00000000), ref: 00E0A3FD
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: CursorInvalidateRect$CaptureRelease
• String ID:
• API String ID: 2232807753-0
• Opcode ID: e07d27172ba1079a284c3686b4b6745ff01bdd376fe73e6b5d0993aac6687718
• Instruction ID: 7aec988ef31308b9064143b9435a5b4f160636ed6fe6219d7b159abfdeacbd6e
• Opcode Fuzzy Hash: e07d27172ba1079a284c3686b4b6745ff01bdd376fe73e6b5d0993aac6687718
• Instruction Fuzzy Hash: E00162305447406FF361A774DC0EF667ED07B40B04F084868F1A6B65E1CBB87888CB55
APIs
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: DeleteGdip$FreeGraphicsObjectSelect
• String ID:
• API String ID: 1630502854-0
• Opcode ID: c8f2429e5b43ed8b830b63422c9e74682bf2b77ac1773d8dcf792aa5445b59af
• Instruction ID: 03593fe4b8b483bc4f96e8ad0574ef9a3af3a6de139b7533ea5e31ef8e9b3ef0
• Opcode Fuzzy Hash: c8f2429e5b43ed8b830b63422c9e74682bf2b77ac1773d8dcf792aa5445b59af
• Instruction Fuzzy Hash: 86F0C231200B00DFE7319F35DC58BE7B3E9AF81304F00141DE59AA2150DB71A855CB62
APIs
• ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU ref: 00E12A26
• GetClientRect.USER32(?,?), ref: 00E12A33
• GetWindowLongW.USER32(?,000000EC), ref: 00E12A42
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E12A53
Memory Dump Source
• Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
• Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
Similarity
• API ID: LongWindow$ClientLib@@RectRect@
• String ID:
• API String ID: 1802287019-0
• Opcode ID: 3a8afb5d25079e6d788abc902513db789d8d4f974fbe7b9a260196ac31ebfd93
• Instruction ID: 23d2799c4391281eb9d59e0870fe032f44bd80473ed738274ab24d58dad85d42
• Opcode Fuzzy Hash: 3a8afb5d25079e6d788abc902513db789d8d4f974fbe7b9a260196ac31ebfd93
• Instruction Fuzzy Hash: 02F01D31500608AFCB10FB69DD09D7ABBB8FB45711B100569F856E22A1DB21A908DB50
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32 ref: 00DC8B1B
                                                                                                              • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00DC8B36
                                                                                                              • MessageBoxW.USER32(00000000,?,00EF7200,00000000), ref: 00DC8B48
                                                                                                              • LocalFree.KERNEL32(?), ref: 00DC8B51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message$ErrorFormatFreeLastLocal
                                                                                                              • String ID:
                                                                                                              • API String ID: 2195691534-0
                                                                                                              • Opcode ID: 6fc5b923f4196d8fdab3b73b9d014f3a52f5bb34d862d31ba76a7c5406eb6b5e
                                                                                                              • Instruction ID: ad15563430d17f5b574ebfdfd889c5a9d195ca10679b3aae5a3d143addf49406
                                                                                                              • Opcode Fuzzy Hash: 6fc5b923f4196d8fdab3b73b9d014f3a52f5bb34d862d31ba76a7c5406eb6b5e
                                                                                                              • Instruction Fuzzy Hash: 15E01271680204BFE7115B91DC0AFA83B64AB44B51F104100F719A90E0CBB16544C765
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000000,?,?,EEAE26D7), ref: 00DF7468
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleModule
                                                                                                              • String ID: LnRleHQ=$eGlhbWVuYnN0MTIzNDU2OTg3d24=
                                                                                                              • API String ID: 4139908857-2032424547
                                                                                                              APIs
                                                                                                              • ??0CWaitCursor@DuiLib@@QAE@PAUHWND__@@@Z.YCOMUIU(00000000), ref: 00E36B41
                                                                                                              • ??1CWaitCursor@DuiLib@@QAE@XZ.YCOMUIU ref: 00E36BD1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Cursor@Lib@@Wait$D__@@@
                                                                                                              • String ID: tabConver
                                                                                                              • API String ID: 783644440-4102355168
                                                                                                              APIs
                                                                                                              • __Init_thread_footer.LIBCMT ref: 00E2104D
                                                                                                                • Part of subcall function 00E63D26: EnterCriticalSection.KERNEL32(00F519F4,?,?,?,00E0405B,00F4E7A4,EEAE26D7,?,?,00EE26D8,000000FF,?,00E053DC,EEAE26D7), ref: 00E63D31
                                                                                                                • Part of subcall function 00E63D26: LeaveCriticalSection.KERNEL32(00F519F4,?,?,00E0405B,00F4E7A4,EEAE26D7,?,?,00EE26D8,000000FF,?,00E053DC,EEAE26D7), ref: 00E63D6E
                                                                                                              • __Init_thread_footer.LIBCMT ref: 00E2109B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalInit_thread_footerSection$EnterLeave
                                                                                                              • String ID: run.dat
                                                                                                              • API String ID: 3080361431-3217760016
                                                                                                              APIs
                                                                                                              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00ED0A7E,?,00000050,?,?,?,?,?), ref: 00ED08B8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ACP$OCP
                                                                                                              • API String ID: 0-711371036
                                                                                                              APIs
                                                                                                              • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtToolbarRatio,?), ref: 00E3CF35
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Base@ImplItemLib@@TextWindow
                                                                                                              • String ID: %d%%$txtToolbarRatio
                                                                                                              • API String ID: 997997502-1462745673
                                                                                                              APIs
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00DD92C4
                                                                                                              Strings
                                                                                                              • CHttpResponseT::_LoadHeader: m_hRequest can not be NULL., xrefs: 00DD92CB
                                                                                                              • CHttpResponseT::_LoadHeader: szName can not be NULL., xrefs: 00DD92D7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throw
                                                                                                              • String ID: CHttpResponseT::_LoadHeader: m_hRequest can not be NULL.$CHttpResponseT::_LoadHeader: szName can not be NULL.
                                                                                                              • API String ID: 2005118841-3648340978
                                                                                                              APIs
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00DD9116
                                                                                                              Strings
                                                                                                              • CHttpResponseT::_LoadHeader: m_hRequest can not be NULL., xrefs: 00DD911D
                                                                                                              • CHttpResponseT::_LoadHeader: szName can not be NULL., xrefs: 00DD9129
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throw
                                                                                                              • String ID: CHttpResponseT::_LoadHeader: m_hRequest can not be NULL.$CHttpResponseT::_LoadHeader: szName can not be NULL.
                                                                                                              • API String ID: 2005118841-3648340978
                                                                                                              APIs
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00DD65AF
                                                                                                                • Part of subcall function 00E83E56: RaiseException.KERNEL32(?,?,EEAE26D7,?,?,?,?,?,?,00E056AD,80004005,EEAE26D7), ref: 00E83EB6
                                                                                                              Strings
                                                                                                              • CHttpPostStatT::TotalByte: The post context is not active., xrefs: 00DD65CC
                                                                                                              • CHttpPostStatT::TotalByte: The post context is not active., xrefs: 00DD65EC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionException@8RaiseThrow
                                                                                                              • String ID: CHttpPostStatT::TotalByte: The post context is not active.$CHttpPostStatT::TotalByte: The post context is not active.
                                                                                                              • API String ID: 3976011213-2071995965
                                                                                                              APIs
                                                                                                              • HttpEndRequestW.WININET(?,00000000,00000000,00000000), ref: 00DD0621
                                                                                                              • GetLastError.KERNEL32(00000000,CHttpToolA::EndRequest: hRequest can not be NULL.,00000000), ref: 00DD0639
                                                                                                              Strings
                                                                                                              • CHttpToolA::EndRequest: hRequest can not be NULL., xrefs: 00DD062D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorHttpLastRequest
                                                                                                              • String ID: CHttpToolA::EndRequest: hRequest can not be NULL.
                                                                                                              • API String ID: 4268994570-438178888
                                                                                                              • Opcode ID: 76b72f9c89260bd94da883848d5e02c65d183d22ef02b45d93d3167256c6ecba
                                                                                                              • Instruction ID: 3593f1f54d16a1d0dc6fff2875b650cfe1318e6a0b56c4136b1e9b70569a4a51
                                                                                                              • Opcode Fuzzy Hash: 76b72f9c89260bd94da883848d5e02c65d183d22ef02b45d93d3167256c6ecba
                                                                                                              • Instruction Fuzzy Hash: 27E09E71781309BFF66067AA9C0BF7A3B5CDB84F45F180416BB18E96C1DE90E850C5BA
                                                                                                              APIs
                                                                                                              • SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UtilFlag,00000004,?,00000004,?,?,00E25822,00000001), ref: 00E4454A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Value
                                                                                                              • String ID: Software\EasePaintWatermarkRemover$UtilFlag
                                                                                                              • API String ID: 3702945584-3823976766
                                                                                                              • Opcode ID: e49c2e7b3f7e0d07aff39a688dd9afe8269bbe58b89681b9cab71e0ebec73478
                                                                                                              • Instruction ID: cedf45d027316362809d3eb1277cdae1cd4d7257a27781f1a899a309b9d5b0ec
                                                                                                              • Opcode Fuzzy Hash: e49c2e7b3f7e0d07aff39a688dd9afe8269bbe58b89681b9cab71e0ebec73478
                                                                                                              • Instruction Fuzzy Hash: 19E04FB1B8530CBFDF10CF91AC02BA577A8D741715F005199FE0CA61C1D9B2E914A7A5
                                                                                                              APIs
                                                                                                                • Part of subcall function 00E64E64: GetLastError.KERNEL32 ref: 00E64E76
                                                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,00DC2A16), ref: 00E64CB6
                                                                                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00DC2A16), ref: 00E64CC5
                                                                                                              Strings
                                                                                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E64CC0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DebugDebuggerErrorLastOutputPresentString
                                                                                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                              • API String ID: 389471666-631824599
                                                                                                              • Opcode ID: 042001d7cde4650e583a614ff0af717faeabe797cab92a226189fa5a978b5c1e
                                                                                                              • Instruction ID: 75cac5c669ec9992ad8553a7818faff57821463d00dea843cb7d556af2bf9133
                                                                                                              • Opcode Fuzzy Hash: 042001d7cde4650e583a614ff0af717faeabe797cab92a226189fa5a978b5c1e
                                                                                                              • Instruction Fuzzy Hash: C1E092B02013128FE360AF69F914742BAE4AF50384F00981DE886E77D1E7B5E448DBA1
                                                                                                              APIs
                                                                                                              • ?GetInstance@CSkinManager@DuiLib@@SAPAV12@XZ.YCOMUIU(Default.xml,?,00E531B3), ref: 00E3AF09
                                                                                                              • ?ReloadFont@CSkinManager@DuiLib@@QAEHPB_WPAVCPaintManagerUI@2@@Z.YCOMUIU ref: 00E3AF11
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.3351065843.0000000000DC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.3350990879.0000000000DC0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351419453.0000000000EF6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351524617.0000000000F45000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351550606.0000000000F47000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F4E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351584024.0000000000F50000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.3351691309.0000000000F53000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_dc0000_EasePaint.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Lib@@Manager@Skin$Font@I@2@@Instance@ManagerPaintReloadV12@
                                                                                                              • String ID: Default.xml
                                                                                                              • API String ID: 271707227-1250747232
                                                                                                              • Opcode ID: 03f349da7fc809a93032f225e8a27b698e4fabbe891dc1ff70934734b660ca8d
                                                                                                              • Instruction ID: a093e5d4c8c1f0b8d0b00fac000db7e0f556acf15a0fea91e9faf847e3f5fb4b
                                                                                                              • Opcode Fuzzy Hash: 03f349da7fc809a93032f225e8a27b698e4fabbe891dc1ff70934734b660ca8d
                                                                                                              • Instruction Fuzzy Hash: 8EB09230640200AFCF00BBB1990C8383B78EBC93093600166A802D62D0DA35D805DA11