
Windows Analysis Report
wi86CSarYC.exe

Overview

General Information

Sample name:wi86CSarYC.exe
renamed because original name is a hash value
Original sample name:d7444d0ab1742bd2fed6dfdbd47f97372843894e0c78d853761697089bb24d40.exe
Analysis ID:1573201
MD5:0897b6ab5240bdb4bbeb3adf924adb19
SHA1:542a45a470d549a1c60ddeb4839a0efb1360679b
SHA256:d7444d0ab1742bd2fed6dfdbd47f97372843894e0c78d853761697089bb24d40
Tags: 193-188-22-41, exe, user-JAMESWT_MHT

Detection

DanaBot
Score:75
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to infect the boot sector
Loading BitLocker PowerShell Module
May use the Tor software to hide its network traffic
PE file has a writeable .text section
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to create an SMB header
Contains functionality to detect virtual machines (SGDT)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a global mouse hook
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • wi86CSarYC.exe (PID: 2760 cmdline: "C:\Users\user\Desktop\wi86CSarYC.exe" MD5: 0897B6AB5240BDB4BBEB3ADF924ADB19)
    • EasePaint.exe (PID: 5396 cmdline: "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe" MD5: 95D5FAC09D8DF14A4890FB72E6BA046E)
      • cmd.exe (PID: 2120 cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6316 cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • EasePaint.exe (PID: 1048 cmdline: "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe" MD5: 95D5FAC09D8DF14A4890FB72E6BA046E)
  • EasePaint.exe (PID: 7100 cmdline: "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe" MD5: 95D5FAC09D8DF14A4890FB72E6BA046E)
  • cleanup
Name: DanaBot
Description: Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
Attribution: SCULLY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot
No configs have been found
Source | Rule | Description | Author | Strings
00000009.00000003.3837968195.00000000085C2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000009.00000003.3837968195.00000000085C2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security |
00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security |
0000000D.00000003.3929757739.00000000087F4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(5 of 84 Yara entries shown)

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe", CommandLine: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe" , ParentImage: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe, ParentProcessId: 5396, ParentProcessName: EasePaint.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe", ProcessId: 2120, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe", CommandLine: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe" , ParentImage: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe, ParentProcessId: 5396, ParentProcessName: EasePaint.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe", ProcessId: 2120, ProcessName: cmd.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe, ProcessId: 5396, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AlphaSound Mixer Ultimate
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe", CommandLine: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2120, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe", ProcessId: 6316, ProcessName: powershell.exe
            No Suricata rule has matched
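The Sigma hits above come from three rules: a plain-text match on a Defender exclusion cmdlet, a match on the same cmdlet names in their possible base64 encodings, and a write under the Wow6432Node Run key. The following is an added example written for this page (it is not Joe Sandbox or Sigma code) that re-implements that matching logic in plain Python and runs it over event records built from this report's process tree (PIDs 6316 and 5396, command lines and registry path as listed above) plus three constructed events (PIDs 1001 to 1003) that are assumptions for illustration: one -EncodedCommand variant, one FromBase64String variant, and one benign Get-MpPreference call. The rule logic is simplified to the core selections; the real rules carry more switches and filters.

```python
import base64

# Added example, not Joe Sandbox or Sigma code. Re-implements the matching
# logic of the three Sigma rules that fired in this report and runs it over
# constructed event records.

# Sigma's base64offset modifier: a string can show up in base64 in three forms
# depending on its byte offset mod 3. Pad in front to reach each phase, encode,
# then drop the edge characters whose value also depends on unknown neighbours.
START_OFFSETS = (0, 2, 3)
END_OFFSETS = (None, -3, -2)


def base64offset_variants(value: bytes) -> list:
    variants = []
    for i in range(3):
        enc = base64.b64encode(b" " * i + value).decode("ascii")
        variants.append(enc[START_OFFSETS[i]:END_OFFSETS[(len(value) + i) % 3]])
    return variants


CMDLETS = ("Add-MpPreference ", "Set-MpPreference ")
EXCLUSION_SWITCHES = (" -ExclusionPath ", " -ExclusionExtension ", " -ExclusionProcess ")
WOW64_RUN_KEY = "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\"

# Fragments to look for in a command line: the cmdlet names as ASCII base64
# (e.g. inside [Convert]::FromBase64String) and as UTF-16LE base64 (-EncodedCommand).
ENCODED_CMDLETS = [
    frag
    for name in CMDLETS + tuple(c.lower() for c in CMDLETS)
    for raw in (name.encode("ascii"), name.encode("utf-16le"))
    for frag in base64offset_variants(raw)
]


def classify(event: dict) -> list:
    """Return the rule names an event triggers. Plain-text matches are
    case-insensitive like Sigma's; base64 fragments are matched exactly,
    because case changes the encoding."""
    hits = []
    if event["EventType"] == "ProcessCreate":
        cl = event["CommandLine"]
        cl_ci = cl.lower()
        if any(c.lower() in cl_ci for c in CMDLETS) and any(
            s.lower() in cl_ci for s in EXCLUSION_SWITCHES
        ):
            hits.append("Powershell Defender Exclusion")
        if any(frag in cl for frag in ENCODED_CMDLETS):
            hits.append("Powershell Base64 Encoded MpPreference Cmdlet")
    elif event["EventType"] == "RegistrySet":
        if WOW64_RUN_KEY in event["TargetObject"].upper() and event["Details"] != "(Empty)":
            hits.append("Wow6432Node CurrentVersion Autorun Keys Modification")
    return hits


# --- sample events: PIDs 6316 / 5396 from the report, 1001-1003 constructed ---
EXE = r"C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"


def encoded_command(script: str) -> str:
    """What 'powershell -EncodedCommand' expects: base64 of the UTF-16LE script."""
    return "powershell -NonInteractive -EncodedCommand " + base64.b64encode(
        script.encode("utf-16le")).decode("ascii")


def from_base64_string(payload: bytes) -> str:
    """Constructed one-liner that decodes an ASCII-base64 script at run time."""
    b64 = base64.b64encode(payload).decode("ascii")
    return ('powershell -c "iex([Text.Encoding]::ASCII.GetString('
            "[Convert]::FromBase64String('" + b64 + "')))\"")


SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 6316,
     "CommandLine": "powershell -inputformat none -outputformat none -NonInteractive "
                    '-Command Add-MpPreference -ExclusionPath "' + EXE + '"'},
    {"EventType": "RegistrySet", "ProcessId": 5396,
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
                     r"\CurrentVersion\Run\AlphaSound Mixer Ultimate",
     "Details": EXE},
    {"EventType": "ProcessCreate", "ProcessId": 1001,
     "CommandLine": encoded_command('Add-MpPreference -ExclusionPath "' + EXE + '"')},
    {"EventType": "ProcessCreate", "ProcessId": 1002,
     "CommandLine": from_base64_string(b"$a; Set-MpPreference -DisableRealtimeMonitoring $true")},
    {"EventType": "ProcessCreate", "ProcessId": 1003,
     "CommandLine": "powershell -NonInteractive -Command Get-MpPreference"},
]


def run_detections(events=SAMPLE_EVENTS) -> dict:
    """Map each event's ProcessId to the list of rules it triggered."""
    return {e["ProcessId"]: classify(e) for e in events}


if __name__ == "__main__":
    for pid, rules in run_detections().items():
        print(pid, rules or "-")
```

The plain-text rule catches the command line the sample actually used; the base64 rule is what still fires when the same cmdlet is hidden behind -EncodedCommand or FromBase64String, which is why both appear in the report even though only one encoding was seen here. The Run-key rule keys on the Wow6432Node path because the 32-bit EasePaint.exe writes through the WOW64 registry redirector.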

            AV Detection

Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\libbind.dll; ReversingLabs: Detection: 36%
Source: wi86CSarYC.exe; ReversingLabs: Detection: 50%
Source: Yara match; File source: 00000009.00000003.3837968195.00000000085C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.3929757739.00000000087F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.3835520008.00000000085C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.3923212377.0000000008D71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.3849575732.000000000804B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.3922758058.00000000087F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.4042529002.00000000085C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.4042673545.0000000008271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2946443072.0000000008865000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.3841384821.00000000085C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.3281969086.0000000009FA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.3929131466.0000000008D73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.4043144948.000000000964E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.3837473236.0000000008049000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.3838408464.00000000090D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2952078384.000000000886A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.3925800807.00000000092FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.3926678062.0000000008277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.3282499501.000000000B37F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.3924670964.0000000008D79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.4042971149.0000000008D70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.3835974239.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2933959466.000000000887A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.3928597756.0000000009884000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.3845310118.0000000009659000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.3893442861.000000000964A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2952675287.0000000009364000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2951222884.0000000009360000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.4042863226.0000000008B46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.3846624601.0000000008040000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.3894502013.0000000009BCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.3925429184.00000000087F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2935995229.00000000082E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: EasePaint.exe PID: 5396, type: MEMORYSTR
Source: Submitted sample; Integrated Neural Analysis Model: Matched 99.5% probability
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_00F96BC0 lstrcpynW,CryptQueryObject,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,9_2_00F96BC0
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_00F96D25 LocalFree,CertCloseStore,CryptMsgClose,9_2_00F96D25
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_00F96F00 lstrcmpA,CryptDecodeObject,LocalAlloc,CryptDecodeObject,9_2_00F96F00
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_10035220 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,9_2_10035220
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_10035430 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,9_2_10035430
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_10026530 CryptAcquireContextA,CryptCreateHash,9_2_10026530
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_10026570 CryptHashData,9_2_10026570
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_10026590 CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,9_2_10026590
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_1003E9D0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,9_2_1003E9D0
Source: wi86CSarYC.exe, 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_ced40734-b
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: mov dword ptr [esi+04h], 424D53FFh 9_2_10038F80 (the immediate 0x424D53FF stored little-endian is the byte sequence FF 53 4D 42, i.e. "\xFFSMB", the SMB1 protocol identifier; this write is what the "Contains functionality to create an SMB header" signature keys on)
Source: wi86CSarYC.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:49888 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:49894 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:50015 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:50016 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:50017 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:50018 version: TLS 1.2
Source: wi86CSarYC.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: \EasePaint\2.2.1.0\temp\release-en\EasePaint_en\EasePaint_en.pdb source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
            Source: Binary string: \EasePaint\comuiLib\bin\ycomuiu.pdb source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_00FF6440 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,9_2_00FF6440
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_01010B60 MultiByteToWideChar,MultiByteToWideChar,FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,9_2_01010B60
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_00FFAEA0 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,9_2_00FFAEA0
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_00FF5740 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,9_2_00FF5740
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_00FFD720 FindFirstFileW,DeleteFileW,FindNextFileW,DeleteFileW,FindNextFileW,FindClose,9_2_00FFD720
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_10049C9F __getdrive,FindFirstFileA,_strlen,_IsRootUNCName,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,9_2_10049C9F
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: global traffic; HTTP traffic detected: GET /v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1 | Host: vip.bitwarsoft.com | Authorization: Basic cm9vdDpwYXNz | Accept: */*
Source: global traffic; HTTP traffic detected: GET /v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1 | Host: vip.bitwarsoft.com | Authorization: Basic cm9vdDpwYXNz | Accept: */*
Source: global traffic; HTTP traffic detected: GET /v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1 | Host: vip.bitwarsoft.com | Authorization: Basic cm9vdDpwYXNz | Accept: */*
Source: global traffic; HTTP traffic detected: GET /v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1 | Host: vip.bitwarsoft.com | Authorization: Basic cm9vdDpwYXNz | Accept: */*
Source: global traffic; HTTP traffic detected: GET /v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1 | Host: vip.bitwarsoft.com | Authorization: Basic cm9vdDpwYXNz | Accept: */*
Source: global traffic; HTTP traffic detected: GET /v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1 | Host: vip.bitwarsoft.com | Authorization: Basic cm9vdDpwYXNz | Accept: */*
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; TCP traffic detected without corresponding DNS query: 193.188.22.41
Source: unknown; TCP traffic detected without corresponding DNS query: 193.188.22.41
Source: unknown; TCP traffic detected without corresponding DNS query: 193.188.22.41
Source: unknown; TCP traffic detected without corresponding DNS query: 193.188.22.41
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe; Code function: 9_2_00FC96D0 MultiByteToWideChar,MultiByteToWideChar,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,9_2_00FC96D0
Source: global traffic; HTTP traffic detected: GET /v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1 | Host: vip.bitwarsoft.com | Authorization: Basic cm9vdDpwYXNz | Accept: */*
Source: global traffic; HTTP traffic detected: GET /v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1 | Host: vip.bitwarsoft.com | Authorization: Basic cm9vdDpwYXNz | Accept: */*
Source: global traffic; HTTP traffic detected: GET /v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1 | Host: vip.bitwarsoft.com | Authorization: Basic cm9vdDpwYXNz | Accept: */*
Source: global traffic; HTTP traffic detected: GET /v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1 | Host: vip.bitwarsoft.com | Authorization: Basic cm9vdDpwYXNz | Accept: */*
Source: global traffic; HTTP traffic detected: GET /v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1 | Host: vip.bitwarsoft.com | Authorization: Basic cm9vdDpwYXNz | Accept: */*
Source: global traffic; HTTP traffic detected: GET /v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1 | Host: vip.bitwarsoft.com | Authorization: Basic cm9vdDpwYXNz | Accept: */*
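The two GET requests to vip.bitwarsoft.com carry no User-Agent header (the "HTTP GET or POST without a user agent" signature) and a static Basic Authorization header. The following is an added example written for this page, not part of the Joe Sandbox report: the two requests re-assembled from the capture above with proper CRLF line endings, and a small parser that extracts the query parameters, records whether a User-Agent is present, and decodes the Basic credential. Everything beyond the captured request text (the function names and the report-style summary format) is this example's own choice.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Added example, not part of the sandbox report. The request heads below are
# the ones captured in the report, reconstructed with CRLF line endings.
CAPTURED_REQUESTS = [
    "GET /v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220"
    "&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1\r\n"
    "Host: vip.bitwarsoft.com\r\n"
    "Authorization: Basic cm9vdDpwYXNz\r\n"
    "Accept: */*\r\n"
    "\r\n",
    "GET /v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220"
    "&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1\r\n"
    "Host: vip.bitwarsoft.com\r\n"
    "Authorization: Basic cm9vdDpwYXNz\r\n"
    "Accept: */*\r\n"
    "\r\n",
]


def decode_basic(token: str):
    """Decode an RFC 7617 Basic credential into (user, password). Returns None
    for a token that is not valid base64 / UTF-8, so a malformed header never
    breaks the triage loop."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    return user, password


def parse_request(raw: str) -> dict:
    """Parse one HTTP/1.x request head into the fields used for triage."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    return {
        "method": method,
        "version": version,
        "host": headers.get("host"),
        "path": url.path,
        # parse_qs gives lists; these requests have one value per key
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},
        "has_user_agent": "user-agent" in headers,
        "basic_credentials": decode_basic(token) if scheme.lower() == "basic" else None,
    }


def triage(requests=CAPTURED_REQUESTS) -> list:
    """Summarise each request as one line a report could quote."""
    findings = []
    for raw in requests:
        r = parse_request(raw)
        notes = []
        if not r["has_user_agent"]:
            notes.append("no User-Agent")
        if r["basic_credentials"]:
            user, pw = r["basic_credentials"]
            notes.append("Basic auth " + user + ":" + pw)
        findings.append(r["method"] + " " + r["host"] + r["path"] + " (" + "; ".join(notes) + ")")
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
```

The decoded credential (root:pass) is hard-coded in the client, so it identifies the software's licensing endpoint rather than the victim; the missing User-Agent and the fixed product_id/version pair are the parts worth keeping as network indicators.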
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Ldlg_regkillfocusoptLoginType_AccountoptLoginType_SMSbtnGobackLoginbtnGobackRegistbtnRegistbtnLogin_SMSbtnSendCaptchabtnForgetPassbtnFacebookbtnTwitterbtnGoogleedtUserName_LoginedtUserNameimgOKimgNORegDlgTitle1RegDlgTitle2layLoginTypelayThirdLoginedtPasswordedtPasswordOKOnRegisteredtPassword_LoginOnLoginedtCaptchaedtMobilenameerrMsgedtMobile_SubmitedtEmail_SubmitByMobileByEmailfacebooktwittergooglehttps://www.bitwarsoft.com/twitter/login2.html%s?scene_id=%s&lc=%s&login_type=%s equals www.twitter.com (Twitter)
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Ldlg_sharehttps://twitter.com/intent/tweet?url=https://www.easepaint.com&text=Free+Watermark+Remover+%2d+EasePaint+Watermark+Experthttps://www.facebook.com/sharer.php?u=https://www.easepaint.combtnLinkedinhttps://www.linkedin.com/shareArticle?mini=true&url=https://www.easepaint.combtnTumblrhttps://www.tumblr.com/widgets/share/tool/preview?shareSource=legacy&canonicalUrl=&url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertbtnReddithttps://www.reddit.com/submit?url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertmenuEnmenuJPmenuTRmenuDEmenuESmenuKOmenuFRmenuARmenuRUmenuPTmenuIDskin.xmlHomeCtrl.xmlConverCtrl.xmlWatermarkPicCtrl.xmlWatermarkVideoCtrl.xmlWatermarkTypeCtrl.xmlposEditButtonListHeaderItem equals www.facebook.com (Facebook)
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Ldlg_sharehttps://twitter.com/intent/tweet?url=https://www.easepaint.com&text=Free+Watermark+Remover+%2d+EasePaint+Watermark+Experthttps://www.facebook.com/sharer.php?u=https://www.easepaint.combtnLinkedinhttps://www.linkedin.com/shareArticle?mini=true&url=https://www.easepaint.combtnTumblrhttps://www.tumblr.com/widgets/share/tool/preview?shareSource=legacy&canonicalUrl=&url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertbtnReddithttps://www.reddit.com/submit?url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertmenuEnmenuJPmenuTRmenuDEmenuESmenuKOmenuFRmenuARmenuRUmenuPTmenuIDskin.xmlHomeCtrl.xmlConverCtrl.xmlWatermarkPicCtrl.xmlWatermarkVideoCtrl.xmlWatermarkTypeCtrl.xmlposEditButtonListHeaderItem equals www.linkedin.com (Linkedin)
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Ldlg_sharehttps://twitter.com/intent/tweet?url=https://www.easepaint.com&text=Free+Watermark+Remover+%2d+EasePaint+Watermark+Experthttps://www.facebook.com/sharer.php?u=https://www.easepaint.combtnLinkedinhttps://www.linkedin.com/shareArticle?mini=true&url=https://www.easepaint.combtnTumblrhttps://www.tumblr.com/widgets/share/tool/preview?shareSource=legacy&canonicalUrl=&url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertbtnReddithttps://www.reddit.com/submit?url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertmenuEnmenuJPmenuTRmenuDEmenuESmenuKOmenuFRmenuARmenuRUmenuPTmenuIDskin.xmlHomeCtrl.xmlConverCtrl.xmlWatermarkPicCtrl.xmlWatermarkVideoCtrl.xmlWatermarkTypeCtrl.xmlposEditButtonListHeaderItem equals www.twitter.com (Twitter)
Source: EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: dlg_regkillfocusoptLoginType_AccountoptLoginType_SMSbtnGobackLoginbtnGobackRegistbtnRegistbtnLogin_SMSbtnSendCaptchabtnForgetPassbtnFacebookbtnTwitterbtnGoogleedtUserName_LoginedtUserNameimgOKimgNORegDlgTitle1RegDlgTitle2layLoginTypelayThirdLoginedtPasswordedtPasswordOKOnRegisteredtPassword_LoginOnLoginedtCaptchaedtMobilenameerrMsgedtMobile_SubmitedtEmail_SubmitByMobileByEmailfacebooktwittergooglehttps://www.bitwarsoft.com/twitter/login2.html%s?scene_id=%s&lc=%s&login_type=%s equals www.twitter.com (Twitter)
Source: EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: dlg_sharehttps://twitter.com/intent/tweet?url=https://www.easepaint.com&text=Free+Watermark+Remover+%2d+EasePaint+Watermark+Experthttps://www.facebook.com/sharer.php?u=https://www.easepaint.combtnLinkedinhttps://www.linkedin.com/shareArticle?mini=true&url=https://www.easepaint.combtnTumblrhttps://www.tumblr.com/widgets/share/tool/preview?shareSource=legacy&canonicalUrl=&url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertbtnReddithttps://www.reddit.com/submit?url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertmenuEnmenuJPmenuTRmenuDEmenuESmenuKOmenuFRmenuARmenuRUmenuPTmenuIDskin.xmlHomeCtrl.xmlConverCtrl.xmlWatermarkPicCtrl.xmlWatermarkVideoCtrl.xmlWatermarkTypeCtrl.xmlposEditButtonListHeaderItem equals www.facebook.com (Facebook)
Source: EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: dlg_sharehttps://twitter.com/intent/tweet?url=https://www.easepaint.com&text=Free+Watermark+Remover+%2d+EasePaint+Watermark+Experthttps://www.facebook.com/sharer.php?u=https://www.easepaint.combtnLinkedinhttps://www.linkedin.com/shareArticle?mini=true&url=https://www.easepaint.combtnTumblrhttps://www.tumblr.com/widgets/share/tool/preview?shareSource=legacy&canonicalUrl=&url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertbtnReddithttps://www.reddit.com/submit?url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertmenuEnmenuJPmenuTRmenuDEmenuESmenuKOmenuFRmenuARmenuRUmenuPTmenuIDskin.xmlHomeCtrl.xmlConverCtrl.xmlWatermarkPicCtrl.xmlWatermarkVideoCtrl.xmlWatermarkTypeCtrl.xmlposEditButtonListHeaderItem equals www.linkedin.com (Linkedin)
Source: EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: dlg_sharehttps://twitter.com/intent/tweet?url=https://www.easepaint.com&text=Free+Watermark+Remover+%2d+EasePaint+Watermark+Experthttps://www.facebook.com/sharer.php?u=https://www.easepaint.combtnLinkedinhttps://www.linkedin.com/shareArticle?mini=true&url=https://www.easepaint.combtnTumblrhttps://www.tumblr.com/widgets/share/tool/preview?shareSource=legacy&canonicalUrl=&url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertbtnReddithttps://www.reddit.com/submit?url=https://www.easepaint.com&title=Free+Watermark+Remover+%2d+EasePaint+Watermark+ExpertmenuEnmenuJPmenuTRmenuDEmenuESmenuKOmenuFRmenuARmenuRUmenuPTmenuIDskin.xmlHomeCtrl.xmlConverCtrl.xmlWatermarkPicCtrl.xmlWatermarkVideoCtrl.xmlWatermarkTypeCtrl.xmlposEditButtonListHeaderItem equals www.twitter.com (Twitter)
Source: global traffic | DNS traffic detected: DNS query: vip.bitwarsoft.com
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281969086.0000000009FA6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946443072.0000000008865000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281969086.0000000009FA6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946443072.0000000008865000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://action.ashxCodeValueTimesModeUsernameLogsevent.ashxContenterror.ashxContactsuggest.ashxerrorf
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0.
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281969086.0000000009FA6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946443072.0000000008865000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://quoteunquoteapps.com)
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://quoteunquoteapps.comhttp://basicrecipe.comCopyright
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://scripts.sil.org/OFL
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://scripts.sil.org/OFLCopyright
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: EasePaint.exe | String found in binary or memory: http://u.bitwar.net/ep/EasePaintSetup.exe
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://u.bitwar.net/ep/EasePaintSetup.exehttp://u.bitwar.net/ep/newversion.htmhttp://u.bitwar.net/ep
Source: EasePaint.exe | String found in binary or memory: http://u.bitwar.net/ep/cd.cab
Source: EasePaint.exe | String found in binary or memory: http://u.bitwar.net/ep/newversion.htm
Source: EasePaint.exe | String found in binary or memory: http://u.bitwar.net/ep/patch.dll.cab
Source: EasePaint.exe | String found in binary or memory: http://u.bitwar.net/ep/patchversion.htm
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://vip.deliocr.cn/ep/parse_video/parse.php?url=%s&time=%d&s=%svideo_urlimg_urlEmptyVideoUrl%s
Source: EasePaint.exe | String found in binary or memory: http://www.brynosaurus.com/cachedir/
Source: wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: EasePaint.exe, 00000008.00000003.3283656252.00000000FDD60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: EasePaint.exe, 00000008.00000003.3283656252.00000000FDD60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2891039590.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2892575283.0000000004D06000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2891502154.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2891502154.0000000004C96000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2891039590.0000000004C96000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2892260537.0000000004C69000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2891039590.0000000004CC2000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2892381558.0000000004D06000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2891669239.0000000004C80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cairographics.org))
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://curl.haxx.se/V
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: EasePaint.exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: wi86CSarYC.exe, 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp, wi86CSarYC.exe, 00000000.00000000.2188156535.000000000146F000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: wi86CSarYC.exe, 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp, wi86CSarYC.exe, 00000000.00000000.2188156535.000000000146F000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: wi86CSarYC.exe, 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp, wi86CSarYC.exe, 00000000.00000000.2188156535.000000000146F000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: EasePaint.exe, 00000008.00000003.2937652748.0000000004D15000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2936346217.0000000004D15000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://down.bitwarsoft.com
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/0install/0install-win0
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: EasePaint.exe | String found in binary or memory: https://tw.easepaint.com/video-watermark-removal-support.html
Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: https://twitter.com/intent/tweet?url=https://www.easepaint.com&text=Free
Source: EasePaint.exe, 00000008.00000003.2937652748.0000000004D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/analysis/dll/callback.php
Source: EasePaint.exe | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/checkrechargecode.php?code=%s&lc=%s&product_id=%d&uid=%s&username=%s
Source: EasePaint.exe | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/checkusername.php?lc=%s&product_id=%d&username=%s&version=%d&s=%s
Source: EasePaint.exe | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/getuserinfo.php?lc=%s&password=%s&product_id=%d&reg_type=%d&uid=%s&u
Source: EasePaint.exe | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/login_authorized/check.php?lc=%s&product_id=%d&scene_id=%s&uid=%s&ve
Source: EasePaint.exe | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/modify.php?by_pass=%d&email=%s&lc=%s&mobile=%s&newpass=%s&password=%
Source: EasePaint.exe | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=%s&product_id=%d&version=%d&s=%s
Source: EasePaint.exe, 00000008.00000003.2934143883.000000000314B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b
Source: EasePaint.exe | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/pay/create.php?adid=%s&business=%d&fee_id=%d&lc=%s&mon=%d&partner_id
Source: EasePaint.exe | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/register.php?adid=%s&lc=%s&partner_id=%s&password=%s&product_id=%d&r
Source: EasePaint.exe | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/sendcaptcha.php?by_mobile=%d&email=%s&lc=%s&mobile=%s&product_id=%d&
Source: EasePaint.exe | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/share/check.php?lc=%s&product_id=%d&uid=%s&username=%s&version=%d&s=
Source: EasePaint.exe | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=%s&product_id=%d&version=%d&s=%s
Source: EasePaint.exe, 00000008.00000003.2891502154.0000000004C96000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2890818604.0000000004C96000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2891039590.0000000004C96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfe
Source: EasePaint.exe | String found in binary or memory: https://vip.bitwarsoft.com/v1.0/tutu/addtotal.php?count=1&lc=%s&product_id=%d&username=%s&version=%d
Source: EasePaint.exe | String found in binary or memory: https://www.bitwarsoft.com/
Source: EasePaint.exe | String found in binary or memory: https://www.bitwarsoft.com/chat/
Source: EasePaint.exe | String found in binary or memory: https://www.bitwarsoft.com/multiple-segment-trims-on-same-video.html
            Source: EasePaint.exe, 00000008.00000003.2937765019.000000000379C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.bitwarsoft.com/multiple-segment-trims-on-same-video.htmlU
            Source: EasePaint.exeString found in binary or memory: https://www.bitwarsoft.com/share/ep/5times-en/index.html?count=%d&day=0&lc=%s&partner_id=%s&product_
            Source: EasePaint.exeString found in binary or memory: https://www.bitwarsoft.com/share/ep/5times-tw/index.html?count=%d&day=0&lc=%s&partner_id=%s&product_
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://www.bitwarsoft.com/tutorialsChangeWindowMessageFilteruser32.dllLable_ScrollBarBg
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://www.bitwarsoft.com/twitter/login2.html%s?scene_id=%s&lc=%s&login_type=%s
            Source: EasePaint.exeString found in binary or memory: https://www.bitwarsoft.com/uninstallfeedback?lang=en&product_id=%d
            Source: EasePaint.exeString found in binary or memory: https://www.bitwarsoft.com/uninstallfeedback?lang=tw&product_id=%d
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
            Source: wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.easepaint.com/0
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50018
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50017
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49894
            Source: unknownNetwork traffic detected: HTTP traffic on port 50016 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50017 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50015 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50018 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50020 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50020
            Source: unknownNetwork traffic detected: HTTP traffic on port 49894 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50016
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50015
            Source: unknownNetwork traffic detected: HTTP traffic on port 49888 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49888
            Source: unknownHTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:49888 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:49894 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:50015 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:50016 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:50017 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 47.251.36.78:443 -> 192.168.2.6:50018 version: TLS 1.2
            Source: wi86CSarYC.exe, 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: DirectInput8Creatememstr_078321f0-f
            Source: C:\Users\user\Desktop\wi86CSarYC.exeWindows user hook set: 0 mouse low level C:\Windows\SYSTEM32\dinput8.dllJump to behavior
            Source: wi86CSarYC.exe, 00000000.00000000.2188156535.0000000001588000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: GetRawInputDatamemstr_7d2765c7-0
            Source: Yara matchFile source: Process Memory Space: wi86CSarYC.exe PID: 2760, type: MEMORYSTR

            E-Banking Fraud

            Source: Yara match | File source: 00000009.00000003.3837968195.00000000085C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3929757739.00000000087F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3835520008.00000000085C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3923212377.0000000008D71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3849575732.000000000804B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3922758058.00000000087F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4042529002.00000000085C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.4042673545.0000000008271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2946443072.0000000008865000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3841384821.00000000085C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.3281969086.0000000009FA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3929131466.0000000008D73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4043144948.000000000964E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3837473236.0000000008049000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3838408464.00000000090D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2952078384.000000000886A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3925800807.00000000092FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3926678062.0000000008277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.3282499501.000000000B37F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3924670964.0000000008D79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.4042971149.0000000008D70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3835974239.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2933959466.000000000887A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3928597756.0000000009884000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3845310118.0000000009659000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3893442861.000000000964A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2952675287.0000000009364000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2951222884.0000000009360000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4042863226.0000000008B46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3846624601.0000000008040000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3894502013.0000000009BCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3925429184.00000000087F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2935995229.00000000082E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: EasePaint.exe PID: 5396, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_10035220 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext

            System Summary

            Source: ToolkitPro1513vc60.dll.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FAE7E0 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtOpenSection,NtMapViewOfSection,NtUnmapViewOfSection,_strncat,CloseHandle,FreeLibrary
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FAF2C0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtOpenSection
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FAFD90 NtMapViewOfSection,NtUnmapViewOfSection
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FAEBF0 GetVersionExW,CreateFileA,DeviceIoControl,_strncat,CloseHandle
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FAE7E0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_010680C4
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FEA220
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FC83E0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FDA580
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_010687BC
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FD0700
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00F968F0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_01054983
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FEE9F0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FC6900
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FDEAF6
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FE0AF0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_01068A19
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00F92C70
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00F94D50
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FF8E60
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_01068EE2
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_0108D14F
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00F931E0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FF3250
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FAF210
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_01053270
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FF9370
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FCB4E0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FDB4E0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00F97620
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00F937B0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FCB7B0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FF97A0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FE3710
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00F91990
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_010A58AC
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_01067A2C
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FE9BA0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00F95B80
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00F97B50
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00F93B30
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_0107DD30
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FE3DD0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_01067C5B
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FEDD50
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FDDEFA
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00F93EB0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FD9E10
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_1000B1D0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_10028230
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_10047320
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_10016350
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_100523C1
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_1003F400
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_1003F4C6
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_1003F4C4
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_100545A1
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_10041670
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_10052903
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_1002DAA0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_1004BAC0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_10040B40
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_10007C00
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_1004CC34
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_1003FDB6
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_1001EE60
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_10051E7F
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_10043E90
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_10015EC0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_10052FC3
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_10039FF0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 13_2_6BCE1AD0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 13_2_6BCDFA80
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 13_2_6BC60A00
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 13_2_6BC7D1F0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 13_2_6BC7E980
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 13_2_6C088643
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 13_2_6BC64920
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 13_2_6BC57890
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe 6E2DE2230A751EC89BB757595C466B846B5AC6EFB8F17C67E5AF78C98B60B798
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 01012660 appears 40 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 10032260 appears 40 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 1000A830 appears 287 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 1000A8C0 appears 319 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 00FB80C0 appears 46 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 10019DE0 appears 34 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 010335AD appears 83 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 00FC4980 appears 55 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 100472C0 appears 49 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 100443A0 appears 53 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 00FA62B0 appears 111 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 00FB9660 appears 43 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 00FA6590 appears 95 times
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: String function: 1001E470 appears 41 times
            Source: EasePaint.exe.0.dr | Static PE information: Resource name: DATA type: Zip archive data, at least v2.0 to extract, compression method=store
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameToolkitPro.dll vs wi86CSarYC.exe
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZeroInstall.Store.dll: vs wi86CSarYC.exe
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibcurl.dllB vs wi86CSarYC.exe
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshost.dllR vs wi86CSarYC.exe
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEasePaint.exe4 vs wi86CSarYC.exe
            Source: wi86CSarYC.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: classification engine | Classification label: mal75.troj.spyw.evad.winEXE@10/39@1/2
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00F98B60 GetLastError,FormatMessageW,OutputDebugStringW,LocalFree
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FCB4E0 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle,GetShellWindow,GetWindowThreadProcessId,OpenProcess,GetLastError,OpenProcessToken,GetLastError,DuplicateTokenEx,GetLastError,LoadLibraryW,GetProcAddress,FreeLibrary,GetLastError,CloseHandle,CloseHandle,CloseHandle
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FEF930 CoCreateInstance
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FC6040 LoadResource,LockResource,SizeofResource
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | File created: C:\Users\user\AppData\Local\Programs
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Mutant created: \Sessions\1\BaseNamedObjects\65243982
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | File created: C:\Users\user\AppData\Local\Temp\s24o.0.ics
            Source: wi86CSarYC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
            Source: EasePaint.exe, 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: EasePaint.exe, 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: EasePaint.exe, 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
            Source: EasePaint.exe, 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: wi86CSarYC.exeReversingLabs: Detection: 50%
            Source: EasePaint.exeString found in binary or memory: https://vip.bitwarsoft.com/v1.0/tutu/addtotal.php?count=1&lc=%s&product_id=%d&username=%s&version=%d&s=%s
            Source: EasePaint.exeString found in binary or memory: /install
            Source: unknown | Process created: C:\Users\user\Desktop\wi86CSarYC.exe "C:\Users\user\Desktop\wi86CSarYC.exe"
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Process created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Process created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: opengl32.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: glu32.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: quserex.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: dinput8.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: xinput1_4.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: devobj.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: inputhost.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: appxdeploymentclient.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: dbghelp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ycomuiu.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: netapi32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: libcurl.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: libbind.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: dbgcore.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: vcomp140.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: quserex.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: shost.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: quserex.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: toolkitpro1513vc60.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mfc42.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: opengl32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: glu32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: glu32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: schannel.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: oleacc.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wtsapi32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wshunix.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mpr.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: rasapi32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: rasman.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: samcli.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: avifil32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: msacm32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: winmmbase.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: winmmbase.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: cryptui.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: pstorec.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: winsta.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ieframe.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wkscli.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mlang.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: vaultcli.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: rtutils.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: napinsp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: pnrpnsp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wshbth.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: nlaapi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: winrnr.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: sxs.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wlanapi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: netprofm.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: npmproxy.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mmdevapi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: devobj.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: audioses.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: powrprof.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: umpdc.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: logoncli.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: taskschd.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: xmllite.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: firewallapi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: fwbase.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: fwpolicyiomgr.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: dbghelp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ycomuiu.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: netapi32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: libcurl.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: libbind.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: vcomp140.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: dbgcore.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: quserex.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: schannel.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: shost.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: quserex.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: toolkitpro1513vc60.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mfc42.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: opengl32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: glu32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: glu32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: oleacc.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wtsapi32.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Section loaded: wshunix.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: dbghelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: ycomuiu.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: libcurl.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: libbind.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: vcomp140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: dbgcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: quserex.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: shost.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: quserex.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: toolkitpro1513vc60.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: mfc42.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: opengl32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: glu32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: glu32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: oleacc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: wtsapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeSection loaded: wshunix.dllJump to behavior
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Automated click: OK
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: wi86CSarYC.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: wi86CSarYC.exe | Static file information: File size 20092696 > 1048576
            Source: wi86CSarYC.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4dd200
            Source: wi86CSarYC.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x148800
            Source: wi86CSarYC.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xcc7800
            Source: wi86CSarYC.exe | Static PE information: More than 200 imports for KERNEL32.dll
            Source: wi86CSarYC.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: \EasePaint\2.2.1.0\temp\release-en\EasePaint_en\EasePaint_en.pdb | source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
            Source: Binary string: \EasePaint\comuiLib\bin\ycomuiu.pdb | source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp
            Source: wi86CSarYC.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: wi86CSarYC.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: wi86CSarYC.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: wi86CSarYC.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: wi86CSarYC.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FAE7E0 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtOpenSection,NtMapViewOfSection,NtUnmapViewOfSection,_strncat,CloseHandle,FreeLibrary, | 9_2_00FAE7E0
            Source: ycomuiu.dll.0.dr | Static PE information: real checksum: 0x2f147d should be: 0x2f3e04
            Source: libcurl.dll.0.dr | Static PE information: real checksum: 0x858cf should be: 0x83117
            Source: shost.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x463e87
            Source: ToolkitPro1513vc60.dll.0.dr | Static PE information: real checksum: 0x76cdbd should be: 0x774dbd
            Source: ycomuiu.dll.0.dr | Static PE information: section name: _RDATA
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Code function: 0_2_013E3B1A push ecx; ret | 0_2_013E3B2D
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_3_02DCBA1C pushad ; ret | 9_3_02DCBA1D
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00F9E008 push dword ptr [ebx+ecx*2-75h]; iretd | 9_2_00F9E00E
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00F9E1A5 push dword ptr [ebp+edx*2-75h]; iretd | 9_2_00F9E1B4
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FE2650 push ecx; mov dword ptr [esp], 3F800000h | 9_2_00FE273D
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_01034A46 push ecx; ret | 9_2_01034A59
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_010AADAC push ecx; ret | 9_2_010AADBF
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FE33F0 push ecx; mov dword ptr [esp], 3F800000h | 9_2_00FE35EB
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_10047305 push ecx; ret | 9_2_10047318

            Persistence and Installation Behavior

            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: GetVersionExW,CreateFileA,DeviceIoControl,_strncat,CloseHandle, \\.\PhysicalDrive%d | 9_2_00FAEBF0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: DeviceIoControl,CreateFileA,DeviceIoControl,DeviceIoControl,DeviceIoControl,_strncat,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d | 9_2_00FAFA50
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: CreateFileA,DeviceIoControl,_strncat,CloseHandle, \\.\PhysicalDrive%d | 9_2_00FAFC80
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | File created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\ycomuiu.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | File created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\shost.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | File created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\ToolkitPro1513vc60.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | File created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\libbind.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | File created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\libcurl.dll
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | File created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File created: C:\Users\user\AppData\Local\Temp\s45w.2
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File created: C:\Users\user\AppData\Local\Temp\s45w.1
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File created: C:\Users\user\AppData\Local\Temp\st4.1
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File created: C:\Users\user\AppData\Local\Temp\st4.2
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File created: C:\Users\user\AppData\Local\Temp\s5h8.1
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File created: C:\Users\user\AppData\Local\Temp\s5h8.2
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FD4140 GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW, | 9_2_00FD4140
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_01010310 GetModuleFileNameW,PathRemoveFileSpecW,GetPrivateProfileIntW,SHSetValueW,WritePrivateProfileStringW,SHGetValueW, | 9_2_01010310
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_010162A0 GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW, | 9_2_010162A0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_010267A0 SHGetValueW,GetPrivateProfileStringW, | 9_2_010267A0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_01027BD0 GetPrivateProfileIntW, | 9_2_01027BD0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_01027A20 GetPrivateProfileIntW,PathFileExistsW, | 9_2_01027A20

            Boot Survival

            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: GetVersionExW,CreateFileA,DeviceIoControl,_strncat,CloseHandle, \\.\PhysicalDrive%d | 9_2_00FAEBF0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: DeviceIoControl,CreateFileA,DeviceIoControl,DeviceIoControl,DeviceIoControl,_strncat,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d | 9_2_00FAFA50
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: CreateFileA,DeviceIoControl,_strncat,CloseHandle, \\.\PhysicalDrive%d | 9_2_00FAFC80
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run AlphaSound Mixer Ultimate

            Hooking and other Techniques for Hiding and Protection

            barindex
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: EasePaint.exe, 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: torConnect
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: 9_2_00FF3DF0 __set_se_translator,SetUnhandledExceptionFilter,FindWindowW,SetForegroundWindow,IsIconic,ShowWindow,CoInitialize,DefWindowProcW,InitCommonControlsEx,SHGetValueW,PathFileExistsW,SHSetValueW,EnterCriticalSection,DestroyWindow,LeaveCriticalSection,CoUninitialize,__Init_thread_footer,__Init_thread_footer,9_2_00FF3DF0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: 9_2_01004FA0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,9_2_01004FA0
            Source: C:\Users\user\Desktop\wi86CSarYC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_00FAE620 sgdt fword ptr [ebp-18h] 9_2_00FAE620
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: GetAdaptersInfo,GetAdaptersInfo,SHGetValueA,_strncat, 9_2_00FAED80
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Window / User API: threadDelayed 730
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Window / User API: threadDelayed 906
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Window / User API: threadDelayed 410
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7039
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 655
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe API coverage: 3.9 %
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe API coverage: 6.7 %
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe TID: 4416 Thread sleep time: -45300s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe TID: 5464 Thread sleep time: -75075s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe TID: 5336 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe TID: 6212 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe TID: 3640 Thread sleep count: 410 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 500 Thread sleep count: 7039 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4836 Thread sleep count: 655 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5476 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4136 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe TID: 6108 Thread sleep count: 298 > 30
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: PhysicalDrive0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_00FF6440 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose, 9_2_00FF6440
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_01010B60 MultiByteToWideChar,MultiByteToWideChar,FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose, 9_2_01010B60
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_00FFAEA0 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose, 9_2_00FFAEA0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_00FF5740 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose, 9_2_00FF5740
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_00FFD720 FindFirstFileW,DeleteFileW,FindNextFileW,DeleteFileW,FindNextFileW,FindClose, 9_2_00FFD720
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_10049C9F __getdrive,FindFirstFileA,_strlen,_IsRootUNCName,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 9_2_10049C9F
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Thread delayed: delay time: 75075
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData\Roaming
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: wi86CSarYC.exe, 00000000.00000002.2889176343.0000000000938000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: wi86CSarYC.exe, 00000000.00000002.2889176343.00000000008E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\wi86CSarYC.exe Code function: 0_2_013F6CB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_013F6CB7
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_00F98B60 GetLastError,FormatMessageW,OutputDebugStringW,LocalFree, 9_2_00F98B60
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_00FAE7E0 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtOpenSection,NtMapViewOfSection,NtUnmapViewOfSection,_strncat,CloseHandle,FreeLibrary, 9_2_00FAE7E0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_01035452 mov esi, dword ptr fs:[00000030h] 9_2_01035452
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_0108B618 mov eax, dword ptr fs:[00000030h] 9_2_0108B618
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_00FAE020 GetProcessHeap,MultiByteToWideChar,HeapAlloc,SetLastError,MultiByteToWideChar,GetLastError,HeapFree,SetLastError,SetLastError, 9_2_00FAE020
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\wi86CSarYC.exe Code function: 0_2_013E33BF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_013E33BF
            Source: C:\Users\user\Desktop\wi86CSarYC.exe Code function: 0_2_013F6CB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_013F6CB7
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_00FF3DF0 __set_se_translator,SetUnhandledExceptionFilter,FindWindowW,SetForegroundWindow,IsIconic,ShowWindow,CoInitialize,DefWindowProcW,InitCommonControlsEx,SHGetValueW,PathFileExistsW,SHSetValueW,EnterCriticalSection,DestroyWindow,LeaveCriticalSection,CoUninitialize,__Init_thread_footer,__Init_thread_footer, 9_2_00FF3DF0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_0106F55F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_0106F55F
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_010335C2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_010335C2
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_10054325 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_10054325
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_100467ED _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_100467ED
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 9_2_1003EF38 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_1003EF38
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 13_2_6C05C442 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_6C05C442
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Code function: 13_2_6C06E519 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_6C06E519

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
            Source: C:\Users\user\Desktop\wi86CSarYC.exe Process created: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exeCode function: 9_2_00F98F20 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateFileW,InternetReadFile,WriteFile,CloseHandle,9_2_00F98F20
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005EEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: EasePaint.exe, 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U
            Source: EasePaint.exe, 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: explorer.exeShell_TrayWnd
            Source: wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005EEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TaskbarCreatedTrayClockWClassTrayNotifyWndShell_TrayWndCXTPSpinButtonCtrlTOOLBARBUTTONSPINARROWSHORIZONTALTOOLBARBUTTONSPINARROWGLYPHSTOOLBARBUTTONSPINARROWSVERTICALCXTPSplitterWndExCXTPSplitterWndSplitterFrameSplitterFrameTabSplitterFaceSplitterFaceTabCXTPCaptionCXTPCaptionPopupWndXTPCaptionPopupWndCXTPHyperLinkCXTPSearchOptionsViewCXTPSearchOptionsCtrlCXTPExcelTabCtrlCXTPMDIWndTab...CXTPTabCtrlCXTPTabViewSysTabControl32CXTPTreeCtrlCXTPTreeViewUserPreferencesMaskControl Panel\DesktopCOMBOBOXXtreme Toolkit v%d.%02d%d.%02dSoftwareHKLMHKCU%i,%i%ld,%ld%i,%i,%i,%i%ld,%ld,%ld,%ldCXTButtonCXTButtonThemeFactoryCXTComboBoxExComboBoxEx32CXTMonthCalCtrlCXTDateTimeCtrlSysDateTimePick32SysMonthCal32CXTFlatEditCXTFlatComboBoxCXTFlatEditThemeFactoryCXTFlatComboBoxThemeFactory
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FAEB40 cpuid 9_2_00FAEB40
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,9_2_010A09C4
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: GetLocaleInfoW,9_2_010A0B93
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: EnumSystemLocalesW,9_2_010A0D40
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,9_2_010A0DCD
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: EnumSystemLocalesW,9_2_010A0C3C
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: EnumSystemLocalesW,9_2_010A0CA5
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,9_2_010A1146
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: GetLocaleInfoW,9_2_010A101D
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: EnumSystemLocalesW,9_2_010910B7
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,9_2_010A131A
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: GetLocaleInfoW,9_2_010A124D
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: GetLocaleInfoW,9_2_01091B07
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: GetLocaleInfoA,9_2_1004E6D3
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\__db.s24o.3 VolumeInformation
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s24o.3 VolumeInformation
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\TMP3617.tmp VolumeInformation
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\wi86CSarYC.exe | Code function: 0_2_013E3E2C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_013E3E2C
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_01094634 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,9_2_01094634
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Code function: 9_2_00FAE7E0 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtOpenSection,NtMapViewOfSection,NtUnmapViewOfSection,_strncat,CloseHandle,FreeLibrary,9_2_00FAE7E0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000009.00000003.3837968195.00000000085C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3929757739.00000000087F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3835520008.00000000085C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3923212377.0000000008D71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3849575732.000000000804B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3922758058.00000000087F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4042529002.00000000085C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.4042673545.0000000008271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2946443072.0000000008865000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3841384821.00000000085C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.3281969086.0000000009FA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3929131466.0000000008D73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4043144948.000000000964E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3837473236.0000000008049000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3838408464.00000000090D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2952078384.000000000886A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3925800807.00000000092FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3926678062.0000000008277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.3282499501.000000000B37F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3924670964.0000000008D79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.4042971149.0000000008D70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3835974239.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2933959466.000000000887A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3928597756.0000000009884000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3845310118.0000000009659000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3893442861.000000000964A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2952675287.0000000009364000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2951222884.0000000009360000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4042863226.0000000008B46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3846624601.0000000008040000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000003.3894502013.0000000009BCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.3925429184.00000000087F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.2935995229.00000000082E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: EasePaint.exe PID: 5396, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

            Remote Access Functionality

            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe, Code function: 9_2_1000B1D0 _memset,_strncpy,_strtoul,_strtoul,curl_pushheader_bynum,getsockname,WSAGetLastError,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,curl_easy_strerror,curl_msnprintf,curl_easy_strerror, 9_2_1000B1D0
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe, Code function: 9_2_10029A90 bind,WSAGetLastError, 9_2_10029A90
            Source: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe, Code function: 9_2_10020E90 _memset,_memset,_strncmp,curl_pushheader_bynum,_strncmp,htons,bind,htons,htons,bind,_memset,getsockname,WSAGetLastError,htons,htons,htons,WSAGetLastError, 9_2_10020E90
            MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count shown in the matrix cell):

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: Windows Management Instrumentation (11); Native API (1); Command and Scripting Interpreter (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Bootkit (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (12); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (151); Access Token Manipulation (1); Process Injection (12); Bootkit (1)
            Credential Access: OS Credential Dumping (1); Input Capture (31); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: System Time Discovery (2); File and Directory Discovery (3); System Information Discovery (85); Security Software Discovery (251); Process Discovery (2); Virtualization/Sandbox Evasion (151); Application Window Discovery (11); System Owner/User Discovery (2); System Network Configuration Discovery (1)
            Lateral Movement: Exploitation of Remote Services (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: Archive Collected Data (12); Data from Local System (1); Input Capture (31); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Multi-hop Proxy (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Proxy (1); Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: Data Encrypted for Impact (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1573201, Sample: wi86CSarYC.exe, Startdate: 11/12/2024, Architecture: WINDOWS, Score: 75

            Start (node 2): vip.bitwarsoft.com; signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected DanaBot stealer dll; 6 other signatures
              started: wi86CSarYC.exe 16 (node 9); EasePaint.exe 6 (node 12); EasePaint.exe 6 (node 14)
            wi86CSarYC.exe (node 9) dropped: C:\Users\user\AppData\Local\...\ycomuiu.dll, PE32; C:\Users\user\AppData\Local\...\shost.dll, PE32; C:\Users\user\AppData\Local\...\libcurl.dll, PE32; 3 other files (2 malicious)
              started: EasePaint.exe 9 41 (node 16)
            EasePaint.exe (node 16): 193.188.22.41, 443, 50020 LIVECOMM-ASRespublikanskayastr3k6RU Russian Federation; vip.bitwarsoft.com 47.251.36.78, 443, 49888, 49894 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States; signatures: May use the Tor software to hide its network traffic; Tries to harvest and steal browser information (history, passwords, etc); Adds a directory exclusion to Windows Defender
              started: cmd.exe 1 (node 20)
            cmd.exe (node 20): Adds a directory exclusion to Windows Defender
              started: powershell.exe 23 (node 23); conhost.exe (node 26)
            powershell.exe (node 23): Loading BitLocker PowerShell Module

            Source | Detection | Scanner | Label | Link
            wi86CSarYC.exe | 50% | ReversingLabs | Win32.Trojan.Leonem |

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\ToolkitPro1513vc60.dll | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\libbind.dll | 37% | ReversingLabs | Win32.Trojan.Generic |
            C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\libcurl.dll | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\shost.dll | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\ycomuiu.dll | 0% | ReversingLabs | |

            No Antivirus matches

            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://quoteunquoteapps.comhttp://basicrecipe.comCopyright | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfe | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/share/check.php?lc=%s&product_id=%d&uid=%s&username=%s&version=%d&s= | 0% | Avira URL Cloud | safe |
            http://u.bitwar.net/ep/patchversion.htm | 0% | Avira URL Cloud | safe |
            https://www.bitwarsoft.com/tutorialsChangeWindowMessageFilteruser32.dllLable_ScrollBarBg | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=%s&product_id=%d&version=%d&s=%s | 0% | Avira URL Cloud | safe |
            https://tw.easepaint.com/video-watermark-removal-support.html | 0% | Avira URL Cloud | safe |
            http://action.ashxCodeValueTimesModeUsernameLogsevent.ashxContenterror.ashxContactsuggest.ashxerrorf | 0% | Avira URL Cloud | safe |
            https://www.bitwarsoft.com/uninstallfeedback?lang=en&product_id=%d | 0% | Avira URL Cloud | safe |
            https://www.easepaint.com/0 | 0% | Avira URL Cloud | safe |
            http://u.bitwar.net/ep/EasePaintSetup.exe | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/register.php?adid=%s&lc=%s&partner_id=%s&password=%s&product_id=%d&r | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/login_authorized/check.php?lc=%s&product_id=%d&scene_id=%s&uid=%s&ve | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 | 0% | Avira URL Cloud | safe |
            https://www.bitwarsoft.com/ | 0% | Avira URL Cloud | safe |
            http://vip.deliocr.cn/ep/parse_video/parse.php?url=%s&time=%d&s=%svideo_urlimg_urlEmptyVideoUrl%s | 0% | Avira URL Cloud | safe |
            http://scripts.sil.org/OFLCopyright | 0% | Avira URL Cloud | safe |
            https://www.bitwarsoft.com/twitter/login2.html%s?scene_id=%s&lc=%s&login_type=%s | 0% | Avira URL Cloud | safe |
            https://www.bitwarsoft.com/uninstallfeedback?lang=tw&product_id=%d | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/checkrechargecode.php?code=%s&lc=%s&product_id=%d&uid=%s&username=%s | 0% | Avira URL Cloud | safe |
            http://u.bitwar.net/ep/patch.dll.cab | 0% | Avira URL Cloud | safe |
            https://www.bitwarsoft.com/share/ep/5times-en/index.html?count=%d&day=0&lc=%s&partner_id=%s&product_ | 0% | Avira URL Cloud | safe |
            http://u.bitwar.net/ep/newversion.htm | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/checkusername.php?lc=%s&product_id=%d&username=%s&version=%d&s=%s | 0% | Avira URL Cloud | safe |
            http://u.bitwar.net/ep/cd.cab | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/tutu/addtotal.php?count=1&lc=%s&product_id=%d&username=%s&version=%d | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/getuserinfo.php?lc=%s&password=%s&product_id=%d&reg_type=%d&uid=%s&u | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/pay/create.php?adid=%s&business=%d&fee_id=%d&lc=%s&mon=%d&partner_id | 0% | Avira URL Cloud | safe |
            https://www.bitwarsoft.com/chat/ | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/sendcaptcha.php?by_mobile=%d&email=%s&lc=%s&mobile=%s&product_id=%d& | 0% | Avira URL Cloud | safe |
            https://www.bitwarsoft.com/multiple-segment-trims-on-same-video.htmlU | 0% | Avira URL Cloud | safe |
            https://down.bitwarsoft.com | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b | 0% | Avira URL Cloud | safe |
            https://www.bitwarsoft.com/share/ep/5times-tw/index.html?count=%d&day=0&lc=%s&partner_id=%s&product_ | 0% | Avira URL Cloud | safe |
            https://www.bitwarsoft.com/multiple-segment-trims-on-same-video.html | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/modify.php?by_pass=%d&email=%s&lc=%s&mobile=%s&newpass=%s&password=% | 0% | Avira URL Cloud | safe |
            http://quoteunquoteapps.com) | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=%s&product_id=%d&version=%d&s=%s | 0% | Avira URL Cloud | safe |
            https://vip.bitwarsoft.com/v1.0/analysis/dll/callback.php | 0% | Avira URL Cloud | safe |
            http://u.bitwar.net/ep/EasePaintSetup.exehttp://u.bitwar.net/ep/newversion.htmhttp://u.bitwar.net/ep | 0% | Avira URL Cloud | safe |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            vip.bitwarsoft.com | 47.251.36.78 | true | false | | unknown

            Name | Malicious | Antivirus Detection | Reputation
            https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 | false | Avira URL Cloud: safe | unknown
            https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 | false | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://html4/loose.dtd | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281969086.0000000009FA6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946443072.0000000008865000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfe | EasePaint.exe, 00000008.00000003.2891502154.0000000004C96000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2890818604.0000000004C96000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2891039590.0000000004C96000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.bitwarsoft.com/tutorialsChangeWindowMessageFilteruser32.dllLable_ScrollBarBg | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
            http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://ocsp.sectigo.com0 | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://cairographics.org)) | wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2891039590.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2892575283.0000000004D06000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2891502154.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2891502154.0000000004C96000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2891039590.0000000004C96000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2892260537.0000000004C69000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2891039590.0000000004CC2000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2892381558.0000000004D06000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2891669239.0000000004C80000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://quoteunquoteapps.comhttp://basicrecipe.comCopyright | wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=%s&product_id=%d&version=%d&s=%s | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            https://tw.easepaint.com/video-watermark-removal-support.html | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            https://vip.bitwarsoft.com/v1.0/share/check.php?lc=%s&product_id=%d&uid=%s&username=%s&version=%d&s= | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            http://action.ashxCodeValueTimesModeUsernameLogsevent.ashxContenterror.ashxContactsuggest.ashxerrorf | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
            http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://u.bitwar.net/ep/patchversion.htm | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            http://.css | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281969086.0000000009FA6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946443072.0000000008865000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://curl.haxx.se/docs/http-cookies.html | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe | false | | high
            https://curl.haxx.se/docs/http-cookies.html# | EasePaint.exe | false | | high
            https://www.bitwarsoft.com/uninstallfeedback?lang=en&product_id=%d | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            https://www.easepaint.com/0 | wi86CSarYC.exe, 00000000.00000003.2885054706.000000000094B000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885274367.000000000095A000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2885440843.000000000096A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.openssl.org/support/faq.html | EasePaint.exe, 00000008.00000003.3283656252.00000000FDD60000.00000004.00001000.00020000.00000000.sdmp | false | | high
            https://vip.bitwarsoft.com/v1.0/register.php?adid=%s&lc=%s&partner_id=%s&password=%s&product_id=%d&r | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            https://curl.se/docs/hsts.html | wi86CSarYC.exe, 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp, wi86CSarYC.exe, 00000000.00000000.2188156535.000000000146F000.00000002.00000001.01000000.00000003.sdmp | false | | high
            https://www.bitwarsoft.com/ | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            http://u.bitwar.net/ep/EasePaintSetup.exe | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            https://curl.haxx.se/docs/copyright.htmlD | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://curl.haxx.se/V | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://www.brynosaurus.com/cachedir/ | EasePaint.exe | false | | high
            http://vip.deliocr.cn/ep/parse_video/parse.php?url=%s&time=%d&s=%svideo_urlimg_urlEmptyVideoUrl%s | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
            http://scripts.sil.org/OFLCopyright | wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://.jpg | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmp, wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.3281969086.0000000009FA6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2946443072.0000000008865000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://vip.bitwarsoft.com/v1.0/login_authorized/check.php?lc=%s&product_id=%d&scene_id=%s&uid=%s&ve | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            https://www.bitwarsoft.com/uninstallfeedback?lang=tw&product_id=%d | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            https://www.bitwarsoft.com/twitter/login2.html%s?scene_id=%s&lc=%s&login_type=%s | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
            http://u.bitwar.net/ep/newversion.htm | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            https://sectigo.com/CPS0 | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://curl.se/docs/http-cookies.html | wi86CSarYC.exe, 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp, wi86CSarYC.exe, 00000000.00000000.2188156535.000000000146F000.00000002.00000001.01000000.00000003.sdmp | false | | high
            https://twitter.com/intent/tweet?url=https://www.easepaint.com&text=Free | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmp | false | | high
            https://vip.bitwarsoft.com/v1.0/checkrechargecode.php?code=%s&lc=%s&product_id=%d&uid=%s&username=%s | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://u.bitwar.net/ep/patch.dll.cab | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            https://vip.bitwarsoft.com/v1.0/tutu/addtotal.php?count=1&lc=%s&product_id=%d&username=%s&version=%d | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            https://www.bitwarsoft.com/share/ep/5times-en/index.html?count=%d&day=0&lc=%s&partner_id=%s&product_ | EasePaint.exe | false | Avira URL Cloud: safe | unknown
            http://u.bitwar.net/ep/cd.cab | EasePaint.exe | false | Avira URL Cloud: safe |
                                                  unknown
                                                  https://curl.se/docs/alt-svc.htmlwi86CSarYC.exe, 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp, wi86CSarYC.exe, 00000000.00000000.2188156535.000000000146F000.00000002.00000001.01000000.00000003.sdmpfalse
                                                    high
                                                    https://vip.bitwarsoft.com/v1.0/getuserinfo.php?lc=%s&password=%s&product_id=%d&reg_type=%d&uid=%s&uEasePaint.exefalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://vip.bitwarsoft.com/v1.0/checkusername.php?lc=%s&product_id=%d&username=%s&version=%d&s=%sEasePaint.exefalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://vip.bitwarsoft.com/v1.0/pay/create.php?adid=%s&business=%d&fee_id=%d&lc=%s&mon=%d&partner_idEasePaint.exefalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0twi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.openssl.org/support/faq.htmlRANDEasePaint.exe, 00000008.00000003.3283656252.00000000FDD60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                        high
                                                        https://www.bitwarsoft.com/chat/EasePaint.exefalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0ywi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://www.bitwarsoft.com/multiple-segment-trims-on-same-video.htmlUEasePaint.exe, 00000008.00000003.2937765019.000000000379C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://vip.bitwarsoft.com/v1.0/sendcaptcha.php?by_mobile=%d&email=%s&lc=%s&mobile=%s&product_id=%d&EasePaint.exefalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://www.bitwarsoft.com/multiple-segment-trims-on-same-video.htmlEasePaint.exefalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005FDE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://www.bitwarsoft.com/share/ep/5times-tw/index.html?count=%d&day=0&lc=%s&partner_id=%s&product_EasePaint.exefalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://github.com/0install/0install-win0wi86CSarYC.exe, 00000000.00000003.2881890960.0000000005393000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://vip.bitwarsoft.com/v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9bEasePaint.exe, 00000008.00000003.2934143883.000000000314B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://down.bitwarsoft.comEasePaint.exe, 00000008.00000003.2937652748.0000000004D15000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000003.2936346217.0000000004D15000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://vip.bitwarsoft.com/v1.0/share/openflag.php?lc=%s&product_id=%d&version=%d&s=%sEasePaint.exefalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://quoteunquoteapps.com)wi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://scripts.sil.org/OFLwi86CSarYC.exe, 00000000.00000003.2881890960.00000000054EB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                https://vip.bitwarsoft.com/v1.0/modify.php?by_pass=%d&email=%s&lc=%s&mobile=%s&newpass=%s&password=%EasePaint.exefalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://u.bitwar.net/ep/EasePaintSetup.exehttp://u.bitwar.net/ep/newversion.htmhttp://u.bitwar.net/epwi86CSarYC.exe, 00000000.00000003.2881890960.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, EasePaint.exe, 00000008.00000000.2888009068.00000000010C6000.00000002.00000001.01000000.00000007.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://vip.bitwarsoft.com/v1.0/analysis/dll/callback.phpEasePaint.exe, 00000008.00000003.2937652748.0000000004D04000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
193.188.22.41 | unknown | Russian Federation | 49558 | LIVECOMM-ASRespublikanskayastr3k6RU | false
47.251.36.78 | vip.bitwarsoft.com | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1573201
                                                                Start date and time:2024-12-11 16:36:22 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 10m 23s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                Run name:Run with higher sleep bypass
Number of new started processes analysed:14
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:wi86CSarYC.exe
                                                                renamed because original name is a hash value
                                                                Original Sample Name:d7444d0ab1742bd2fed6dfdbd47f97372843894e0c78d853761697089bb24d40.exe
                                                                Detection:MAL
                                                                Classification:mal75.troj.spyw.evad.winEXE@10/39@1/2
                                                                EGA Information:
                                                                • Successful, ratio: 75%
                                                                HCA Information:Failed
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe
                                                                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                                                • Excluded IPs from analysis (whitelisted): 20.190.181.0, 20.31.169.57, 13.107.246.63, 172.202.163.200, 20.234.120.54, 150.171.28.10
                                                                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                • Report size getting too big, too many NtEnumerateKey calls found.
                                                                • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                                • Report size getting too big, too many NtOpenFile calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                • VT rate limit hit for: wi86CSarYC.exe
Time | Type | Description
16:39:58 | Task Scheduler | Run new task: AlphaSound Mixer Studio path: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
16:40:00 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AlphaSound Mixer Ultimate C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
193.188.22.41 | nSORtPkIOR.msi | Get hash | malicious | DanaBot | Browse |
193.188.22.41 | cloudflare.msi | Get hash | malicious | DanaBot | Browse |
47.251.36.78 | CEjWMdiJnR.exe | Get hash | malicious | DanaBot | Browse |
47.251.36.78 | CEjWMdiJnR.exe | Get hash | malicious | DanaBot | Browse |
47.251.36.78 | BitwarSetup.exe | Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
vip.bitwarsoft.com | CEjWMdiJnR.exe | Get hash | malicious | DanaBot | Browse | 47.251.36.78
vip.bitwarsoft.com | CEjWMdiJnR.exe | Get hash | malicious | DanaBot | Browse | 47.251.36.78
vip.bitwarsoft.com | BitwarSetup.exe | Get hash | malicious | Unknown | Browse | 47.251.36.78
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | Josho.x86.elf | Get hash | malicious | Unknown | Browse | 47.252.147.53
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | hax.arm7.elf | Get hash | malicious | Mirai | Browse | 47.56.171.17
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://email.mg.cool-bird.cn/c/eJwkjzmO8zAMRk9jdb9AUYutgsXf5BoGtTgR4G0sTYzcfmCnJN8rvhd52bk81zqWRA4ARNyWndfPdaMGq0Si1E99FplUr_WAOKAVeeEy347TVryI2Rtgrxwkz8kYN5mYfVAueIiogiiEgEahAvDYg5URJ8BktbIelQ19Z2B5yrht879QjiTjKmZ6tbZ3-n-Hjw4f53nKtteQa5NxW8RBjQ-W-1FybXP-dAZ-3vFGNa_pWjegB9Hoahq_NY1-az5G44bBi0a3eFv3uyT6kjfhXwAAAP__yDBVsw | Get hash | malicious | Unknown | Browse | 47.89.233.91
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://ytfjghloadv1.b-cdn.net/proCESSINGveriffv001.html | Get hash | malicious | CAPTCHA Scam ClickFix, LummaC Stealer | Browse | 47.254.218.16
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg== | Get hash | malicious | Unknown | Browse | 8.214.60.171
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | la.bot.arm6.elf | Get hash | malicious | Mirai | Browse | 47.90.7.34
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | la.bot.mips.elf | Get hash | malicious | Mirai | Browse | 47.240.247.145
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | la.bot.arm6.elf | Get hash | malicious | Mirai | Browse | 47.88.50.142
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | sora.mpsl.elf | Get hash | malicious | Mirai | Browse | 47.242.242.172
LIVECOMM-ASRespublikanskayastr3k6RU | UFh7A8CImG.exe | Get hash | malicious | DanaBot | Browse | 193.188.22.40
LIVECOMM-ASRespublikanskayastr3k6RU | nSORtPkIOR.msi | Get hash | malicious | DanaBot | Browse | 193.188.22.41
LIVECOMM-ASRespublikanskayastr3k6RU | cloudflare.msi | Get hash | malicious | DanaBot | Browse | 193.188.22.41
LIVECOMM-ASRespublikanskayastr3k6RU | zDcNyG6Csn.exe | Get hash | malicious | DanaBot | Browse | 193.188.22.40
LIVECOMM-ASRespublikanskayastr3k6RU | http://winningwriters.com | Get hash | malicious | Unknown | Browse | 193.188.22.73
LIVECOMM-ASRespublikanskayastr3k6RU | f6ffg1sZS2.exe | Get hash | malicious | Babuk, Djvu | Browse | 92.246.89.93
LIVECOMM-ASRespublikanskayastr3k6RU | cHZiG7fsJb.exe | Get hash | malicious | Metasploit | Browse | 212.192.213.56
LIVECOMM-ASRespublikanskayastr3k6RU | tsnsd8pOvn.exe | Get hash | malicious | Babuk, Djvu | Browse | 92.246.89.93
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://t.ly/me-ZS | Get hash | malicious | Unknown | Browse | 47.251.36.78
3b5074b1b5d032e5620f69f9f700ff0e | Cj3OWJHzls.lnk | Get hash | malicious | Ducktail | Browse | 47.251.36.78
3b5074b1b5d032e5620f69f9f700ff0e | MdmRznA6gx.lnk | Get hash | malicious | Ducktail | Browse | 47.251.36.78
3b5074b1b5d032e5620f69f9f700ff0e | 3y37oMIUy6.lnk | Get hash | malicious | Ducktail | Browse | 47.251.36.78
3b5074b1b5d032e5620f69f9f700ff0e | m9c7iq9nzP.lnk | Get hash | malicious | Ducktail | Browse | 47.251.36.78
3b5074b1b5d032e5620f69f9f700ff0e | WXahq3ZEss.lnk | Get hash | malicious | Ducktail | Browse | 47.251.36.78
3b5074b1b5d032e5620f69f9f700ff0e | 0A3NB8ot11.lnk | Get hash | malicious | Ducktail | Browse | 47.251.36.78
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | CEjWMdiJnR.exe | Get hash | malicious | DanaBot | Browse |
C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe | CEjWMdiJnR.exe | Get hash | malicious | DanaBot | Browse |
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1168
                                                                              Entropy (8bit):5.3426553490785125
                                                                              Encrypted:false
                                                                              SSDEEP:24:3GWWSKco4KmBs4RPT6BmFoUebIlmjKcmZ9t7J0gt/NKqHr6t:LWSU4y4RQmFoUeUmfmZ9tK8NPHM
                                                                              MD5:94F7AA2F4CDA98B8979EB10B70B21BE9
                                                                              SHA1:1DC040A01F7003F7D8E8DAEA516CED9F431C3281
                                                                              SHA-256:A635FD0D3E55AAB4D91539A385E79E0E3BD6A8E96317AA24D297A8BE7572F532
                                                                              SHA-512:A4079683D23FDD56AB3C68E521B6D74529ABDB8A03F14D73EDA26ACE8DC272EAABFCE7AEC061017F629F7B1B927E7B811947AAAA52DD120AF9F76C275A10BB07
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2410320
                                                                              Entropy (8bit):6.889985120272385
                                                                              Encrypted:false
                                                                              SSDEEP:49152:sZFK7uHTpF43FAhsB8tyXfV0ZWErm5UPGV9T/iOrjH/6z:s7z/mO7mGPQLrM
                                                                              MD5:95D5FAC09D8DF14A4890FB72E6BA046E
                                                                              SHA1:C04BD301260B8229E2929AD21B1A2EB5DCAADE5C
                                                                              SHA-256:6E2DE2230A751EC89BB757595C466B846B5AC6EFB8F17C67E5AF78C98B60B798
                                                                              SHA-512:2D2414A67FACB92E0317B67CEC12413DB7D46D08DE490CA21ACA897CAB6F7E17DC26ED758A394D741FA5885F0092F7924E36AB5B130F6482B4154C0C7F71FDC4
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Joe Sandbox View:
                                                                              • Filename: CEjWMdiJnR.exe, Detection: malicious, Browse
                                                                              • Filename: CEjWMdiJnR.exe, Detection: malicious, Browse
                                                                              Reputation:low
                                                                              Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):5708898
                                                                              Entropy (8bit):7.999817474035384
                                                                              Encrypted:true
                                                                              SSDEEP:98304:4uSUpCVmIEpd+mWeTSQLybH+u0aqQ0vsPb+e5MPd4C7O3Rsc8IaM:43AC8I6+mWI4GaqT0Pb+EC7U/8ZM
                                                                              MD5:047F3A06561E6F55DB635A603F92F021
                                                                              SHA1:C7BEB5E73D4948CD25698D7DAB13372DC01ED185
                                                                              SHA-256:F910097C00C7E382ECAD8353B4FF115BCDCE67FF60B5038ED0E5D7665BC6AD3D
                                                                              SHA-512:ED77789AACBAE69D5CD21C451A8EA19ED0F38A6D67633C4213948566F7AA1D0EFA302978B6990972104D2CF798C1E2538CFAFB2F7D34267C5812F8C991A79CC4
                                                                              Malicious:false
                                                                              Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                              File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
                                                                              Category:dropped
                                                                              Size (bytes):5016910
                                                                              Entropy (8bit):7.480590135173546
                                                                              Encrypted:false
                                                                              SSDEEP:98304:M/5DCbiskOaOhu69skGR4vHDgsHbPbn8gU4xH7U+bTb3gGQf+nYqjUp3Oj:MlUkVuuuK473bPbn8YbTsfWnYmU36
                                                                              MD5:466DD2E741CB161BC1ED68B7C6CCB50B
                                                                              SHA1:A1AA1E2E1941BC10A983AB698609BCBD5F367CB6
                                                                              SHA-256:46919A2E0BFE9535C4D2496180278FE2C956055F5AC4873A72C4A7A4F20FB3D8
                                                                              SHA-512:51E875164CA54C8EEAB048AEEE9801731EA989FA410E0CBC5414172AC63589D53A0AC718ADA2585F6E936B2881809780280796474BE073EA335FB0CDE7FACCB5
                                                                              Malicious:false
                                                                              Preview:RIFFF.L.WAVEfmt ........D...........LIST....INFOISFT....Lavf57.83.100.data..L.................................................................................................................................................................................................................................................................................................................(.(............././.'.'.:.:.....'.'.............................................................b.b.o.o.............................................l.l.........,.,.....-.-.....2.2.....%.%.....*.*.".".............................................................?.?.,.,.4.4././.....+.+.#.#.,.,.0.0.1.1.<.<.3.3.........................................................>.>.H.H.=.=.C.C.=.=.L.L.@.@.N.N.?.?.N.N.J.J.V.V.H.H.*.*.........H H @ @ E E H H 9 9 A A @ @ K K 8 8 ; ; ....................................................i.i.............................................=.=.v.v.Z.Z.......................................
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:data
                                                                              Category:modified
                                                                              Size (bytes):5709187
                                                                              Entropy (8bit):7.999817508127193
                                                                              Encrypted:true
                                                                              SSDEEP:98304:fuSUpCVmIEpd+mWeTSQLybH+u0aqQ0vsPb+e5MPd4C7O3Rsc8IaS:f3AC8I6+mWI4GaqT0Pb+EC7U/8ZS
                                                                              MD5:1970F3B429ED7067669B01BA11CFC12B
                                                                              SHA1:BB3043AC4895E87417512B5B0383AFB65B0597DF
                                                                              SHA-256:0E47272F371662E280469368BE3AB599B22AC402984AE06E2654E6F15177E186
                                                                              SHA-512:5F605509B3C0E3D2E6D6DD6786CFAB8E7365679C2581D6A190B57CFE27084882E5CB5F861FB4B3611282BA764FCD58905BEAAD85F7F56D55E5C3003AD7E8EE79
                                                                              Malicious:false
                                                                              Preview:#........j...4.s..,................................1012546698.?=<>8! #nDF.BK++*--/.Q.VRUU_VYXnjlomnxuGBEDFFIH.OMLNFqpsD@FCE@@I.}|..a`c.`dggihkjklon....x.....................e......................W........................6.............................................................../210;354.........4033=476PVO_OR^R/ #"$$'&.-+*,$/.Qdbfdfo`mW[Z]]_^A.FBEEOFIH"$9)= ..crutvvyx..}|xva`c^edgfihk{mlon...f.................................................................r................l..................................|.q.b.D.i.}.h.e...............032.4G6K8T:Z<M>@ N"A$F&](J*.,s.$P R:T9V<X/Z.\+^ @0B.D_FIHKJML7Kqpsrutwoyx{b}|..d`ccodgf$+.......................................................................................Q...............................dbcgdqr.`},h............."...<w=P...wU.R....[..X.....ac......Mi..`d..a`HYX[B]\_.D@CCgDGF...+%..!.=25..<:.6>B.J.48.VW...7.&tjmlwn.......................................................1.................
                                                                              Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):7759360
                                                                              Entropy (8bit):6.722542083267176
                                                                              Encrypted:false
                                                                              SSDEEP:98304:hfs3PJEPfNDXjFHKwftlnWAj9WF6HOSKXu:hfsUlNKL6HOJ+
                                                                              MD5:52093B930D74D157517D68D464E490EC
                                                                              SHA1:43D5BA4A773FE5EF0D259212DBF2DB6CC86E9A79
                                                                              SHA-256:1FCDAFA131810A276F5E1D934C55FF69B58ADFA32887DACF09B796CACC4D866E
                                                                              SHA-512:716EA1C83DEDD9E7FEF9E9B3529E17B0C1649C844BFDE822C0A48BFD9BC2C8E81836ABA4154CF227E4D0E56839CBE0280240BBB85D2A4D576010EF6E021DA8A0
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........,..B..B..B.(....B...I..B...Q...B..B..B...Q...B...I..B.h.L..B...H..B...F..B..C...B..F..B..H..B..I...B.,.D..B...F..B.Rich.B.................PE..L......N...........!......E..`1.......@.......E....g.........................pv.......v...............................O.X....jO.@.....m..V...........@v..&....q.......................................................E..............................text...:.D.......E................. ....rdata...`&...E..p&...E.............@..@.data...\.....k.......k.............@....rsrc....V....m..`...pm.............@..@.reloc..8l....q..p....p.............@..B........................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):7286480
                                                                              Entropy (8bit):6.699794092464677
                                                                              Encrypted:false
                                                                              SSDEEP:98304:jB3tOH2AjkkDqYsKc7b+UTBl9JuONaaSGUe5Mo9itNgKybC1:5tVAjTfspb+c/uONa65kvgfbC1
                                                                              MD5:486E6FBE70C67D89FEC40B1B2BC04715
                                                                              SHA1:A2D0F2934B2538D01FCD9685A35F0336DB18B5D4
                                                                              SHA-256:AFBD2282D74C32ADD3A65FF7840A64EB7B9EAFE71C8096D03BE60FFD8BBE133B
                                                                              SHA-512:E452C3A81B4C7DE69324FA7017E3470379892D0962CBA5AF721A76BEE9DB97B6EDA00999138172AB8834C3DC5A88684E3943A67741A4A31B58CC1BD73996A81B
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 37%
                                                                              Preview:MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$........+..]J.W]J.W]J.W.2.V.J.W.2.VvJ.WM..V_J.WM.1WPJ.WM..V@J.WM..VHJ.WM..V.J.W.2.V.J.WN..V\J.W]J.WqJ.W...V.J.W...VEJ.WK..VGJ.WK..V.J.W...V.J.W...VUJ.W.2.VHJ.W]J.W.K.W...V\J.W...V\J.W..3W\J.W...V\J.WRich]J.W........PE..L......g...........!...)..T...........J.......T...............................o......o...@..........................+e.D....Ee.......m...............o.......m..S..p"d.8...................."d......!d.@.............T..............................text.....T.......T................. ..`.rdata..,p....T..r....T.............@..@.data...`....pe..P...Ve.............@....rsrc.........m.......l.............@..@.reloc...S....m..T....l.............@..B........................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):482808
                                                                              Entropy (8bit):6.571174585397808
                                                                              Encrypted:false
                                                                              SSDEEP:12288:p+roGaFQD+sgDLUr/cPCwMXHxQNXs0w63NKfIAygN5XwEBqHeZSCxlon4O298m5H:4Z8YDR98m5VX9jTn
                                                                              MD5:457DC112A88076C71724DC22A3F4D90F
                                                                              SHA1:7D69FD4F50B3B50B4954B1C5FCC2FD40CECCCCAA
                                                                              SHA-256:B2204979FDCFBEDE97AC011416D65685EDF4BF8C4F93345D249FDA5A45027553
                                                                              SHA-512:D30ABE00D5C4CD488651AEB835F207BEA05A13E0C44FD51C506A337241967A59DAA7C8658C1DF0B07EC4E028CE4C3D7207754B2072AF3CFC48BB887046C4D3EB
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S#..2M..2M..2M...3..2M...#..2M...0..2M.O=...2M..2L.*2M.O=...2M... ..3M...7..2M...1..2M...5..2M.Rich.2M.................PE..L...~..Y...........!.....@...........V.......P...............................@.......X...............................Q......$F..x........B........... ...=.......8..................................h?..@............P...............................text....7.......@.................. ..`.rdata.......P.......P..............@..@.data...$2...`... ...`..............@....rsrc....B.......P..................@..@.reloc...@.......P..................@..B................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4572160
                                                                              Entropy (8bit):6.808220761823103
                                                                              Encrypted:false
                                                                              SSDEEP:98304:yp05Qj7e+pfZ64Khic8Vl7J24kL00TmUuazmoHWhCxDesui8DgMetO:K0g7ecYHhic8Vl7J24kL00TmUuazmoHX
                                                                              MD5:FE0A6C37438E85E7304DFAB539443EA1
                                                                              SHA1:57CFAF6D0754D1FCCE97B4437B82FB0C9D32FE95
                                                                              SHA-256:CDFAC37C3C704B89EE8363EA8DDBAE12A893589E98B541BC485A3BE66E37DBF9
                                                                              SHA-512:F57444C924C78CDC94C2B050F74007E6F32C1892C2AD05AD4D0E27309C902408A814270B2832E5CC720F51A1A4FEEA92FC22A45D49EDDED4A92CD80F8F79054A
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$.......4 ..pA..pA..pA..;9..@A..;9...A..`.W.|A..`..lA..`..cA..`..!A..c..qA..8...A..8..eA..f..qA..f...A......A.....rA..;9..UA..;9..aA..pA...@..8..qA..8..qA..8.U.qA..8..qA..RichpA..........................PE..L......g...........!...)..4...........+.......4...............................F...........@..........................-C.,....GC.......D.`l...................0E.... .A.8.....................A.....`.A.@.............4.l............................text.....4.......4................. ..`.rdata..*u....4..v....4.............@..@.data....D...pC..r...ZC.............@....rsrc...`l....D..n....C.............@..@.reloc......0E......:D.............@..B........................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3071824
                                                                              Entropy (8bit):6.7286878204550264
                                                                              Encrypted:false
                                                                              SSDEEP:49152:6v7Mg/YnxxeILSBKiUd3/xMlg3zZvQbTIe4MpHcO9IfUO8v6w5mX8w5M6usJKT4:e7eeIB1Q54b504
                                                                              MD5:4190DC53968245E1AE10749DF8879848
                                                                              SHA1:74F045D0A150AABCFB8001D237A2150DCE27973F
                                                                              SHA-256:DADF20CAAC74C8DEE10C8A875452B904AF1F799A5F445FE2A5DECDFF57B16548
                                                                              SHA-512:F3310EBCDD6EF25BF3A3BF6F61FBD55DF25B77E46590A517030669D36709E6028E6E7D9BC373F27A8269C633CBC184BCC64DC3F89566BD0C984C07C125328075
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5`..[3..[3..[3.a.3..[3.a.3..[3.a.3..[3...3..[33].3..[3..^2..[3.._2..[3..X2..[3...3..[3...3..[3..Z3z.[3..S2..[3..[2..[3...3..[3..Y2..[3Rich..[3........PE..L....G.d.........."!...... .........+........0 .............................../.....}./...@..........................r'....../,.......-.0...............PS....-.....P.$.p...................`.$.......$.@............0 ..............................text..... ....... ................. ..`.rdata...)...0 ..*.... .............@..@.data........`,..P...D,.............@..._RDATA..0.....,.......,.............@..@.rsrc...0.....-.......,.............@..@.reloc........-.......,.............@..B........................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):51200
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3::
                                                                              MD5:BF235F22DF3E004EDE21041978C24F2E
                                                                              SHA1:7188972F71AEE4C62669330FF7776E48094B4D9D
                                                                              SHA-256:16FA66A7DC98D93F2A4C5D20BAF5177F59C4C37FC62FACE65690C11C15FE6FF9
                                                                              SHA-512:E76D7CBBAA2B3110D38425F7B579C6F94C29A162D3B4A3B9A4FEACEDE7CEC5EA5E30E455F9417A2C230390C78AB2FBC54C7B98C8F8F68955FE071C37C59D4046
                                                                              Malicious:false
                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):196608
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3::
                                                                              MD5:EF2E0D18474B2151EF5876B1E89C2F1D
                                                                              SHA1:AEF9802FCF76C67D695BC77322BAE5400D3BBE82
                                                                              SHA-256:3381DE4CA9F3A477F25989DFC8B744E7916046B7AA369F61A9A2F7DC0963EC9E
                                                                              SHA-512:E81185705A3BD73645BF2B190BBF3AEE060C1C72F98FA39665F254A755B0A5723CE8296422874EB50C7B5E8D6BCD90175B0BA28061221039172A3F50E8902CC8
                                                                              Malicious:false
                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):106496
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3::
                                                                              MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                                                              SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                                                              SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                                                              SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                                                              Malicious:false
                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):40960
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3::
                                                                              MD5:AB893875D697A3145AF5EED5309BEE26
                                                                              SHA1:C90116149196CBF74FFB453ECB3B12945372EBFA
                                                                              SHA-256:02B1C2234680617802901A77EAE606AD02E4DDB4282CCBC60061EAC5B2D90BBA
                                                                              SHA-512:6B65C0A1956CE18DF2D271205F53274D2905C803D059A0801BF8331CCAA28A1D4842D3585DD9C2B01502A4BE6664BDE2E965B15FCFEC981E85EED37C595CD6BC
                                                                              Malicious:false
                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):106496
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3::
                                                                              MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                                                              SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                                                              SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                                                              SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                                                              Malicious:false
                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):20480
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3::
                                                                              MD5:DAA100DF6E6711906B61C9AB5AA16032
                                                                              SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                                                              SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                                                              SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                                                              Malicious:false
                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):98304
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3::
                                                                              MD5:0A9156C4E3C48EF827980639C4D1E263
                                                                              SHA1:9F13A523321C66208E90D45F87FA0CD9B370E111
                                                                              SHA-256:3A3ED164E42500A1C5B2D0093F0A813D27DC50D038F330CC100A7E70ECE2E6E4
                                                                              SHA-512:8A46C1B44C0EA338AFF0D2E2D07C34430B67B68B6D27E1ADB8CF216B0F0994172CED106A90283F2F0469B5CAA40ACEDF101D45729B823E5179EA55AC507E04AD
                                                                              Malicious:false
                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):32768
                                                                              Entropy (8bit):0.017262956703125623
                                                                              Encrypted:false
                                                                              SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                              MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                              SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                              SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                              SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                              Malicious:false
                                                                              Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                              File Type:7-zip archive data, version 0.4
                                                                              Category:dropped
                                                                              Size (bytes):13290781
                                                                              Entropy (8bit):7.999979953857841
                                                                              Encrypted:true
                                                                              SSDEEP:196608:sromIOmmlfLu+TwfaYfIx26ye9vcqB13YiUeLQrQVxn5GHX5sjavB0cWQklxxniv:OymdK++/fQWBqB1R6QXw35s2aHJip/O+
                                                                              MD5:04F0198F443995D1696722CA9E7E3210
                                                                              SHA1:C4DDA5FB1EB43F310538B961D7673A489643B747
                                                                              SHA-256:69BB7ED51139CA1872C30D57EE7E8459A9C12D6B8A5A60EECB979E56EAD7E987
                                                                              SHA-512:B1C3D467ABD501ECDA9B8917AB24D83A79986477FA27B0D2443B8D80432DAE83B531045A7908BCBE84447CFCD20CF355F648087BFD78F5AF2433A7C00AB87924
                                                                              Malicious:false
                                                                              Preview:7z..'.....z.........%.......Gc.u....]...sN>....7/.8...Hi.k.C.5.p...h....S.\(.ASmsq.....=.Y...-...$....A......deu.2B...U.....m|v@A../b..&.+6(.,.$p8..q.........r...u[....!G.J8P=.2|.tv._c..a.#9.......l.z..6n...E.9...[4.B......Y..j.XKr.l...S*(.6.T.-.g%...'(.../Z.;<`b<...m.2..o.n..........-V..v.. ...h..2:(......."...5.o+....+.?`Q.....14"..<.x.c.-n..D...3...[...@..Ps.~.......LC.c..^. Q..I2..a..v.......g.._@..!g6b......zy....$.....,D2$..jm^...DD..!..}Lv.;.`-.B.s......T..f'.3.qP.............`.x`..R~.F.5...l.j...w4!.CS/W..GO...|....I..!.5%. .. ....na.1F.....9W|..`....(..i.[.:..........q.fI...y.x.}.ou..M......W<..>..).{......I.$......of.~.......O`%K....&..z.k@....5..k.G1.]3;...K....U.s"......H...9<E.K2.....(..:a...6....`a.I..:0..e.Ac.Sp....^..q...... ..w...O4D.H..R!.M.TI..Jy.w\.}.!.5..[<`...S5.....?.T..#.zK..L)3@...u..x..PQa^....`...L.9.)..v.Z.m2_IqG.1..f.\.u.DtZmW...F.....L.@m.......7..1..F.'w..>..'...4....I....s.. ...).J.K&.?.6..n.....a.
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):106496
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3::
                                                                              MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                                                              SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                                                              SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                                                              SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                                                              Malicious:false
                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):20480
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3::
                                                                              MD5:DAA100DF6E6711906B61C9AB5AA16032
                                                                              SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                                                              SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                                                              SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                                                              Malicious:false
                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                              File Type:Berkeley DB (Btree, version 9, native byte-order)
                                                                              Category:dropped
                                                                              Size (bytes):16384
                                                                              Entropy (8bit):0.029947548765222036
                                                                              Encrypted:false
                                                                              SSDEEP:3:0lBCtNl1lB/tdyXlNldlE/l9ltlBttklB/tdyXlNldlE/l:c2oXi91LCoXi
                                                                              MD5:F5FABDCD8E955E7D1B87D85CFDD31AC7
                                                                              SHA1:3D5CF1C373695A4BC1968B61EE9A69A843AFFD68
                                                                              SHA-256:C9E862A335C8CB082B07696B02252B5FC0D674AADF9D94185F3F6638ED737F84
                                                                              SHA-512:AEE26E570BE55A28F1181631BBE62E64E39DB5008FDC31E4167A33C05CDBAA5AA72546BDAF9B667D8263407045C7A20B91443CF4D0F24518B07EF430EBAED703
                                                                              Malicious:false
                                                                              Preview:............b1....... .........................................0.................... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                              File Type:ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):34
                                                                              Entropy (8bit):4.094097032108653
                                                                              Encrypted:false
                                                                              SSDEEP:3:6xyX5DIRsQs5:6ydIFs5
                                                                              MD5:E92C36BBE612635205DE9F07B5AD97CB
                                                                              SHA1:400D1192775CC05207512910B30AFA605F199C01
                                                                              SHA-256:0B2079BA6432C03C15E396C79EB7BD25A70478E9FBFE26727EBF4E5B28C30D54
                                                                              SHA-512:6313BD751BD19A157963D7EEBCE82753F345538ABDC80E461A2080D52DCF6232EEBC0D88E7B3455C2A5630AAB1655AF51127B7C5BC16B025EDC4FC237B67D51B
                                                                              Malicious:false
                                                                              Preview:..ics_version.2.0.filename.s24o.0.
                                                                              Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                              File Type:ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):34
                                                                              Entropy (8bit):4.152920561520417
                                                                              Encrypted:false
                                                                              SSDEEP:3:6xyX5DIRsQsq:6ydIFsq
                                                                              MD5:3FD3903474C144EA41E1A267982B68FE
                                                                              SHA1:1D43B78BAECE2B066B473167B0BA5F44A44910C7
                                                                              SHA-256:B48EEF333BCDEA15F293FC2B2038E9EE38606E768ED38AECBEFA5FCB522FB662
                                                                              SHA-512:6B44514BA027DC42B8C7B9D867E2408916DBB06FC2AEAB120DCA68544FD701168D7C12870A7B31F12E155B2E88CE22785BD645F73453EEB18DF06CC647417B5E
                                                                              Malicious:false
                                                                              Preview:..ics_version.2.0.filename.s24o.1.
                                                                              Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):35
                                                                              Entropy (8bit):2.258492676514824
                                                                              Encrypted:false
                                                                              SSDEEP:3:XVl6EcxvVKM:kp7
                                                                              MD5:D880A299052F9E9DFE0A27A82BCB75A9
                                                                              SHA1:7A94DB3C9AA1C526F2B09516AECDC647830A7DB9
                                                                              SHA-256:08D23E43FF2E59F5AA84828E4C05A3D61AE6E8C7319318EA57F7A2E91A5FEF2B
                                                                              SHA-512:DF2B90AF64C031980FFC6B49D2CFB20EDD79FF31030747689100BD4F916798629D526C4AE84F3E1AD1E530D857CB767DA321CA8EC5376E2FEEB679BBA132AFBD
                                                                              Malicious:false
                                                                              Preview:0 0 0..1 0 0..1 1 1..0 1 0..0 0 1..
                                                                              Process:C:\Users\user\Desktop\wi86CSarYC.exe
                                                                              File Type:Berkeley DB (Btree, version 9, native byte-order)
                                                                              Category:dropped
                                                                              Size (bytes):16384
                                                                              Entropy (8bit):0.04580644494944765
                                                                              Encrypted:false
                                                                              SSDEEP:3:0lBCtNl1lB/tdyXlNldlE/l9ltl76VlelB/tdyXlNldlE/lggPlLB:c2oXi91+P6oXige/
                                                                              MD5:6283DA3EAAC0B3323EAC3B2DF71ACB98
                                                                              SHA1:FE90803188774838E09EA0E4E6B7F2A3D08F74C3
                                                                              SHA-256:F08FC3B67CB2D2EC88A673EE0031452E887343E11000368D4B7044258D7F7ADF
                                                                              SHA-512:6E3B95C01D51D8ACF39E99E4A5D8BF735B15378689066B35FC8B8B02B4F43323B2D450B9F8DC74400F0FCFE27BB96A4E55DA7CCA611185F26298604361D34B99
                                                                              Malicious:false
                                                                              Preview:............b1....... .........................................0.................... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:PNG image data, 600 x 400, 8-bit/color RGBA, non-interlaced
                                                                              Category:dropped
                                                                              Size (bytes):41369
                                                                              Entropy (8bit):7.972428113572902
                                                                              Encrypted:false
                                                                              SSDEEP:768:8flNJeU+jFSF4HVXYmq8d66O80hoYoEJqOugiG3Y4bssP2ZNT3SAmriBeknZ:ilann1pq8o6Oh7o+1o4bssO7S+DnZ
                                                                              MD5:F09B635DA0C14490820F64D28CAD94EE
                                                                              SHA1:03CA314C663165297A8E2CC74F16612612D69CA7
                                                                              SHA-256:AF77061FC257538C87B854D2BCF2DE601CBDF884C315CD2C9240DCD757DDFE73
                                                                              SHA-512:00B0072A9463276D41CE35309901630C4274C2B73E70CE8E3A3060D490B57B1EB29AC37538807B062E325C2B7D661D8D8D366FC57A0C46DA93005191029B291D
                                                                              Malicious:false
                                                                              Preview:.PNG........IHDR...X.........r5.... .IDATx...wT.g.?~vg./ew..DP...+..b.k..Qc..........D.Q.{.`G, U...X.;..?.~~|}bb.A..u...I...3....f6........c...........................................................................................................................................................................j .C...q.L&..d..L&:.N7U|.......,....S4..H.t:fYY.uVV.....?...L.w..J..m2.h.-..,..x.@U^^n...k._~.e....Z..-..{.}.v..j...../.###..d2!EQ...j)..*4....T...).".Z-........bcc.....X.`i.m.D").....t..l6_.z.kVV.G.../....=|.0, .$I#Z...X...6Pi4.Nqq........-ruu-.7o....".H.b.t.AP4..\94Q.E.|.rWoo.l...t.^.].xq.....Q.F..p8..,..,..:...F#..j...../^....]...1g..-[.|,..e..To...............G.F...'>>..P(..$I.[.@....S.J..p...\.;.s.%.CBB^.5kuhhh.@ .3.L......X....h$JJJ......^.......-C....(....T.E.Z..UZZj.....z..YB.P6`..cYYY>.}.........w....77.|>..b2... >.6.$IRNNN....'O..n..j......5.*X.P....l...f..h$.j5777....1+V...c.S.N..I..vvv.....o*T..]............}..=.......^..!....@..T
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:PDF document, version 1.7
                                                                              Category:dropped
                                                                              Size (bytes):955
                                                                              Entropy (8bit):6.4895112362656215
                                                                              Encrypted:false
                                                                              SSDEEP:24:AEkhE93XVAnJniM+Esx9u+eXmzMwJtsSOPfAxgd3SL:AVhE9nVAJAEs3uIMwJtsSOPYWJSL
                                                                              MD5:0DEA9687EC77F751BEA695EC6B665342
                                                                              SHA1:7968C51F0DE25C674C078409E40B7D91DF17B3E4
                                                                              SHA-256:D35236EC6E306B7068876732E7138CE8ED7B2DA570671C165F41DD0C1FB50AA7
                                                                              SHA-512:C13F9DD88C6030BB711775B69D89E8794934D50439EECBCD3F46B6AABE9ABC8A4384FAD44FC9722C6C59F5B4781E216C239F5B3EFF451292450FBA0611EB89D7
                                                                              Malicious:false
                                                                              Preview:%PDF-1.7.%....4 0 obj.<< /Length 5 0 R. /Filter /FlateDecode.>>.stream.x.3T0.B]C aab....U.....- ...endstream.endobj.5 0 obj. 27.endobj.3 0 obj.<<.>>.endobj.7 0 obj.<< /Type /ObjStm. /Length 8 0 R. /N 1. /First 4. /Filter /FlateDecode.>>.stream.x.3S0.......8.].endstream.endobj.8 0 obj. 16.endobj.9 0 obj.<< /Type /ObjStm. /Length 12 0 R. /N 4. /First 23. /Filter /FlateDecode.>>.stream.x.U..j.0.D.......Z.i09$.PJ!$....".A..$...+.qJ.i.......qT..PE...s......i.{.h...o.......>...}.@l..6..{..fJ.gAsZ.9f..:...6Nv....&..o....v+..l..\.$.....?...l2....h.....#%...>...?1...z..(.=t.....w....:.i.=.:.c.N..K^.:.W...i.D.V.....u.1s...m..(.......+....A~....^.V..~..$n..endstream.endobj.12 0 obj. 278.endobj.13 0 obj.<< /Type /XRef. /Length 58. /Filter /FlateDecode. /Size 14. /W [1 2 2]. /Root 11 0 R. /Info 10 0 R.>>.stream.x.c``........D012.0002...r..;...H0*....:F....t.(.t........endstream.endobj.startxref.729.%%EOF.
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:PDF document, version 1.7
                                                                              Category:dropped
                                                                              Size (bytes):954
                                                                              Entropy (8bit):6.431322896250017
                                                                              Encrypted:false
                                                                              SSDEEP:24:AEkhE93XVAnJniM+EdpdsWOfHtGOPfAx8c:AVhE9nVAJAEFs7vtGOPYWc
                                                                              MD5:8EFF7D5CD94F33748571B1188976C16A
                                                                              SHA1:5B402BF20925C673D5F9C6D0F226F37FCACC973A
                                                                              SHA-256:72AE9FF904F0AB8E7AD545CEE015A741D703C2ACD57784D5B0F76BE28B55D756
                                                                              SHA-512:36DCF993C4DCFC8049A7ED1ADB1C2CE96823E99483F85AAAAEB33E8CACD08905855D534EFB70FE27074009E81CF9C0A69207E68BDDC9ADF7330C3A2980F3356F
                                                                              Malicious:false
                                                                              Preview:%PDF-1.7.%....4 0 obj.<< /Length 5 0 R. /Filter /FlateDecode.>>.stream.x.3T0.B]C aab....U.....- ...endstream.endobj.5 0 obj. 27.endobj.3 0 obj.<<.>>.endobj.7 0 obj.<< /Type /ObjStm. /Length 8 0 R. /N 1. /First 4. /Filter /FlateDecode.>>.stream.x.3S0.......8.].endstream.endobj.8 0 obj. 16.endobj.9 0 obj.<< /Type /ObjStm. /Length 12 0 R. /N 4. /First 23. /Filter /FlateDecode.>>.stream.x.U..j.0.D........M.`rH....Ir+=.E8.b.I...W...>f53,."&.....#f....,....BR.F..@..->..p..vz..8.l.... ..B..h.%aqq...$.icD.i.]j....Q....SXT..Sf...x...(.M.b..[..Z..r.d#xW.Vl...K../9.,...[dw...GY.!..Hgt.....K^g..g.5O;...w+.a...g......T...../J7E......._........_..n..endstream.endobj.12 0 obj. 277.endobj.13 0 obj.<< /Type /XRef. /Length 58. /Filter /FlateDecode. /Size 14. /W [1 2 2]. /Root 11 0 R. /Info 10 0 R.>>.stream.x.c``........D012.0002...r..;...H0*....:F....t.(.t........endstream.endobj.startxref.728.%%EOF.
                                                                              Process:C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
                                                                              File Type:PDF document, version 1.7
                                                                              Category:dropped
                                                                              Size (bytes):955
                                                                              Entropy (8bit):6.463581000994065
                                                                              Encrypted:false
                                                                              SSDEEP:24:AEkhE93XVAnJniM+wJMBzexLKtitsSOPfAxgd3SL:AVhE9nVAJAFBixUitsSOPYWJSL
                                                                              MD5:1613022F4DF52BB01DA5FD7063E7EB17
                                                                              SHA1:AEBA0243F79AC3B0EFCF447928B45998F1AD251F
                                                                              SHA-256:23870B70B47A4D71882A8DCD6E63FC521EF95E8899BDDF347D0A5D706340FE34
                                                                              SHA-512:5F55242C2F73019047DFC09276C355A0A0100C793C40B9F348A312C421F31987783F3EE7ACF6397E2B0F44155B8769DB9FA231CBE432258499489654824AD46A
                                                                              Malicious:false
                                                                              Preview:%PDF-1.7.%....4 0 obj.<< /Length 5 0 R. /Filter /FlateDecode.>>.stream.x.3T0.B]C aab....U.....- ...endstream.endobj.5 0 obj. 27.endobj.3 0 obj.<<.>>.endobj.7 0 obj.<< /Type /ObjStm. /Length 8 0 R. /N 1. /First 4. /Filter /FlateDecode.>>.stream.x.3S0.......8.].endstream.endobj.8 0 obj. 16.endobj.9 0 obj.<< /Type /ObjStm. /Length 12 0 R. /N 4. /First 23. /Filter /FlateDecode.>>.stream.x.U..j.0...~.....Z..8..bC(....J.B...XF.K....8.........b(X......=.AU!y....w.....5.@...>gT.i..`..7.Z......V..61Cx.v4.$.i..x...h.FKn{54.J..6eiN)...,.'V<2..&.......k.s.d3x.m.....e..e.M..C........4......c.+:;..`F.%.+~..\......y:.=t.=?I.&-.Av.<.Ea...]._..[...[;w.[9'....n..endstream.endobj.12 0 obj. 278.endobj.13 0 obj.<< /Type /XRef. /Length 58. /Filter /FlateDecode. /Size 14. /W [1 2 2]. /Root 11 0 R. /Info 10 0 R.>>.stream.x.c``........D012.0002...r..;...H0*....:F....t.(.t........endstream.endobj.startxref.729.%%EOF.
                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):7.781966871820781
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:wi86CSarYC.exe
                                                                              File size:20'092'696 bytes
                                                                              MD5:0897b6ab5240bdb4bbeb3adf924adb19
                                                                              SHA1:542a45a470d549a1c60ddeb4839a0efb1360679b
                                                                              SHA256:d7444d0ab1742bd2fed6dfdbd47f97372843894e0c78d853761697089bb24d40
                                                                              SHA512:cc709348df9cda2680037c33a6da44ed1c1ac382790418cb39e734de576b7916bcb1e28203322022df77f4daa454f27417a917849d9eae1998cc07b8680c47d7
                                                                              SSDEEP:393216:mZt39EfBgymdK++/fQWBqB1R6QXw35s2aHJip/O:yt3ea/dCnQHPJw35EH4p/
                                                                              TLSH:BE170102FFC385B1DE82017111BAA77B4D3A55484320E5E3A7D46DA8F8627E15B3FB98
                                                                              File Content Preview:MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$........1l$.P.w.P.w.P.w.(.v.P.w.(.vhP.w.(.v.P.w...w.P.w...v.P.w...v.P.w...v.P.wE..v.P.w...v.P.w...v.Q.w...v.P.w...v0P.w.P.w.P.wE..vkS.
                                                                              Icon Hash:186c4c4c4c4c6967
                                                                              Entrypoint:0x852eac
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:true
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x6707F36C [Thu Oct 10 15:31:56 2024 UTC]
                                                                              TLS Callbacks:0x8525b6, 0x852b7a
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:6
                                                                              OS Version Minor:0
                                                                              File Version Major:6
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:6
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:6c1291fac96906d97a48010bbceb4bcb
                                                                              Signature Valid:
                                                                              Signature Issuer:
                                                                              Signature Validation Error:
                                                                              Error Number:
                                                                              Not Before, Not After
                                                                                Subject Chain
                                                                                  Version:
                                                                                  Thumbprint MD5:
                                                                                  Thumbprint SHA-1:
                                                                                  Thumbprint SHA-256:
                                                                                  Serial:
                                                                                  Instruction
                                                                                  call 00007FD928FA417Dh
                                                                                  jmp 00007FD928FA302Fh
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  cmp cl, 00000040h
                                                                                  jnc 00007FD928FA31C7h
                                                                                  cmp cl, 00000020h
                                                                                  jnc 00007FD928FA31B8h
                                                                                  shld edx, eax, cl
                                                                                  shl eax, cl
                                                                                  ret
                                                                                  mov edx, eax
                                                                                  xor eax, eax
                                                                                  and cl, 0000001Fh
                                                                                  shl edx, cl
                                                                                  ret
                                                                                  xor eax, eax
                                                                                  xor edx, edx
                                                                                  ret
                                                                                  int3
                                                                                  cmp cl, 00000040h
                                                                                  jnc 00007FD928FA31C7h
                                                                                  cmp cl, 00000020h
                                                                                  jnc 00007FD928FA31B8h
                                                                                  shrd eax, edx, cl
                                                                                  shr edx, cl
                                                                                  ret
                                                                                  mov eax, edx
                                                                                  xor edx, edx
                                                                                  and cl, 0000001Fh
                                                                                  shr eax, cl
                                                                                  ret
                                                                                  xor eax, eax
                                                                                  xor edx, edx
                                                                                  ret
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  and dword ptr [00A74798h], 00000000h
                                                                                  sub esp, 28h
                                                                                  or dword ptr [00A31998h], 01h
                                                                                  push 0000000Ah
                                                                                  call dword ptr [008DF398h]
                                                                                  test eax, eax
                                                                                  je 00007FD928FA34BBh
                                                                                  push ebx
                                                                                  push esi
                                                                                  push edi
                                                                                  xor eax, eax
                                                                                  lea edi, dword ptr [ebp-28h]
                                                                                  xor ecx, ecx
                                                                                  push ebx
                                                                                  cpuid
                                                                                  mov esi, ebx
                                                                                  pop ebx
                                                                                  nop
                                                                                  mov dword ptr [edi], eax
                                                                                  mov dword ptr [edi+04h], esi
                                                                                  mov dword ptr [edi+08h], ecx
                                                                                  xor ecx, ecx
                                                                                  mov dword ptr [edi+0Ch], edx
                                                                                  mov eax, dword ptr [ebp-28h]
                                                                                  mov edi, dword ptr [ebp-24h]
                                                                                  mov dword ptr [ebp-04h], eax
                                                                                  xor edi, 756E6547h
                                                                                  mov eax, dword ptr [ebp-1Ch]
                                                                                  xor eax, 49656E69h
                                                                                  mov dword ptr [ebp-18h], eax
                                                                                  mov eax, dword ptr [ebp-20h]
                                                                                  xor eax, 6C65746Eh
                                                                                  mov dword ptr [ebp-14h], eax
                                                                                  xor eax, eax
                                                                                  inc eax
                                                                                  push ebx
                                                                                  cpuid
                                                                                  mov esi, ebx
                                                                                  pop ebx
                                                                                  nop
                                                                                  lea ebx, dword ptr [ebp-28h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6253f0 | 0xdc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x677000 | 0xcc77c3 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1327400 | 0x2718 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x133f000 | 0x2a000 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x617840 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x617730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4df000 | 0x664 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4dd1b4 | 0x4dd200 | 9d262aa805e3ce2beedcd36cf6f125f3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4df000 | 0x14874c | 0x148800 | be5e9c5e9decb08b17ab0a7449429d90 | False | 0.3670358875570776 | data | 5.971856139356924 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x628000 | 0x4e7bc | 0xfa00 | bed801ea8bb518344ed91d6f6be423c1 | False | 0.406171875 | data | 5.635325263974467 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x677000 | 0xcc77c3 | 0xcc7800 | f86c582c81f7a178c1468cecdc6bcfd9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x133f000 | 0x2a000 | 0x2a000 | 15f3d34c3fc65723d90702546b874dda | False | 0.5995047433035714 | data | 6.635714661940469 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x6772a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 756 x 756 px/m | | | 0.1879432624113475
RT_ICON | 0x677708 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 1134 x 1134 px/m | | | 0.1413934426229508
RT_ICON | 0x678090 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 1512 x 1512 px/m | | | 0.09427767354596622
RT_ICON | 0x679138 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2268 x 2268 px/m | | | 0.06742738589211618
RT_ICON | 0x67b6e0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3024 x 3024 px/m | | | 0.052491733585262164
RT_ICON | 0x67f908 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 6047 x 6047 px/m | | | 0.032148349698331954
RT_ICON | 0x690130 | 0x12e2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9290442697558957
RT_RCDATA | 0x691414 | 0xcacd1d | data | | | 1.0003108978271484
RT_GROUP_ICON | 0x133e134 | 0x68 | data | | | 0.75
RT_VERSION | 0x133e19c | 0x3a6 | data | | | 0.41862955032119914
RT_MANIFEST | 0x133e544 | 0x27f | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5633802816901409
DLL | Import
KERNEL32.dll | SetThreadContext, CreateIoCompletionPort, FormatMessageA, GetTempFileNameW, SleepEx, lstrcpyW, WideCharToMultiByte, CreateEventA, DeleteCriticalSection, LocalFree, QueueUserAPC, FindResourceW, LoadResource, CloseHandle, GlobalAlloc, LockResource, TerminateThread, SetEvent, GetLastError, FormatMessageW, GetThreadContext, RemoveDirectoryW, GlobalMemoryStatusEx, WriteConsoleW, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, CreateEventW, PostQueuedCompletionStatus, WaitForSingleObject, FindClose, GetTempPathW, EnumResourceNamesW, GetEnvironmentVariableW, GetQueuedCompletionStatus, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, WaitForMultipleObjects, EnumResourceTypesW, CreateWaitableTimerW, lstrlenW, EnterCriticalSection, SetLastError, SetWaitableTimer, FindFirstFileW, SizeofResource, CreateDirectoryW, GetFileAttributesW, CreateFile2, MultiByteToWideChar, IsValidCodePage, GetACP, GetOEMCP, CreateFileA, CreateFileW, GetFileAttributesA, GetFileInformationByHandle, GetFileType, GetFullPathNameW, ReadFile, WriteFile, PeekNamedPipe, GetExitCodeProcess, Sleep, GetStdHandle, SearchPathA, DuplicateHandle, SetHandleInformation, CreatePipe, GetCurrentProcess, CreateProcessA, OpenProcess, GetProcAddress, LoadLibraryA, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, InitializeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, GetCurrentThread, GetThreadGroupAffinity, InitOnceBeginInitialize, InitOnceComplete, GetModuleHandleW, WakeConditionVariable, InitializeCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, QueryPerformanceCounter, QueryPerformanceFrequency, VerSetConditionMask, GetModuleHandleExW, FreeLibrary, GetStartupInfoW, GlobalUnlock, GlobalLock, GlobalFree, SetThreadExecutionState, ReleaseSRWLockShared, AcquireSRWLockShared, GetCurrentThreadId, ReleaseSemaphore, GetExitCodeThread, CreateSemaphoreA, GetSystemInfo, VirtualFree, GetCurrentProcessId, GetSystemTimeAsFileTime, GetSystemTime, SystemTimeToFileTime, GetSystemDirectoryA, LoadLibraryW, FindNextFileW, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, GetTickCount, InitializeCriticalSectionEx, GetSystemDirectoryW, GetModuleHandleA, MoveFileExW, WaitForSingleObjectEx, GetEnvironmentVariableA, VerifyVersionInfoW, GetFileSizeEx, PulseEvent, GetDiskFreeSpaceW, SetFilePointer, GetVersion, GetVersionExW, FlushFileBuffers, DeleteFileW, MoveFileW, CreateFileMappingW, OpenFileMappingW, MapViewOfFile, UnmapViewOfFile, SetEndOfFile, SignalObjectAndWait, ResetEvent, ReleaseMutex, CreateMutexW, CreateThread, LockFile, LockFileEx, UnlockFile, GetShortPathNameW, GetModuleFileNameW, GetHandleInformation, GetQueuedCompletionStatusEx, InitOnceExecuteOnce, GetTickCount64, SetFileCompletionNotificationModes, RaiseException, GetLocaleInfoEx, GetStringTypeW, TryAcquireSRWLockExclusive, GetCurrentDirectoryW, FindFirstFileExW, GetFileAttributesExW, AreFileApisANSI, GetFileInformationByHandleEx, EncodePointer, DecodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, InitializeSListHead, IsDebuggerPresent, RtlUnwind, InterlockedPushEntrySList, LoadLibraryExW, ExitProcess, ExitThread, FreeLibraryAndExitThread, SetConsoleCtrlHandler, SetStdHandle, SetFilePointerEx, GetDriveTypeW, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetTimeZoneInformation, GetConsoleOutputCP, HeapReAlloc, HeapSize, HeapAlloc, HeapFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetCommandLineA
USER32.dll | CreateWindowExW, DestroyWindow, ShowWindow, ToUnicode, MapVirtualKeyW, DestroyIcon, GetDC, ReleaseDC, ChangeDisplaySettingsExW, EnumDisplaySettingsW, EnumDisplaySettingsExW, EnumDisplayDevicesW, GetMonitorInfoW, EnumDisplayMonitors, TrackMouseEvent, GetMessageTime, SendMessageW, PostMessageW, WaitMessage, GetLayeredWindowAttributes, SetLayeredWindowAttributes, FlashWindow, MoveWindow, SetWindowPos, GetWindowPlacement, SetWindowPlacement, IsWindowVisible, IsIconic, BringWindowToTop, IsZoomed, OpenClipboard, CloseClipboard, SetClipboardData, GetClipboardData, EmptyClipboard, SetFocus, GetActiveWindow, GetKeyState, SetCapture, ReleaseCapture, MsgWaitForMultipleObjects, SetForegroundWindow, SetPropW, GetPropW, RemovePropW, SetWindowTextW, GetClientRect, GetWindowRect, AdjustWindowRectEx, SetCursorPos, SetCursor, ClientToScreen, ScreenToClient, WindowFromPoint, ClipCursor, SetRect, OffsetRect, PtInRect, GetWindowLongW, SetWindowLongW, GetClassLongW, RegisterClassExW, LoadImageW, CreateIconIndirect, SystemParametersInfoW, MonitorFromWindow, GetRawInputData, RegisterRawInputDevices, GetRawInputDeviceInfoA, GetRawInputDeviceList, GetProcessWindowStation, GetUserObjectInformationW, MessageBoxW, GetCursorPos, GetSystemMetrics, TranslateMessage, DispatchMessageW, PeekMessageW, RegisterDeviceNotificationW, UnregisterDeviceNotification, DefWindowProcW, UnregisterClassW, LoadCursorW
SHELL32.dll | DragQueryFileW, ShellExecuteW, DragAcceptFiles, DragFinish, DragQueryPoint
OPENGL32.dll | glClear, glEnable
WS2_32.dll | inet_ntop, inet_pton, WSAWaitForMultipleEvents, WSAEventSelect, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent, sendto, recvfrom, getpeername, shutdown, socket, setsockopt, listen, connect, closesocket, bind, accept, send, recv, WSASetLastError, WSAIoctl, getservbyport, gethostbyaddr, inet_ntoa, getaddrinfo, freeaddrinfo, gethostname, WSARecv, inet_addr, htons, htonl, WSAGetLastError, gethostbyname, select, ntohs, getsockopt, getsockname, ioctlsocket, WSACleanup, WSAStartup, WSASend, ntohl, WSASendTo, WSARecvFrom, getservbyname, __WSAFDIsSet
bcrypt.dll | BCryptGenRandom
SHLWAPI.dll | PathFileExistsW
CRYPT32.dll | CertCloseStore, CertEnumCertificatesInStore, CertFindCertificateInStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertGetCertificateContextProperty, CertOpenSystemStoreW, CryptStringToBinaryW, PFXImportCertStore, CryptDecodeObjectEx, CertAddCertificateContextToStore, CertFindExtension, CertGetNameStringW, CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFreeCertificateChain, CertOpenStore
GDI32.dll | CreateDCW, DeleteDC, GetDeviceCaps, GetDeviceGammaRamp, SetDeviceGammaRamp, CreateBitmap, CreateRectRgn, DeleteObject, CreateDIBSection, ChoosePixelFormat, DescribePixelFormat, SetPixelFormat, SwapBuffers
ADVAPI32.dll | InitializeSecurityDescriptor, SetSecurityDescriptorDacl, CryptEncrypt, CryptImportKey, CryptHashData, CryptGetHashParam, CryptEnumProvidersW, CryptSignHashW, CryptDestroyHash, CryptCreateHash, CryptDecrypt, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptDestroyKey, CryptAcquireContextW, ReportEventW, RegisterEventSourceW, DeregisterEventSource, CryptReleaseContext, CryptGenRandom
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 11, 2024 16:38:32.366060019 CET | 49888 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:32.366100073 CET | 443 | 49888 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:32.366180897 CET | 49888 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:32.390789986 CET | 49888 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:32.390814066 CET | 443 | 49888 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:33.946805954 CET | 443 | 49888 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:33.947333097 CET | 49888 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:33.951332092 CET | 49888 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:33.951349974 CET | 443 | 49888 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:33.951719046 CET | 443 | 49888 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:33.957169056 CET | 49888 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:34.003334045 CET | 443 | 49888 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:34.459055901 CET | 443 | 49888 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:34.459134102 CET | 443 | 49888 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:34.459191084 CET | 49888 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:34.467292070 CET | 49888 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:34.467317104 CET | 443 | 49888 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:34.488056898 CET | 49894 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:34.488096952 CET | 443 | 49894 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:34.488166094 CET | 49894 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:34.488465071 CET | 49894 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:34.488472939 CET | 443 | 49894 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:35.876096964 CET | 443 | 49894 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:35.876313925 CET | 49894 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:35.877449989 CET | 49894 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:35.877461910 CET | 443 | 49894 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:35.878482103 CET | 443 | 49894 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:35.878887892 CET | 49894 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:35.919358969 CET | 443 | 49894 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:36.392791986 CET | 443 | 49894 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:36.392868996 CET | 443 | 49894 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:38:36.393044949 CET | 49894 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:36.393531084 CET | 49894 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:38:36.393553972 CET | 443 | 49894 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:00.441977024 CET | 50015 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:00.442020893 CET | 443 | 50015 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:00.442121983 CET | 50015 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:00.452136993 CET | 50015 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:00.452156067 CET | 443 | 50015 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:01.820230961 CET | 443 | 50015 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:01.822036982 CET | 50015 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:01.822036982 CET | 50015 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:01.822067022 CET | 443 | 50015 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:01.822396040 CET | 443 | 50015 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:01.824919939 CET | 50015 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:01.871331930 CET | 443 | 50015 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:02.338505983 CET | 443 | 50015 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:02.338689089 CET | 443 | 50015 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:02.338901997 CET | 50015 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:02.915812969 CET | 50015 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:02.915843010 CET | 443 | 50015 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:03.305406094 CET | 50016 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:03.305437088 CET | 443 | 50016 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:03.305497885 CET | 50016 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:03.306375980 CET | 50016 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:03.306390047 CET | 443 | 50016 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:04.810597897 CET | 443 | 50016 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:04.810746908 CET | 50016 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:04.811980009 CET | 50016 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:04.811995983 CET | 443 | 50016 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:04.812362909 CET | 443 | 50016 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:04.812828064 CET | 50016 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:04.855333090 CET | 443 | 50016 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:05.353729963 CET | 443 | 50016 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:05.353912115 CET | 443 | 50016 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:05.354007006 CET | 50016 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:05.354492903 CET | 50016 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:05.354515076 CET | 443 | 50016 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:10.254962921 CET | 50017 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:10.255078077 CET | 443 | 50017 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:10.255192041 CET | 50017 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:10.400106907 CET | 50017 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:10.400192022 CET | 443 | 50017 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:11.938961029 CET | 443 | 50017 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:11.939037085 CET | 50017 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:11.940447092 CET | 50017 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:11.940469027 CET | 443 | 50017 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:11.940814018 CET | 443 | 50017 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:11.943142891 CET | 50017 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:11.983352900 CET | 443 | 50017 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:12.454999924 CET | 443 | 50017 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:12.455147982 CET | 443 | 50017 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:12.455229998 CET | 50017 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:12.455677986 CET | 50017 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:12.455714941 CET | 443 | 50017 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:12.503659964 CET | 50018 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:12.503695965 CET | 443 | 50018 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:12.503766060 CET | 50018 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:12.504134893 CET | 50018 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:12.504151106 CET | 443 | 50018 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:13.856957912 CET | 443 | 50018 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:13.857073069 CET | 50018 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:13.874094963 CET | 50018 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:13.874123096 CET | 443 | 50018 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:13.874456882 CET | 443 | 50018 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:13.874792099 CET | 50018 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:13.915366888 CET | 443 | 50018 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:14.375158072 CET | 443 | 50018 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:14.375241995 CET | 443 | 50018 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:14.375293016 CET | 50018 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:14.375745058 CET | 50018 | 443 | 192.168.2.6 | 47.251.36.78
Dec 11, 2024 16:40:14.375770092 CET | 443 | 50018 | 47.251.36.78 | 192.168.2.6
Dec 11, 2024 16:40:26.802272081 CET | 50020 | 443 | 192.168.2.6 | 193.188.22.41
Dec 11, 2024 16:40:26.802390099 CET | 443 | 50020 | 193.188.22.41 | 192.168.2.6
Dec 11, 2024 16:40:26.802525043 CET | 50020 | 443 | 192.168.2.6 | 193.188.22.41
Dec 11, 2024 16:40:26.848006010 CET | 50020 | 443 | 192.168.2.6 | 193.188.22.41
Dec 11, 2024 16:40:26.848054886 CET | 443 | 50020 | 193.188.22.41 | 192.168.2.6
Dec 11, 2024 16:40:26.848107100 CET | 50020 | 443 | 192.168.2.6 | 193.188.22.41
Dec 11, 2024 16:40:26.848149061 CET | 443 | 50020 | 193.188.22.41 | 192.168.2.6
Dec 11, 2024 16:40:26.848237038 CET | 443 | 50020 | 193.188.22.41 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 11, 2024 16:38:32.025015116 CET | 58842 | 53 | 192.168.2.6 | 1.1.1.1
Dec 11, 2024 16:38:32.274629116 CET | 53 | 58842 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 11, 2024 16:38:32.025015116 CET | 192.168.2.6 | 1.1.1.1 | 0x5182 | Standard query (0) | vip.bitwarsoft.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 11, 2024 16:38:32.274629116 CET | 1.1.1.1 | 192.168.2.6 | 0x5182 | No error (0) | vip.bitwarsoft.com |  | 47.251.36.78 | A (IP address) | IN (0x0001) | false
                                                                                  • vip.bitwarsoft.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49888 | 47.251.36.78 | 443 | 5396 | C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-11 15:38:33 UTC | 187 | OUT | GET /v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1
    Host: vip.bitwarsoft.com
    Authorization: Basic cm9vdDpwYXNz
    Accept: */*
2024-12-11 15:38:34 UTC | 421 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 11 Dec 2024 15:38:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Set-Cookie: PHPSESSID=7h500shr2l0sq96v6ig8smnkk0; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Strict-Transport-Security: max-age=31536000
2024-12-11 15:38:34 UTC | 34 | IN | Data Raw: 31 37 0d 0a 7b 22 72 65 73 75 6c 74 22 3a 31 2c 22 6f 70 65 6e 22 3a 22 31 22 7d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 17{"result":1,"open":"1"}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49894 | 47.251.36.78 | 443 | 5396 | C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-11 15:38:35 UTC | 183 | OUT | GET /v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1
    Host: vip.bitwarsoft.com
    Authorization: Basic cm9vdDpwYXNz
    Accept: */*
2024-12-11 15:38:36 UTC | 421 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 11 Dec 2024 15:38:36 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Set-Cookie: PHPSESSID=92am2gmj9dfet64knotlgvj1p0; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Strict-Transport-Security: max-age=31536000
2024-12-11 15:38:36 UTC | 779 | IN | Data Raw: 32 66 66 0d 0a 7b 22 66 65 65 5f 63 6f 6e 66 69 67 22 3a 5b 7b 22 69 64 22 3a 22 31 37 22 2c 22 66 65 65 5f 6d 6f 6e 22 3a 22 39 22 2c 22 66 65 65 5f 6d 6f 6e 33 22 3a 22 30 22 2c 22 66 65 65 5f 6d 6f 6e 36 22 3a 22 30 22 2c 22 66 65 65 5f 79 65 61 72 22 3a 22 31 39 22 2c 22 66 65 65 5f 79 65 61 72 33 22 3a 22 30 22 2c 22 66 65 65 5f 6c 69 66 65 74 69 6d 65 22 3a 22 33 39 22 2c 22 70 72 6f 64 75 63 74 5f 69 64 22 3a 22 31 30 33 31 22 2c 22 70 61 72 74 6e 65 72 5f 69 64 22 3a 22 30 22 2c 22 6f 70 65 6e 22 3a 22 31 22 2c 22 6c 65 76 65 6c 22 3a 22 30 22 2c 22 6c 69 6d 69 74 5f 63 6f 75 6e 74 22 3a 22 30 22 2c 22 75 69 64 5f 63 6f 75 6e 74 22 3a 22 33 22 2c 22 63 72 65 61 74 65 54 69 6d 65 22 3a 22 31 35 39 38 34 39 32 35 39 31 22 2c 22 6c 69 6d 69 74 5f 73
    Data Ascii: 2ff{"fee_config":[{"id":"17","fee_mon":"9","fee_mon3":"0","fee_mon6":"0","fee_year":"19","fee_year3":"0","fee_lifetime":"39","product_id":"1031","partner_id":"0","open":"1","level":"0","limit_count":"0","uid_count":"3","createTime":"1598492591","limit_s


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 50015 | 47.251.36.78 | 443 | 1048 | C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-11 15:40:01 UTC | 187 | OUT | GET /v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1
    Host: vip.bitwarsoft.com
    Authorization: Basic cm9vdDpwYXNz
    Accept: */*
2024-12-11 15:40:02 UTC | 421 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 11 Dec 2024 15:40:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Set-Cookie: PHPSESSID=om4do4vadttejtnkncc7rhhat1; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Strict-Transport-Security: max-age=31536000
2024-12-11 15:40:02 UTC | 34 | IN | Data Raw: 31 37 0d 0a 7b 22 72 65 73 75 6c 74 22 3a 31 2c 22 6f 70 65 6e 22 3a 22 31 22 7d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 17{"result":1,"open":"1"}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 50016 | 47.251.36.78 | 443 | 1048 | C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-11 15:40:04 UTC | 183 | OUT | GET /v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1
    Host: vip.bitwarsoft.com
    Authorization: Basic cm9vdDpwYXNz
    Accept: */*
2024-12-11 15:40:05 UTC | 421 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 11 Dec 2024 15:40:05 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Set-Cookie: PHPSESSID=r20070ku1aqri8m7kqe5ejmrk2; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Strict-Transport-Security: max-age=31536000
2024-12-11 15:40:05 UTC | 779 | IN | Data Raw: 32 66 66 0d 0a 7b 22 66 65 65 5f 63 6f 6e 66 69 67 22 3a 5b 7b 22 69 64 22 3a 22 31 37 22 2c 22 66 65 65 5f 6d 6f 6e 22 3a 22 39 22 2c 22 66 65 65 5f 6d 6f 6e 33 22 3a 22 30 22 2c 22 66 65 65 5f 6d 6f 6e 36 22 3a 22 30 22 2c 22 66 65 65 5f 79 65 61 72 22 3a 22 31 39 22 2c 22 66 65 65 5f 79 65 61 72 33 22 3a 22 30 22 2c 22 66 65 65 5f 6c 69 66 65 74 69 6d 65 22 3a 22 33 39 22 2c 22 70 72 6f 64 75 63 74 5f 69 64 22 3a 22 31 30 33 31 22 2c 22 70 61 72 74 6e 65 72 5f 69 64 22 3a 22 30 22 2c 22 6f 70 65 6e 22 3a 22 31 22 2c 22 6c 65 76 65 6c 22 3a 22 30 22 2c 22 6c 69 6d 69 74 5f 63 6f 75 6e 74 22 3a 22 30 22 2c 22 75 69 64 5f 63 6f 75 6e 74 22 3a 22 33 22 2c 22 63 72 65 61 74 65 54 69 6d 65 22 3a 22 31 35 39 38 34 39 32 35 39 31 22 2c 22 6c 69 6d 69 74 5f 73
    Data Ascii: 2ff{"fee_config":[{"id":"17","fee_mon":"9","fee_mon3":"0","fee_mon6":"0","fee_year":"19","fee_year3":"0","fee_lifetime":"39","product_id":"1031","partner_id":"0","open":"1","level":"0","limit_count":"0","uid_count":"3","createTime":"1598492591","limit_s


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 50017 | 47.251.36.78 | 443 | 7100 | C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-11 15:40:11 UTC | 187 | OUT | GET /v1.0/share/openflag.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1
    Host: vip.bitwarsoft.com
    Authorization: Basic cm9vdDpwYXNz
    Accept: */*
2024-12-11 15:40:12 UTC | 421 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 11 Dec 2024 15:40:12 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Set-Cookie: PHPSESSID=cjgf8i8leejed4357qqjvcm6c6; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Strict-Transport-Security: max-age=31536000
2024-12-11 15:40:12 UTC | 34 | IN | Data Raw: 31 37 0d 0a 7b 22 72 65 73 75 6c 74 22 3a 31 2c 22 6f 70 65 6e 22 3a 22 31 22 7d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 17{"result":1,"open":"1"}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 50018 | 47.251.36.78 | 443 | 7100 | C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-11 15:40:13 UTC | 183 | OUT | GET /v1.0/pay/config.php?lc=en_GB&product_id=1031&version=220&s=cd46c5ddfefe9b5a9403ee6032585805 HTTP/1.1
    Host: vip.bitwarsoft.com
    Authorization: Basic cm9vdDpwYXNz
    Accept: */*
2024-12-11 15:40:14 UTC | 421 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 11 Dec 2024 15:40:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Set-Cookie: PHPSESSID=jb5lgn5mhniek703i84d4ck330; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Strict-Transport-Security: max-age=31536000
2024-12-11 15:40:14 UTC | 779 | IN | Data Raw: 32 66 66 0d 0a 7b 22 66 65 65 5f 63 6f 6e 66 69 67 22 3a 5b 7b 22 69 64 22 3a 22 31 37 22 2c 22 66 65 65 5f 6d 6f 6e 22 3a 22 39 22 2c 22 66 65 65 5f 6d 6f 6e 33 22 3a 22 30 22 2c 22 66 65 65 5f 6d 6f 6e 36 22 3a 22 30 22 2c 22 66 65 65 5f 79 65 61 72 22 3a 22 31 39 22 2c 22 66 65 65 5f 79 65 61 72 33 22 3a 22 30 22 2c 22 66 65 65 5f 6c 69 66 65 74 69 6d 65 22 3a 22 33 39 22 2c 22 70 72 6f 64 75 63 74 5f 69 64 22 3a 22 31 30 33 31 22 2c 22 70 61 72 74 6e 65 72 5f 69 64 22 3a 22 30 22 2c 22 6f 70 65 6e 22 3a 22 31 22 2c 22 6c 65 76 65 6c 22 3a 22 30 22 2c 22 6c 69 6d 69 74 5f 63 6f 75 6e 74 22 3a 22 30 22 2c 22 75 69 64 5f 63 6f 75 6e 74 22 3a 22 33 22 2c 22 63 72 65 61 74 65 54 69 6d 65 22 3a 22 31 35 39 38 34 39 32 35 39 31 22 2c 22 6c 69 6d 69 74 5f 73
    Data Ascii: 2ff{"fee_config":[{"id":"17","fee_mon":"9","fee_mon3":"0","fee_mon6":"0","fee_year":"19","fee_year3":"0","fee_lifetime":"39","product_id":"1031","partner_id":"0","open":"1","level":"0","limit_count":"0","uid_count":"3","createTime":"1598492591","limit_s
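Two details of the sessions above are worth reproducing offline: every request carries the same static `Authorization: Basic cm9vdDpwYXNz` header, and the responses are chunked, with the 779-byte config.php replies captured only up to the first chunk's prefix. The following is an added example written for this page; it is not part of the Joe Sandbox report and not code from the analysed sample. It decodes the report's "Data Raw" hex dump into the chunked HTTP body (reporting when the capture ends before the terminating chunk), parses the JSON, and decodes the Basic credential. The hex dump and the header value are copied from the sessions above; the function names and the truncated sample used for the incomplete case are mine.

```python
import base64
import binascii
import json

# Copied from Session 0 above: response body to GET /v1.0/share/openflag.php.
OPENFLAG_RAW = (
    "31 37 0d 0a 7b 22 72 65 73 75 6c 74 22 3a 31 2c 22 6f 70 65 6e 22 3a "
    "22 31 22 7d 0d 0a 30 0d 0a 0d 0a"
)

# Copied from every request above.
AUTH_HEADER = "Basic cm9vdDpwYXNz"

# Constructed: the start of a config.php reply (chunk size 0x2ff) cut off the
# way the sandbox capture cuts it off, to exercise the incomplete-body path.
CONFIG_TRUNCATED = b'2ff\r\n{"fee_config":['


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the report's space-separated hex dump into raw bytes."""
    return binascii.unhexlify("".join(dump.split()))


def decode_chunked(data: bytes) -> tuple[bytes, bool]:
    """Decode an HTTP/1.1 chunked body from a (possibly truncated) capture.

    Returns (body, complete). complete is False when the data ends before the
    zero-length terminating chunk, so a caller can still inspect whatever
    prefix of the body was captured instead of discarding it.
    """
    body = bytearray()
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end == -1:
            return bytes(body), False          # chunk-size line cut off
        size_field = data[pos:end].split(b";", 1)[0].strip()  # drop extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            return bytes(body), False          # not a chunk-size line
        pos = end + 2
        if size == 0:
            return bytes(body), True           # terminating chunk reached
        chunk = data[pos:pos + size]
        body += chunk
        if len(chunk) < size:
            return bytes(body), False          # chunk cut off mid-way
        pos += size + 2                        # skip chunk data and its CRLF


def decode_basic_auth(header: str) -> tuple[str, str]:
    """Return (user, password) from an 'Authorization: Basic <b64>' value."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def parse_openflag_response(dump: str) -> dict:
    """Decode a captured openflag.php reply into its JSON object."""
    body, complete = decode_chunked(hexdump_to_bytes(dump))
    if not complete:
        raise ValueError("response body truncated in capture")
    return json.loads(body)


if __name__ == "__main__":
    print(parse_openflag_response(OPENFLAG_RAW))
    print(decode_basic_auth(AUTH_HEADER))
    print(decode_chunked(CONFIG_TRUNCATED))
```

The Basic token decodes to a fixed user and password, so this credential is recoverable from any capture of the traffic; the chunk decoder keeps the partial config.php body rather than failing, which is what you want when triaging sandbox captures that truncate long responses.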


Target ID: 0
Start time: 10:37:20
Start date: 11/12/2024
Path: C:\Users\user\Desktop\wi86CSarYC.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\wi86CSarYC.exe"
Imagebase: 0xf90000
File size: 20'092'696 bytes
MD5 hash: 0897B6AB5240BDB4BBEB3ADF924ADB19
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 8
Start time: 10:38:30
Start date: 11/12/2024
Path: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
Imagebase: 0xf90000
File size: 2'410'320 bytes
MD5 hash: 95D5FAC09D8DF14A4890FB72E6BA046E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2955765534.00000000098EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2949959454.0000000008869000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.3281325799.000000000936A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2950563614.000000000886E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2939685437.000000000886F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2946959041.0000000009364000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2934703112.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2943491260.0000000008869000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2946443072.0000000008865000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2946443072.0000000008865000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.3281969086.0000000009FA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.3281969086.0000000009FA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2945820818.0000000009362000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2938024839.000000000887B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2952078384.000000000886A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2952078384.000000000886A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.3282499501.000000000B37F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.3282499501.000000000B37F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2933959466.000000000887A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2933959466.000000000887A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2952675287.0000000009364000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2952675287.0000000009364000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2951222884.0000000009360000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2951222884.0000000009360000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2935995229.00000000082E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000008.00000003.2935995229.00000000082E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 9
Start time: 10:39:58
Start date: 11/12/2024
Path: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
Imagebase: 0xf90000
File size: 2'410'320 bytes
MD5 hash: 95D5FAC09D8DF14A4890FB72E6BA046E
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.3837968195.00000000085C2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000009.00000003.3837968195.00000000085C2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.3835520008.00000000085C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000009.00000003.3835520008.00000000085C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.3849575732.000000000804B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000009.00000003.3849575732.000000000804B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4042529002.00000000085C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000009.00000002.4042529002.00000000085C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.3841384821.00000000085C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000009.00000003.3841384821.00000000085C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4043144948.000000000964E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000009.00000002.4043144948.000000000964E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.3837473236.0000000008049000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000009.00000003.3837473236.0000000008049000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.3838408464.00000000090D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000009.00000003.3838408464.00000000090D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.3835974239.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000009.00000003.3835974239.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.3845310118.0000000009659000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000009.00000003.3845310118.0000000009659000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.3893442861.000000000964A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000009.00000003.3893442861.000000000964A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4042863226.0000000008B46000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000009.00000002.4042863226.0000000008B46000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.3846624601.0000000008040000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000009.00000003.3846624601.0000000008040000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.3894502013.0000000009BCA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000009.00000003.3894502013.0000000009BCA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 10
Start time: 10:39:59
Start date: 11/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 10:40:00
Start date: 11/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 10:40:00
Start date: 11/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
Imagebase: 0x1b0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 10:40:08
Start date: 11/12/2024
Path: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Programs\Ease Organizer Plus\EasePaint.exe"
Imagebase: 0x7ff7b2a00000
File size: 2'410'320 bytes
MD5 hash: 95D5FAC09D8DF14A4890FB72E6BA046E
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.3929757739.00000000087F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000D.00000003.3929757739.00000000087F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.3923212377.0000000008D71000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000D.00000003.3923212377.0000000008D71000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.3922758058.00000000087F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000D.00000003.3922758058.00000000087F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4042673545.0000000008271000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000D.00000002.4042673545.0000000008271000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.3929131466.0000000008D73000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000D.00000003.3929131466.0000000008D73000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.3925800807.00000000092FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000D.00000003.3925800807.00000000092FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.3926678062.0000000008277000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000D.00000003.3926678062.0000000008277000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.3924670964.0000000008D79000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000D.00000003.3924670964.0000000008D79000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4042971149.0000000008D70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000D.00000002.4042971149.0000000008D70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.3928597756.0000000009884000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000D.00000003.3928597756.0000000009884000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.3925429184.00000000087F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 0000000D.00000003.3925429184.00000000087F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 12.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.4%
Total number of Nodes: 516
Total number of Limit Nodes: 24
___free_lconv_mon 10 API calls 1797->1799 1798->1765 1799->1797 1800->1685 1873 13f6384 1801->1873 1804 13f657b 1807 13f6587 __dosmaperr 1804->1807 1805 140eed9 __dosmaperr 10 API calls 1814 13f65b8 1805->1814 1806 13f65d7 1810 13f6fc7 __dosmaperr 10 API calls 1806->1810 1807->1805 1807->1806 1809 13f65e9 1807->1809 1807->1814 1808 13f65c1 1808->1590 1811 13f661f __dosmaperr 1809->1811 1887 1407849 EnterCriticalSection 1809->1887 1812 13f65dc 1810->1812 1817 13f665c 1811->1817 1818 13f6759 1811->1818 1829 13f668a 1811->1829 1884 13f6eb3 1812->1884 1814->1806 1814->1808 1814->1809 1824 140ed88 38 API calls 1817->1824 1817->1829 1820 13f6764 1818->1820 1892 1407891 LeaveCriticalSection 1818->1892 1822 13ef3e2 17 API calls 1820->1822 1828 13f676c __dosmaperr 1822->1828 1823 13f66df 1823->1808 1833 140ed88 38 API calls 1823->1833 1826 13f667f 1824->1826 1825 140ed88 38 API calls 1825->1823 1827 140ed88 38 API calls 1826->1827 1827->1829 1830 13f6795 1828->1830 1835 13f67a3 1828->1835 1888 13f6705 1829->1888 1893 13f6504 1830->1893 1832 13f686d 1904 1407849 EnterCriticalSection 1832->1904 1833->1808 1835->1832 1836 13f67d3 1835->1836 1838 140eed9 __dosmaperr 10 API calls 1836->1838 1846 13f679d 1836->1846 1837 13f687a 1839 13f689c SetConsoleCtrlHandler 1837->1839 1845 13f68ad __dosmaperr 1837->1845 1840 13f67eb 1838->1840 1841 13f68b6 GetLastError 1839->1841 1839->1845 1840->1846 1897 141011a 1840->1897 1905 13f6fb4 1841->1905 1908 13f6915 1845->1908 1846->1590 1848 13f6cd3 1847->1848 1849 13f6cff IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 1848->1849 1852 13f6dd0 1849->1852 1851 13f6dee 1851->1592 1976 13e2646 1852->1976 1984 13ef252 1853->1984 1857 13f7a75 1856->1857 1858 13f7a7d 1856->1858 1859 140f3e4 ___free_lconv_mon 10 API calls 1857->1859 1858->1606 1859->1858 1861 13f7a6a 10 API calls 1860->1861 1862 13f7a92 1861->1862 2059 13f7ac3 1862->2059 2062 1411c8f 1865->2062 1869 13f6fb4 __dosmaperr 10 API calls 1868->1869 1870 13f6f78 
__dosmaperr 1869->1870 1871 13f6fc7 __dosmaperr 10 API calls 1870->1871 1872 13f6f8b 1871->1872 1872->1614 1874 13f6390 __dosmaperr 1873->1874 1879 1407849 EnterCriticalSection 1874->1879 1876 13f639e 1880 13f63e0 1876->1880 1879->1876 1883 1407891 LeaveCriticalSection 1880->1883 1882 13f63c9 1882->1590 1882->1804 1883->1882 1911 13f6dff 1884->1911 1887->1811 1889 13f6709 1888->1889 1890 13f66d1 1888->1890 1974 1407891 LeaveCriticalSection 1889->1974 1890->1808 1890->1823 1890->1825 1892->1820 1894 13f652b 1893->1894 1895 13f6511 1893->1895 1894->1846 1895->1894 1896 13f6fc7 __dosmaperr 10 API calls 1895->1896 1896->1894 1898 1410158 1897->1898 1902 1410128 __dosmaperr 1897->1902 1900 13f6fc7 __dosmaperr 10 API calls 1898->1900 1899 1410143 RtlAllocateHeap 1901 1410156 1899->1901 1899->1902 1900->1901 1901->1846 1902->1898 1902->1899 1903 14095e9 __dosmaperr 2 API calls 1902->1903 1903->1902 1904->1837 1906 140eed9 __dosmaperr 10 API calls 1905->1906 1907 13f6fb9 1906->1907 1907->1845 1975 1407891 LeaveCriticalSection 1908->1975 1910 13f691c 1910->1846 1912 13f6e11 1911->1912 1917 13f6e36 1912->1917 1914 13f6e29 1928 13ef55a 1914->1928 1918 13f6e46 1917->1918 1919 13f6e4d 1917->1919 1934 13ef6ca GetLastError 1918->1934 1924 13f6e5b 1919->1924 1938 13f6c8e 1919->1938 1922 13f6e82 1922->1924 1941 13f6ee0 IsProcessorFeaturePresent 1922->1941 1924->1914 1925 13f6eb2 1926 13f6dff 40 API calls 1925->1926 1927 13f6ebf 1926->1927 1927->1914 1929 13ef566 1928->1929 1930 13ef57d 1929->1930 1967 13ef710 1929->1967 1932 13ef590 1930->1932 1933 13ef710 40 API calls 1930->1933 1932->1808 1933->1932 1935 13ef6e3 1934->1935 1945 140ef8d 1935->1945 1939 13f6c99 GetLastError SetLastError 1938->1939 1940 13f6cb2 1938->1940 1939->1922 1940->1922 1942 13f6eec 1941->1942 1943 13f6cb7 8 API calls 1942->1943 1944 13f6f01 GetCurrentProcess TerminateProcess 1943->1944 1944->1925 1946 140efa0 1945->1946 1947 140efa6 1945->1947 1949 140fc60 __dosmaperr 2 API calls 1946->1949 1948 140fc9f 
__dosmaperr 2 API calls 1947->1948 1965 13ef6fb SetLastError 1947->1965 1950 140efc0 1948->1950 1949->1947 1951 140f268 __dosmaperr 10 API calls 1950->1951 1950->1965 1952 140efd0 1951->1952 1953 140efd8 1952->1953 1954 140efed 1952->1954 1956 140fc9f __dosmaperr 2 API calls 1953->1956 1955 140fc9f __dosmaperr 2 API calls 1954->1955 1957 140eff9 1955->1957 1958 140efe4 1956->1958 1959 140f00c 1957->1959 1960 140effd 1957->1960 1963 140f3e4 ___free_lconv_mon 10 API calls 1958->1963 1962 140ebb6 __dosmaperr 10 API calls 1959->1962 1961 140fc9f __dosmaperr 2 API calls 1960->1961 1961->1958 1964 140f017 1962->1964 1963->1965 1966 140f3e4 ___free_lconv_mon 10 API calls 1964->1966 1965->1919 1966->1965 1968 13ef71a 1967->1968 1969 13ef723 1967->1969 1970 13ef6ca 12 API calls 1968->1970 1969->1930 1971 13ef71f 1970->1971 1971->1969 1972 13f753e 40 API calls 1971->1972 1973 13ef72c 1972->1973 1973->1930 1974->1890 1975->1910 1977 13e264e 1976->1977 1978 13e264f IsProcessorFeaturePresent 1976->1978 1977->1851 1980 13e33fc 1978->1980 1983 13e33bf SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 1980->1983 1982 13e34df 1982->1851 1983->1982 1985 13ef27f 1984->1985 1986 13ef291 1984->1986 2011 13e3d80 GetModuleHandleW 1985->2011 1996 13ef0e3 1986->1996 1991 13ef2ce 1991->1598 1991->1599 1995 13ef2e3 1997 13ef0ef __dosmaperr 1996->1997 2019 1407849 EnterCriticalSection 1997->2019 1999 13ef0f9 2020 13ef16a 1999->2020 2001 13ef106 2024 13ef124 2001->2024 2004 13ef2e9 2049 13ef31a 2004->2049 2006 13ef2f3 2007 13ef307 2006->2007 2008 13ef2f7 GetCurrentProcess TerminateProcess 2006->2008 2009 13ef333 3 API calls 2007->2009 2008->2007 2010 13ef30f ExitProcess 2009->2010 2012 13e3d8c 2011->2012 2012->1986 2013 13ef333 GetModuleHandleExW 2012->2013 2014 13ef372 GetProcAddress 2013->2014 2015 13ef393 2013->2015 2014->2015 2018 13ef386 2014->2018 2016 13ef399 FreeLibrary 2015->2016 2017 13ef290 2015->2017 2016->2017 2017->1986 2018->2015 2019->1999 
2023 13ef176 __dosmaperr 2020->2023 2022 13ef1da 2022->2001 2023->2022 2027 140a235 2023->2027 2048 1407891 LeaveCriticalSection 2024->2048 2026 13ef112 2026->1991 2026->2004 2028 140a241 __EH_prolog3 2027->2028 2031 1409f8d 2028->2031 2030 140a268 2030->2022 2032 1409f99 __dosmaperr 2031->2032 2039 1407849 EnterCriticalSection 2032->2039 2034 1409fa7 2040 140a145 2034->2040 2039->2034 2041 1409fb4 2040->2041 2042 140a164 2040->2042 2044 1409fdc 2041->2044 2042->2041 2043 140f3e4 ___free_lconv_mon 10 API calls 2042->2043 2043->2041 2047 1407891 LeaveCriticalSection 2044->2047 2046 1409fc5 2046->2030 2047->2046 2048->2026 2052 140e09b 2049->2052 2051 13ef31f 2051->2006 2053 140e0aa 2052->2053 2054 140e0b7 2053->2054 2056 140fa92 2053->2056 2054->2051 2057 140fa0d __dosmaperr GetProcAddress 2056->2057 2058 140faae 2057->2058 2058->2054 2060 141011a 11 API calls 2059->2060 2061 13f7aa3 2060->2061 2061->1606 2063 1411ca0 MultiByteToWideChar 2062->2063 2063->1605 2065 140fa0d __dosmaperr GetProcAddress 2064->2065 2066 140faee 2065->2066 2066->1547 2068 140eed9 __dosmaperr 10 API calls 2067->2068 2070 13effa6 2068->2070 2069 13effe8 ExitThread 2070->2069 2072 13effbf 2070->2072 2076 1410004 2070->2076 2073 13effd2 2072->2073 2074 13effcb CloseHandle 2072->2074 2073->2069 2075 13effde FreeLibraryAndExitThread 2073->2075 2074->2073 2075->2069 2077 140fa0d __dosmaperr GetProcAddress 2076->2077 2078 141001d 2077->2078 2078->2072 2079 141011a 2080 1410158 2079->2080 2084 1410128 __dosmaperr 2079->2084 2082 13f6fc7 __dosmaperr 10 API calls 2080->2082 2081 1410143 RtlAllocateHeap 2083 1410156 2081->2083 2081->2084 2082->2083 2084->2080 2084->2081 2085 14095e9 __dosmaperr 2 API calls 2084->2085 2085->2084 2086 13ef3e2 2087 13ef252 17 API calls 2086->2087 2088 13ef3f3 2087->2088 2089 13e4370 2090 13e438e 2089->2090 2105 13e4330 2090->2105 2092 13e443d 2093 13e440e 2093->2092 2095 13e4330 _ValidateLocalCookies 5 API calls 2093->2095 2094 13e43ac ___except_validate_context_record 
2094->2092 2094->2093 2098 13e444a __IsNonwritableInCurrentImage 2094->2098 2095->2092 2096 13e8530 RtlUnwind 2097 13e4497 2096->2097 2099 13e4330 _ValidateLocalCookies 5 API calls 2097->2099 2098->2096 2101 13e44bd 2099->2101 2100 13e451e 2101->2100 2102 13e4508 2101->2102 2103 140379f 40 API calls 2101->2103 2104 13f5db9 10 API calls 2102->2104 2103->2102 2104->2100 2106 13e434f 2105->2106 2107 13e4342 2105->2107 2108 13e2646 _ValidateLocalCookies 5 API calls 2107->2108 2108->2106 2134 13e84a0 2135 13e84b2 2134->2135 2137 13e84c0 2134->2137 2136 13e2646 _ValidateLocalCookies 5 API calls 2135->2136 2136->2137

Callgraph

Rendered callgraph (nodes named Function_<address>, e.g. Function_013F753E, with call edges between them) omitted; only the serialized graph data and its legend were present here.

Control-flow Graph

APIs
  • Part of subcall function 0140EED9: GetLastError.KERNEL32(00000000,?,013F6FCC,0140F2BA,?,?,0140EDD5,00000001,00000364,?,00000006,000000FF,?,013EFF0B,015B3860,0000000C), ref: 0140EEDD
  • Part of subcall function 0140EED9: SetLastError.KERNEL32(00000000), ref: 0140EF7F
• CloseHandle.KERNEL32(?,?,?,013F00D2,?,?,013EFF44,00000000), ref: 013EFFCC
• FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,013F00D2,?,?,013EFF44,00000000), ref: 013EFFE2
• ExitThread.KERNEL32 ref: 013EFFEB
Memory Dump Source
• Source File: 00000000.00000002.2891311133.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000000.00000002.2891169415.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891886150.0000000001588000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892093844.00000000015B8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892126194.00000000015C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892156172.00000000015C3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892181590.00000000015C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892181590.0000000001602000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892181590.0000000001604000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892294662.0000000001607000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892294662.000000000161A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892294662.000000000201A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f90000_wi86CSarYC.jbxd
Similarity
• API ID: ErrorExitLastThread$CloseFreeHandleLibrary
• String ID:
• API String ID: 1991824761-0
• Opcode ID: a7080b257df925b79e75d13c29db65ea436a19bbf75cf6ad8b0b6889f3b4677e
• Instruction ID: b62a0b7c6f9172be5ec6e0384aaf3180516474eeff66a021e3cee98f5a4ed64e
• Opcode Fuzzy Hash: a7080b257df925b79e75d13c29db65ea436a19bbf75cf6ad8b0b6889f3b4677e
• Instruction Fuzzy Hash: BAF0E2B0000321ABEB316A79D80CA1A3EDC6F0237CB084614FA25D30F0DBB1D99AC7D0

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32(00000002,?,013EF2E3,013F7581,013F7581,?,00000002,2FA5AB4D,013F7581,00000002), ref: 013EF2FA
• TerminateProcess.KERNEL32(00000000,?,013EF2E3,013F7581,013F7581,?,00000002,2FA5AB4D,013F7581,00000002), ref: 013EF301
• ExitProcess.KERNEL32 ref: 013EF313
Memory Dump Source
• Source File: 00000000.00000002.2891311133.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000000.00000002.2891169415.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891886150.0000000001588000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892093844.00000000015B8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892126194.00000000015C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892156172.00000000015C3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892181590.00000000015C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892181590.0000000001602000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892181590.0000000001604000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892294662.0000000001607000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892294662.000000000161A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892294662.000000000201A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f90000_wi86CSarYC.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: e8b9e601c745a10c02c41031b60fe930dda8328b64874c724e08d374acf468d7
• Instruction ID: eda2d9a11dd03a952727ecb032c850961fa7e1d2d9144b3bbed9a48f03fe3816
• Opcode Fuzzy Hash: e8b9e601c745a10c02c41031b60fe930dda8328b64874c724e08d374acf468d7
• Instruction Fuzzy Hash: E5D09E32000218AFDF217F65E91C9593F69AF50349B444014F99549074CF7599969B81

Control-flow Graph

APIs
• GetLastError.KERNEL32(015B3860,0000000C), ref: 013EFEF9
• ExitThread.KERNEL32 ref: 013EFF00
Memory Dump Source
• Source File: 00000000.00000002.2891311133.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000000.00000002.2891169415.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891886150.0000000001588000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892093844.00000000015B8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892126194.00000000015C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892156172.00000000015C3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892181590.00000000015C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892181590.0000000001602000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892181590.0000000001604000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892294662.0000000001607000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892294662.000000000161A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2892294662.000000000201A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f90000_wi86CSarYC.jbxd
Similarity
• API ID: ErrorExitLastThread
• String ID:
• API String ID: 1611280651-0
• Opcode ID: 9b9a47c3f0b6ab808dc8cf89686106a5dde529aa53957566f36b86b7576fc4df
• Instruction ID: 5896d97a863907e08893c8059b0df18abd1660991766230d7238e0e4a36b07ae
• Opcode Fuzzy Hash: 9b9a47c3f0b6ab808dc8cf89686106a5dde529aa53957566f36b86b7576fc4df
• Instruction Fuzzy Hash: 01F0C2B09003169FDB16BFB6C419A6E3B74FF25614F10045EF506A72B1CB749946CBA2

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 40 140f3e4-140f3ed 41 140f41c-140f41d 40->41 42 140f3ef-140f402 RtlFreeHeap 40->42 42->41 43 140f404-140f41b GetLastError call 13f6f2a call 13f6fc7 42->43 43->41
                                                                                    APIs
                                                                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,0141764D,?,00000000,?,?,014178EE,?,00000007,?,?,01417D94,?,?), ref: 0140F3FA
                                                                                    • GetLastError.KERNEL32(?,?,0141764D,?,00000000,?,?,014178EE,?,00000007,?,?,01417D94,?,?), ref: 0140F405
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2891311133.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2891169415.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2891886150.0000000001588000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892093844.00000000015B8000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892126194.00000000015C0000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892156172.00000000015C3000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.00000000015C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.0000000001602000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.0000000001604000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.0000000001607000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.000000000161A000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.000000000201A000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_f90000_wi86CSarYC.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 485612231-0
                                                                                    • Opcode ID: b34fcb4085419c45152d365550f01a9f53b21a621e2e2150f02ffe9c16db635e
                                                                                    • Instruction ID: 4c0c4cc14180c029f679620d1c028136f6e466a002020a3eb3d8f3a9b5b78fb2
                                                                                    • Opcode Fuzzy Hash: b34fcb4085419c45152d365550f01a9f53b21a621e2e2150f02ffe9c16db635e
                                                                                    • Instruction Fuzzy Hash: FFE08C72100215ABCB322FA9FC08B8A3E5CEB502A9F118035FB08C61B5DA308998CB84

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 48 140f268-140f273 49 140f281-140f287 48->49 50 140f275-140f27f 48->50 52 140f2a0-140f2b1 RtlAllocateHeap 49->52 53 140f289-140f28a 49->53 50->49 51 140f2b5-140f2c0 call 13f6fc7 50->51 58 140f2c2-140f2c4 51->58 54 140f2b3 52->54 55 140f28c-140f293 call 140bc6b 52->55 53->52 54->58 55->51 61 140f295-140f29e call 14095e9 55->61 61->51 61->52
                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(00000008,?,?,?,0140EDD5,00000001,00000364,?,00000006,000000FF,?,013EFF0B,015B3860,0000000C), ref: 0140F2A9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2891311133.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2891169415.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2891886150.0000000001588000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892093844.00000000015B8000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892126194.00000000015C0000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892156172.00000000015C3000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.00000000015C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.0000000001602000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.0000000001604000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.0000000001607000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.000000000161A000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.000000000201A000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_f90000_wi86CSarYC.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1279760036-0
                                                                                    • Opcode ID: 6926e92ad13a5297b1dcf66c921bcaca703b742943c01670ef41af6a6e7e71b3
                                                                                    • Instruction ID: 6916bcac25e37bb5334fb2246b9eb7a4a8b30043abfb0733227aaa71ec26b2da
                                                                                    • Opcode Fuzzy Hash: 6926e92ad13a5297b1dcf66c921bcaca703b742943c01670ef41af6a6e7e71b3
                                                                                    • Instruction Fuzzy Hash: AAF0543A6155266BEB335B2B9C05B6B3B489F51760B18813FED04DB2F4DA32D40A86E4

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 64 141011a-1410126 65 1410158-1410163 call 13f6fc7 64->65 66 1410128-141012a 64->66 74 1410165-1410167 65->74 67 1410143-1410154 RtlAllocateHeap 66->67 68 141012c-141012d 66->68 70 1410156 67->70 71 141012f-1410136 call 140bc6b 67->71 68->67 70->74 71->65 76 1410138-1410141 call 14095e9 71->76 76->65 76->67
                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(00000000,013F760C,?,?,013F7AD0,?,?,013F7AA3,?,00000000,?,?,?,?,013F760C,0140EE42), ref: 0141014C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2891311133.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2891169415.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2891886150.0000000001588000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892093844.00000000015B8000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892126194.00000000015C0000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892156172.00000000015C3000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.00000000015C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.0000000001602000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.0000000001604000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.0000000001607000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.000000000161A000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.000000000201A000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_f90000_wi86CSarYC.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1279760036-0
                                                                                    • Opcode ID: 64d45777a91853ebcf434bd24ffb897ca3bbb3c99dbea06d4ab63abf7f2a844c
                                                                                    • Instruction ID: a8b40fc99d1085bec9b12e806815cf14dd0fbe21119197e0642b1155cd3814b8
                                                                                    • Opcode Fuzzy Hash: 64d45777a91853ebcf434bd24ffb897ca3bbb3c99dbea06d4ab63abf7f2a844c
                                                                                    • Instruction Fuzzy Hash: C8E065311412525BE7322A6A9C15B5B3A4C9F522A1F154127FE05E72F8CB7AC98182A5
                                                                                    APIs
                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 013F6DAF
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 013F6DB9
                                                                                    • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 013F6DC6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2891311133.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2891169415.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2891886150.0000000001588000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892093844.00000000015B8000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892126194.00000000015C0000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892156172.00000000015C3000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.00000000015C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.0000000001602000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.0000000001604000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.0000000001607000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.000000000161A000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.000000000201A000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_f90000_wi86CSarYC.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                    • String ID:
                                                                                    • API String ID: 3906539128-0
                                                                                    • Opcode ID: 970ac43b3155f3f79b56940a6827418b7d52fe66cf8618394558d97102b261ba
                                                                                    • Instruction ID: affdb030e6855189244cff74371803a930f8a8ae87c2a9f1ec62bc1399859320
                                                                                    • Opcode Fuzzy Hash: 970ac43b3155f3f79b56940a6827418b7d52fe66cf8618394558d97102b261ba
                                                                                    • Instruction Fuzzy Hash: 8531D474901329ABCB21DF28D8887CDBBF8BF18314F5041EAE51CA7290E7709B858F44

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 150 13e4370-13e43c1 call 1465613 call 13e4330 call 13e839c 157 13e441d-13e4420 150->157 158 13e43c3-13e43d5 150->158 159 13e4422-13e442f call 13e8550 157->159 160 13e4440-13e4449 157->160 158->160 161 13e43d7-13e43ee 158->161 165 13e4434-13e443d call 13e4330 159->165 163 13e4404 161->163 164 13e43f0-13e43fe call 13e84f0 161->164 167 13e4407-13e440c 163->167 173 13e4414-13e441b 164->173 174 13e4400 164->174 165->160 167->161 170 13e440e-13e4410 167->170 170->160 171 13e4412 170->171 171->165 173->165 175 13e444a-13e4453 174->175 176 13e4402 174->176 177 13e448d-13e449d call 13e8530 175->177 178 13e4455-13e445c 175->178 176->167 183 13e449f-13e44ae call 13e8550 177->183 184 13e44b1-13e44d9 call 13e4330 call 13e8510 177->184 178->177 180 13e445e-13e446d call 1465280 178->180 188 13e446f-13e4487 180->188 189 13e448a 180->189 183->184 196 13e44db-13e44df 184->196 197 13e4523-13e452a 184->197 188->189 189->177 196->197 198 13e44e1 196->198 199 13e452e-13e4530 197->199 200 13e44e4-13e44e9 198->200 200->200 201 13e44eb-13e44fd call 13f6f14 200->201 204 13e44ff-13e4514 call 140379f 201->204 205 13e4518-13e4519 call 13f5db9 201->205 204->205 209 13e451e-13e4521 205->209 209->199
                                                                                    APIs
                                                                                    • _ValidateLocalCookies.LIBCMT ref: 013E43A7
                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 013E43AF
                                                                                    • _ValidateLocalCookies.LIBCMT ref: 013E4438
                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 013E4463
                                                                                    • _ValidateLocalCookies.LIBCMT ref: 013E44B8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2891311133.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2891169415.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2891886150.0000000001588000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892093844.00000000015B8000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892126194.00000000015C0000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892156172.00000000015C3000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.00000000015C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.0000000001602000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.0000000001604000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.0000000001607000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.000000000161A000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.000000000201A000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_f90000_wi86CSarYC.jbxd
                                                                                    Similarity
                                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                    • String ID: csm
                                                                                    • API String ID: 1170836740-1018135373
                                                                                    • Opcode ID: ab0a1c1622e78978acb4e94b4408dba7f82cf4577ec580b2a56d2154faa00507
                                                                                    • Instruction ID: ce8007427bcd97364e901c2aeaeb9c3437920f1ea559c4a74d981ed176d9f7d2
                                                                                    • Opcode Fuzzy Hash: ab0a1c1622e78978acb4e94b4408dba7f82cf4577ec580b2a56d2154faa00507
                                                                                    • Instruction Fuzzy Hash: 3851C434A00329AFCB10DF6DD888A9EBBE5AF4921CF148159E914AB3D1D731E915CF91

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 210 13ef333-13ef370 GetModuleHandleExW 211 13ef372-13ef384 GetProcAddress 210->211 212 13ef393-13ef397 210->212 211->212 215 13ef386-13ef391 211->215 213 13ef399-13ef39c FreeLibrary 212->213 214 13ef3a2-13ef3af 212->214 213->214 215->212
                                                                                    APIs
                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,2FA5AB4D,?,?,00000000,01465740,000000FF,?,013EF30F,00000002,?,013EF2E3,013F7581), ref: 013EF368
                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 013EF37A
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,01465740,000000FF,?,013EF30F,00000002,?,013EF2E3,013F7581), ref: 013EF39C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2891311133.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2891169415.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2891886150.000000000146F000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2891886150.0000000001588000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892093844.00000000015B8000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892126194.00000000015C0000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892156172.00000000015C3000.00000008.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.00000000015C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.0000000001602000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892181590.0000000001604000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.0000000001607000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.000000000161A000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2892294662.000000000201A000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_f90000_wi86CSarYC.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                    • API String ID: 4061214504-1276376045
                                                                                    • Opcode ID: 6edebcd392d1bfd19d9db0cf48df0acf709c42cd4041596c2bb8d797cacc1623
                                                                                    • Instruction ID: fcf23ec929843a5a6abb3c65cbe9357ce67edce937fe36aaa71844a58d239961
                                                                                    • Opcode Fuzzy Hash: 6edebcd392d1bfd19d9db0cf48df0acf709c42cd4041596c2bb8d797cacc1623
                                                                                    • Instruction Fuzzy Hash: 2301DB75704729EFDB218F55DC09FAEBBBCFB04B18F000629F851A62A4D7B59904CB91

                                                                                    Execution Graph

                                                                                    Execution Coverage:1.9%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:3.6%
                                                                                    Total number of Nodes:1030
                                                                                    Total number of Limit Nodes:53
                                                                                    execution_graph (interactive graph widget; its node/edge token stream is not reproduced here. In that stream each node is "<id> <address> [API names | N API calls]" and each edge is "<id>-><id>"; the copy on this page is cut off mid-graph.) Recoverable information from the stream:
                                                                                    • Nodes at 0x1000xxxx (8-digit addresses), libcurl multi interface: curl_multi_setopt and curl_multi_add_handle (1001e884), then a loop at 1001e750 cycling curl_multi_perform (1001e7d8), curl_multi_wait (1001e761) and curl_multi_info_read (1001e7fa) with GetTickCount (10001940) and a WSASetLastError/Sleep helper (100287d0), ending in curl_multi_remove_handle (1001e8c9, 1001e814) and curl_multi_cleanup (1001e8a4); also curl_pushheader_bynum (1000fe2c, 1001e6d8), curl_version (10018740), curl_slist_free_all (1001be80, 1003d0b6, 100061bb), curl_mvsnprintf (1000a859), curl_msnprintf (10034d39).
                                                                                    • Same range, Winsock: getaddrinfo with WSASetLastError (1002c469), socket (10021974, 10027c89), htons (1002c780, 10021472, 1002149d), setsockopt (10021680), ioctlsocket (1002d9a0), connect (10021ca0), send (1000ad97), recv (1000a530, 1000ad4f), closesocket (100218a9, 10021870), WSAGetLastError, WSACleanup (1001e663), FreeLibrary (1002d6d9).
                                                                                    • Same range, runtime: HeapCreate (1004c629), HeapAlloc, HeapReAlloc, HeapFree, HeapDestroy, RtlAllocateHeap (10044abb), RtlReAllocateHeap (10044d0e), RtlFreeHeap (10044e57), GetProcessHeap, VirtualFree, InitializeCriticalSection/DeleteCriticalSection (100347a0), EnterCriticalSection/LeaveCriticalSection, TlsGetValue (10046249), TlsSetValue (10046267), CreateThread (100451fc), ExitThread, InterlockedIncrement, Sleep, GetLastError/SetLastError, GetVersionExA (1003a067, 10045429), GetModuleHandleA (100462dd), GetProcAddress (10046308), GetCommandLineA (100454c7), GetSystemTimeAsFileTime/GetCurrentProcessId/GetCurrentThreadId/QueryPerformanceCounter (1003eeca). CRT internals are labelled by name (__crtCompareStringA_stat, _memset, _memcpy_s, _raise, __getdcwd_nolock, __cftoe2_l, __CRT_INIT@12, __DllMainCRTStartup, among others).
                                                                                    • Same range, failure path (1003ef38): SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess (1003ef49).
                                                                                    • Nodes at ff3df0 and the 0x10xxxxx range (6- and 7-digit addresses; ff3df0 is the entry node): SetUnhandledExceptionFilter and FindWindowW (ff3e2f), followed either by SetForegroundWindow and IsIconic (ff3e55) with ShowWindow (ff3e67), or by CoInitialize, DefWindowProcW and InitCommonControlsEx (ff3e77); GetModuleHandleW and GetProcAddress (fd0643), LoadCursorW and RegisterClassExW (fd0667); GetCurrentThreadId (ff0dc7); GetModuleFileNameW and PathRemoveFileSpecW (1010310); GetPrivateProfileIntW (101041d), SHSetValueW (1010445, 1011a21), WritePrivateProfileStringW (1010498), SHGetValueW (10104cd, 1011904, 10119b4), PathRemoveExtensionW and PathFindFileNameW (10119dd), _wcschr, lstrlenW; RaiseException (fc4150); EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent (1033cdc), WaitForSingleObjectEx (1033dd2); IsProcessorFeaturePresent (1033177, 1090a74); a second SetUnhandledExceptionFilter/UnhandledExceptionFilter/GetCurrentProcess/TerminateProcess path (10335c2); and the decorated CRT symbol __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z.
101706 100216b7 101707 1000a830 104 API calls 101706->101707 101708 100216c3 101707->101708 101708->101638 101710 10021703 101709->101710 101715 1002170f 101709->101715 101711 1003a040 5 API calls 101710->101711 101711->101715 101712 10021735 getsockopt 101713 10021763 setsockopt 101712->101713 101714 10021759 101712->101714 101716 10021716 101713->101716 101714->101713 101714->101716 101715->101712 101715->101716 101716->101653 101723 10020d00 107 API calls 101716->101723 101717->101659 101718->101663 101719->101636 101720->101639 101721->101643 101722->101647 101723->101653 101724->101661 101725->101666 101726->101676 101727->101696 101728->101694 101729->101698 101730->101706 101731 1002d670 101732 1002d679 101731->101732 101738 1002d6aa 101731->101738 101733 1003a040 5 API calls 101732->101733 101734 1002d686 101733->101734 101739 1003a190 GetModuleHandleA 101734->101739 101736 1002d69e 101737 1002d6b0 GetProcAddress 101736->101737 101736->101738 101737->101738 101740 1003a1a6 101739->101740 101741 1003a1aa GetProcAddress 101739->101741 101740->101736 101742 1003a1cd _strpbrk 101741->101742 101743 1003a1f6 101742->101743 101744 1003a1d4 101742->101744 101745 1003a1fa GetProcAddress 101743->101745 101746 1003a21c GetSystemDirectoryA 101743->101746 101747 1003a1e7 LoadLibraryA 101744->101747 101748 1003a1d8 101744->101748 101745->101746 101749 1003a20a LoadLibraryExA 101745->101749 101750 1003a2ca 101746->101750 101751 1003a230 101746->101751 101747->101736 101748->101736 101749->101736 101750->101736 101751->101750 101752 1003a254 GetSystemDirectoryA 101751->101752 101752->101750 101753 1003a260 101752->101753 101754 1003a2c1 LoadLibraryA 101753->101754 101755 1003a2a6 101753->101755 101754->101750 101755->101736 101756 10021fb0 101757 10022006 101756->101757 101758 10021fec 101756->101758 101805 10001940 GetTickCount 101757->101805 101759 1003ef38 __crtCompareStringA_stat 4 API calls 101758->101759 101761 10022002 101759->101761 101762 1002200c 101763 10022081 
101762->101763 101775 100220a7 101762->101775 101847 1000a8c0 104 API calls __crtCompareStringA_stat 101763->101847 101765 1002208c 101766 1003ef38 __crtCompareStringA_stat 4 API calls 101765->101766 101768 100220a3 101766->101768 101769 1002226a 101770 1002239e 101769->101770 101776 10022287 101769->101776 101851 10021ee0 177 API calls 101769->101851 101772 1003ef38 __crtCompareStringA_stat 4 API calls 101770->101772 101773 100223b4 101772->101773 101775->101769 101780 100222ae 101775->101780 101783 100220e0 101775->101783 101806 10021360 SleepEx getsockopt 101775->101806 101848 10028800 11 API calls 101775->101848 101776->101770 101854 100273b0 73 API calls 4 library calls 101776->101854 101778 100221dc WSASetLastError 101778->101775 101778->101783 101779 10021360 3 API calls 101779->101783 101784 100222e0 101780->101784 101785 100222f1 101780->101785 101781 10022386 101855 1000a8c0 104 API calls __crtCompareStringA_stat 101781->101855 101783->101775 101783->101778 101783->101779 101786 1000a830 104 API calls 101783->101786 101802 10021ee0 177 API calls 101783->101802 101849 10001e00 67 API calls 101783->101849 101850 100273b0 73 API calls 4 library calls 101783->101850 101788 10021870 closesocket 101784->101788 101809 10010590 179 API calls 101785->101809 101786->101783 101790 100222e7 101788->101790 101790->101785 101791 100222f8 101791->101770 101793 10022303 101791->101793 101794 1002232b 101793->101794 101795 1002231c 101793->101795 101810 100214d0 101794->101810 101852 10002970 GetTickCount 101795->101852 101798 10022328 101798->101794 101801 1002233f 101803 1003ef38 __crtCompareStringA_stat 4 API calls 101801->101803 101802->101783 101804 10022353 101803->101804 101805->101762 101807 100213a0 WSAGetLastError 101806->101807 101808 100213aa 101806->101808 101807->101808 101808->101775 101809->101791 101811 10021501 101810->101811 101817 10021561 101810->101817 101813 1002151d getpeername 101811->101813 101811->101817 101812 1003ef38 __crtCompareStringA_stat 
4 API calls 101814 10021676 101812->101814 101815 10021545 WSAGetLastError 101813->101815 101816 10021569 _memset 101813->101816 101853 100106b0 104 API calls 101814->101853 101856 100273b0 73 API calls 4 library calls 101815->101856 101820 1002157a getsockname 101816->101820 101817->101812 101819 10021554 101857 1000a8c0 104 API calls __crtCompareStringA_stat 101819->101857 101822 10021592 WSAGetLastError 101820->101822 101823 100215b6 101820->101823 101858 100273b0 73 API calls 4 library calls 101822->101858 101824 10021450 69 API calls 101823->101824 101826 100215ce 101824->101826 101828 100215d2 101826->101828 101829 10021601 101826->101829 101827 100215a1 101859 1000a8c0 104 API calls __crtCompareStringA_stat 101827->101859 101860 10044fd2 65 API calls _raise 101828->101860 101832 10021450 69 API calls 101829->101832 101834 10021628 101832->101834 101833 100215d7 101861 10044fd2 65 API calls _raise 101833->101861 101834->101817 101864 10044fd2 65 API calls _raise 101834->101864 101837 100215de 101862 100273b0 73 API calls 4 library calls 101837->101862 101838 10021631 101865 10044fd2 65 API calls _raise 101838->101865 101841 100215e9 101863 1000a8c0 104 API calls __crtCompareStringA_stat 101841->101863 101842 10021638 101866 100273b0 73 API calls 4 library calls 101842->101866 101845 10021643 101867 1000a8c0 104 API calls __crtCompareStringA_stat 101845->101867 101847->101765 101848->101775 101849->101783 101850->101783 101851->101776 101852->101798 101853->101801 101854->101781 101855->101770 101856->101819 101857->101817 101858->101827 101859->101817 101860->101833 101861->101837 101862->101841 101863->101817 101864->101838 101865->101842 101866->101845 101867->101817 101868 100289b7 101884 100289c0 101868->101884 101869 10028a12 select 101870 10028a99 101869->101870 101871 10028a3e WSAGetLastError 101869->101871 101872 1002887f 101870->101872 101874 10028ae5 101870->101874 101875 10028abf __WSAFDIsSet 101870->101875 101871->101884 101876 10028af4 
__WSAFDIsSet 101874->101876 101877 10028b18 101874->101877 101878 10028ad1 101875->101878 101879 10028ad6 __WSAFDIsSet 101875->101879 101880 10028b06 101876->101880 101881 10028b09 __WSAFDIsSet 101876->101881 101882 10028b27 __WSAFDIsSet 101877->101882 101883 10028b4b 101877->101883 101878->101879 101879->101874 101880->101881 101881->101877 101885 10028b39 101882->101885 101886 10028b3c __WSAFDIsSet 101882->101886 101884->101869 101884->101870 101884->101872 101887 10001940 GetTickCount 101884->101887 101885->101886 101886->101883 101887->101884 101888 f926e5 101893 1025fa0 101888->101893 101890 f926ea 101925 10335ad 29 API calls __onexit 101890->101925 101892 f926f4 101894 fc4fd0 39 API calls 101893->101894 101895 1025fef 101894->101895 101896 102613b 101895->101896 101897 1025ff9 101895->101897 101898 fc4150 RaiseException 101896->101898 101901 fc4fd0 39 API calls 101897->101901 101899 1026145 101898->101899 101900 fc4150 RaiseException 101899->101900 101902 102614f 101900->101902 101903 1026018 101901->101903 101904 fc4150 RaiseException 101902->101904 101903->101899 101905 1026022 101903->101905 101906 1026159 101904->101906 101908 fc4fd0 39 API calls 101905->101908 101907 fc4150 RaiseException 101906->101907 101909 1026163 101907->101909 101910 1026068 101908->101910 101911 10261b0 FreeLibrary 101909->101911 101912 10261b7 101909->101912 101910->101902 101913 1026072 101910->101913 101911->101912 101914 10261be CloseHandle 101912->101914 101915 10261c5 101912->101915 101916 fc4fd0 39 API calls 101913->101916 101914->101915 101915->101890 101917 102608e 101916->101917 101917->101906 101918 1026098 __Getcvt 101917->101918 101919 10260c0 GetModuleFileNameW PathRemoveFileSpecW lstrcatW LoadLibraryW 101918->101919 101920 1026114 101919->101920 101921 102610a 101919->101921 101922 103316c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 101920->101922 101926 f98a90 52 API calls 3 library calls 101921->101926 101924 1026137 101922->101924 
101924->101890 101925->101892 101926->101920 101927 10028d5c 101931 10028d60 101927->101931 101928 10028db4 select 101929 10028dea WSAGetLastError 101928->101929 101935 10028e45 101928->101935 101929->101931 101931->101928 101933 10028d20 101931->101933 101931->101935 101937 10001940 GetTickCount 101931->101937 101932 10028e7d __WSAFDIsSet 101934 10028e93 __WSAFDIsSet 101932->101934 101932->101935 101934->101935 101936 10028ea9 __WSAFDIsSet 101934->101936 101935->101932 101935->101933 101935->101934 101935->101936 101936->101935 101937->101931

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 10162a0-1016792: block/edge listing omitted. The function enters through calls to fd3f90 and 1052af0, issues thirteen GetPrivateProfileStringW reads (each followed by a character-copy loop and a call to fc5c80 when the key is present), then four GetPrivateProfileIntW reads, and returns through 103316c.
                                                                                    APIs
                                                                                    • GetPrivateProfileStringW.KERNEL32(Partner,010D72BC,010C8660,01120FA0,00000010,?), ref: 0101631C
                                                                                    • GetPrivateProfileStringW.KERNEL32(Partner,NewVersion,010C8660,?,00000104,?), ref: 0101633F
                                                                                    • GetPrivateProfileStringW.KERNEL32(Partner,Update,010C8660,?,00000104,?), ref: 0101638E
                                                                                    • GetPrivateProfileStringW.KERNEL32(URL,Line,?,00000104,?), ref: 010163DE
                                                                                    • GetPrivateProfileStringW.KERNEL32(010D2A80,TitleLogo,010C8660,?,00000104,?), ref: 0101642D
                                                                                    • GetPrivateProfileStringW.KERNEL32(010D2A80,TitleText,010C8660,?,00000104,?), ref: 0101647D
                                                                                    • GetPrivateProfileStringW.KERNEL32(010D2A80,AboutLogo,010C8660,?,00000104,?), ref: 010164CD
                                                                                    • GetPrivateProfileStringW.KERNEL32(010D2A80,ProductName,010C8660,?,00000104,?), ref: 0101651D
                                                                                    • GetPrivateProfileStringW.KERNEL32(010D2A80,ShortName,010C8660,?,00000104,?), ref: 0101656D
                                                                                    • GetPrivateProfileStringW.KERNEL32(010D2A80,CompanyName,010C8660,?,00000104,?), ref: 010165BD
                                                                                    • GetPrivateProfileStringW.KERNEL32(010D2A80,OfficialSite,010C8660,?,00000104,?), ref: 0101660D
                                                                                    • GetPrivateProfileStringW.KERNEL32(010D2A80,DlgBgImage,010C8660,?,00000104,?), ref: 0101665D
                                                                                    • GetPrivateProfileStringW.KERNEL32(010D2A80,MsgPayLogo,010C8660,?,00000104,?), ref: 010166AD
                                                                                    • GetPrivateProfileIntW.KERNEL32(010D2A80,ShowOfficial,00000001,?), ref: 010166F4
                                                                                    • GetPrivateProfileIntW.KERNEL32(010D2A80,ShowPrivacy,00000001,?), ref: 01016710
                                                                                    • GetPrivateProfileIntW.KERNEL32(Other,LairtEmit,00000005,?), ref: 0101672C
                                                                                    • GetPrivateProfileIntW.KERNEL32(Other,ShowActive,00000001,?), ref: 01016743
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrivateProfile$String
                                                                                    • String ID: AboutLogo$CompanyName$DlgBgImage$LairtEmit$Line$MsgPayLogo$NewVersion$OfficialSite$Other$Partner$ProductName$ShortName$ShowActive$ShowOfficial$ShowPrivacy$TitleLogo$TitleText$URL$Update$oem.ini
                                                                                    • API String ID: 83056003-3115500347
                                                                                    • Opcode ID: a17aecc5320c6c4311ff93750ce9367db0b36a8a2039d2d1d87247f578f0400c
                                                                                    • Instruction ID: 6cb0aa215b0df59e3e0f3e8a92f8d75ea6221e52de2b33efba8b9bf0e95fa266
                                                                                    • Opcode Fuzzy Hash: a17aecc5320c6c4311ff93750ce9367db0b36a8a2039d2d1d87247f578f0400c
                                                                                    • Instruction Fuzzy Hash: 71D1DA74A8031FABCB60DB65CC86FE5B779EF50B44F0082D9F58466044EBB4A689CF54

                                                                                    Control-flow Graph
                                                                                    control_flow_graph ff3df0-ff4300: block/edge listing omitted. Entry calls 10541ee, installs the SE translator and the unhandled-exception filter, and looks for an existing EasePaintWndClass window with FindWindowW; if one exists it is brought forward (SetForegroundWindow, IsIconic, ShowWindow) and the function returns through 103316c. Otherwise CoInitialize, DefWindowProcW and InitCommonControlsEx run, the initialisers ff0d90, fd0630, 10167a0, 1014380, fd42c0, fd4140, 10162a0 (the oem.ini reader), 1013560, fd4b50, fff1c0, fc91f0, fd3710 and f98bc0 are called, SHGetValueW reads UpDumpDay (failure raises through fc4150), PathFileExistsW checks a path, and SHSetValueW can rewrite UpDumpDay; teardown takes a critical section around DestroyWindow and calls CoUninitialize before the return through 103316c.
                                                                                    APIs
                                                                                    • __set_se_translator.LIBVCRUNTIME ref: 00FF3E2A
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00061440), ref: 00FF3E37
                                                                                    • FindWindowW.USER32(EasePaintWndClass,00000000), ref: 00FF3E49
                                                                                    • SetForegroundWindow.USER32(00000000), ref: 00FF3E56
                                                                                    • IsIconic.USER32(00000000), ref: 00FF3E5D
                                                                                    • ShowWindow.USER32(00000000,00000009), ref: 00FF3E6A
                                                                                    • CoInitialize.OLE32(00000000), ref: 00FF3E79
                                                                                    • DefWindowProcW.USER32(00000000,00000000,00000000,00000000), ref: 00FF3E87
                                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00FF3E9F
                                                                                    • SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UpDumpDay,00000000,00000000,00000004,0156CA88), ref: 00FF3FF2
                                                                                    • PathFileExistsW.SHLWAPI(?), ref: 00FF4037
                                                                                    • SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UpDumpDay,00000004,00000000,00000004), ref: 00FF4072
                                                                                    • EnterCriticalSection.KERNEL32(0112074C,?,?,0156CA88), ref: 00FF4102
                                                                                    • DestroyWindow.USER32(00000000,?,?,0156CA88), ref: 00FF4120
                                                                                    • LeaveCriticalSection.KERNEL32(0112074C,?,?,0156CA88), ref: 00FF4169
                                                                                    • CoUninitialize.OLE32(?,?,0156CA88), ref: 00FF4228
                                                                                    • __Init_thread_footer.LIBCMT ref: 00FF428F
                                                                                    • __Init_thread_footer.LIBCMT ref: 00FF42DD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$CriticalInit_thread_footerSectionValue$CommonControlsDestroyEnterExceptionExistsFileFilterFindForegroundIconicInitInitializeLeavePathProcShowUnhandledUninitialize__set_se_translator
                                                                                    • String ID: %s/%s$C:\Users\user\AppData\Local\Programs\Ease Organizer Plus$EasePaintWndClass$Error.tmp$Software\EasePaintWatermarkRemover$UpDumpDay$run.dat
                                                                                    • API String ID: 2657830758-2213215147
                                                                                    • Opcode ID: 01b0e11278b09aee406177deef2885964eed078088c86950ecaed66eddb9eaf9
                                                                                    • Instruction ID: f59cadc27ea44a555d0156832d6aa9617ad366ace8dc23babeb4dc084cb2d3ba
                                                                                    • Opcode Fuzzy Hash: 01b0e11278b09aee406177deef2885964eed078088c86950ecaed66eddb9eaf9
                                                                                    • Instruction Fuzzy Hash: 21D101719002099FDB34EFA4CC05BAEB7B0FF14720F144228FA91AB394DBB5A954DB91

                                                                                    Control-flow Graph
                                                                                    control_flow_graph fae7e0-faeb3d: block/edge listing omitted. Entry calls 1033910 and 1052af0 twice, then GetVersionExW; LoadLibraryA and each of the four GetProcAddress lookups branch to the epilogue (103316c) on failure. NtOpenSection and NtMapViewOfSection follow, a call to 1053320 precedes NtUnmapViewOfSection, a loop (faea10-faeaae) walks the result, which is passed to fae580, fadfe0 and 1073170 (_strncat), and CloseHandle and FreeLibrary run before the return through 103316c.
APIs
• GetVersionExW.KERNEL32(00000114), ref: 00FAE844
• LoadLibraryA.KERNEL32(ntdll.dll), ref: 00FAE85C
• GetProcAddress.KERNEL32(00000000,ZwOpenSection), ref: 00FAE87B
• GetProcAddress.KERNEL32(ZwMapViewOfSection), ref: 00FAE895
• GetProcAddress.KERNEL32(ZwUnmapViewOfSection), ref: 00FAE8AF
• GetProcAddress.KERNEL32(RtlInitUnicodeString), ref: 00FAE8C9
• NtOpenSection.NTDLL(0111E294,00000004,00000018), ref: 00FAE954
• NtMapViewOfSection.NTDLL(000000FF,00000000,00000000,00001000,?,?,00000001,00000000,00000002), ref: 00FAE9B4
• NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00FAE9E0
• _strncat.LIBCMT ref: 00FAEAF3
• CloseHandle.KERNEL32(00000000), ref: 00FAEB10
• FreeLibrary.KERNEL32(77310000), ref: 00FAEB20
Strings
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: AddressProc$Section$LibraryView$CloseFreeHandleLoadOpenUnmapVersion_strncat
• String ID: %04X$RtlInitUnicodeString$ZwMapViewOfSection$ZwOpenSection$ZwUnmapViewOfSection$ntdll.dll
• API String ID: 1990131577-1503435361
• Opcode ID: 4dc97e519968f7a05745d5cc0a0268a1a747e729082819ae1c89737c3ea469d7
• Instruction ID: 83633f91401859b2a339551df4380841544d8d48e1656e8099d65f5d608d58bc
• Opcode Fuzzy Hash: 4dc97e519968f7a05745d5cc0a0268a1a747e729082819ae1c89737c3ea469d7
• Instruction Fuzzy Hash: 8D8116B1F002199FDB298FA4DC55BDAB7B9AB58350F004139FD49E72C4FB75A9808B90

Control-flow Graph
APIs
• GetPrivateProfileIntW.KERNEL32(Setting,SendAction,00000001,FFFFFFFF), ref: 00FD423A
• GetPrivateProfileIntW.KERNEL32(Setting,RepeatShare,00000000,FFFFFFFF), ref: 00FD424E
• GetPrivateProfileIntW.KERNEL32(Setting,OpenTutorial,00000001,FFFFFFFF), ref: 00FD4262
• GetPrivateProfileIntW.KERNEL32(Setting,EnableShadow,00000001,?), ref: 00FD427B
• GetPrivateProfileIntW.KERNEL32(Setting,ShowDlgBorder,00000000,?), ref: 00FD428F
Strings
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: PrivateProfile
• String ID: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus$Config.ini$EnableShadow$OpenTutorial$RepeatShare$SendAction$Setting$ShowDlgBorder
• API String ID: 1469295129-466980516
• Opcode ID: 07e4cbabc0fa161293ea5f63ab2cd6e538866b6bd35e4e3128ad76665c0f1aff
• Instruction ID: 4f95097523ab8e06fe137ab9fe29f93085ae8bad76007c48a7c69282b5406a09
• Opcode Fuzzy Hash: 07e4cbabc0fa161293ea5f63ab2cd6e538866b6bd35e4e3128ad76665c0f1aff
• Instruction Fuzzy Hash: C941BF71A40705EBC710DFA5DC45B9ABBB5FB04720F048329F825AB281DBB9AA10CFD0

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Programs\Ease Organizer Plus,00000104,B69A1A1E,?,00000000,00000000,?,00000000,00000000), ref: 01010350
• PathRemoveFileSpecW.SHLWAPI(C:\Users\user\AppData\Local\Programs\Ease Organizer Plus), ref: 0101035B
• GetPrivateProfileIntW.KERNEL32(Config,UtilFlag,00000000,?), ref: 01010436
• SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UtilFlag,00000004,00000000,00000004,?,?,00000000), ref: 01010463
• WritePrivateProfileStringW.KERNEL32(Config,UtilFlag,00000000,?), ref: 010104AC
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UtilFlag,00000000,00000000,00000000), ref: 01010513
  • Part of subcall function 00FC4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00FC4167
Strings
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: FilePrivateProfileValue$Exception@8ModuleNamePathRemoveSpecStringThrowWrite
• String ID: C:\Users\user\AppData\Local\Programs\Ease Organizer Plus$Config$Config.ini$Software\EasePaintWatermarkRemover$UtilFlag
• API String ID: 987694952-3649662921
• Opcode ID: b6480c85caeae3d67cd8d17b1871319872dacea5148fb2131704e93444608a95
• Instruction ID: 422b9d7fd40022ca567fc078e8c93a8da2978f5cfff5a8854ada53b383ac983a
• Opcode Fuzzy Hash: b6480c85caeae3d67cd8d17b1871319872dacea5148fb2131704e93444608a95
• Instruction Fuzzy Hash: 0171D170A0060AEFDB10DFA9CC49B9EBBB8FF44324F148269F554EB295D7799900CB90
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,B69A1A1E), ref: 00FC970E
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00FC9792
• InternetOpenW.WININET(010C8660,00000000,00000000,00000000,00000000), ref: 00FC987D
• InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00FC9899
• InternetReadFile.WININET(00000000,00000000,00001000,00000000), ref: 00FC98EF
• InternetCloseHandle.WININET(00000000), ref: 00FC9933
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Internet$ByteCharMultiOpenWide$CloseFileHandleRead
• String ID:
• API String ID: 414901677-0
• Opcode ID: b1ff81461d65475b3da4b0e3e9905b87fa58dbac150595b23c4fedd464b03fcc
• Instruction ID: fe26b566777905feb34c97fc510395f2240c35e14aaf8ec780ce0d3df258422f
• Opcode Fuzzy Hash: b1ff81461d65475b3da4b0e3e9905b87fa58dbac150595b23c4fedd464b03fcc
• Instruction Fuzzy Hash: 3BC1A171901249ABDB10DF68CD0AF9EBBB8EF45324F14825DF815AB3C1D7B99A04CB91
APIs
• CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?), ref: 00FAFAAB
• DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 00FAFAF4
• DeviceIoControl.KERNEL32(00000000,0007C088,00000200,00000020,0111CA20,00000210,00000000,00000000), ref: 00FAFBB1
• _strncat.LIBCMT ref: 00FAFC31
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 00FAFC47
Strings
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: ControlDevice$CloseCreateFileHandle_strncat
• String ID: \\.\PhysicalDrive%d
• API String ID: 1198454261-2935326385
• Opcode ID: f655ec2d477bbda5e3db8f2f723e6b1ce0297aa692061c616875d56cb8183677
• Instruction ID: fe063272b272753937056f4ef0c8efc7029474e4253a071fb857c3101cc5a727
• Opcode Fuzzy Hash: f655ec2d477bbda5e3db8f2f723e6b1ce0297aa692061c616875d56cb8183677
• Instruction Fuzzy Hash: 2E513771E807689EE730CB74CD46BDAB778AF56344F1402D9E548AB182E7B16BC88F44
APIs
• GetVersionExW.KERNEL32(00000114), ref: 00FAEC2C
• CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00FAECA8
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00001000,?,00000000), ref: 00FAECD9
• _strncat.LIBCMT ref: 00FAED05
• CloseHandle.KERNEL32(00000000), ref: 00FAED0E
Strings
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandleVersion_strncat
• String ID: \\.\PhysicalDrive%d
• API String ID: 222023302-2935326385
• Opcode ID: f224c0cd02c51d8b2367900517311a2f8e83c3baa97ce84cd6f6474186bd52e8
• Instruction ID: eff8ed2dd823121945510bc89b22c47f858696c0dc1ab209a5b101d76524d900
• Opcode Fuzzy Hash: f224c0cd02c51d8b2367900517311a2f8e83c3baa97ce84cd6f6474186bd52e8
• Instruction Fuzzy Hash: 9B41FEB1E402186BD730DB54DC86FEEB3BCAB19750F0400B9FA89E6281D7B59F849B51

Control-flow Graph
                                                                                    APIs
                                                                                    • MessageBoxW.USER32(00000000,00000000,Error,00000040), ref: 00FF2AD4
                                                                                      • Part of subcall function 00FC4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00FC4167
                                                                                      • Part of subcall function 01027580: GetPrivateProfileIntW.KERNEL32(Config,ExcepRunAuto,00000001,B69A1A1E), ref: 01027616
                                                                                    • ?SetInstance@CPaintManagerUI@DuiLib@@SAXPAUHINSTANCE__@@@Z.YCOMUIU(B69A1A1E), ref: 00FF2B0E
                                                                                    • ?SetSkinExt@CPaintManagerUI@DuiLib@@SAXPB_W@Z.YCOMUIU(.skin), ref: 00FF2B19
                                                                                    • ?SetSkinPath@CPaintManagerUI@DuiLib@@SAXPB_W@Z.YCOMUIU(?,010C8660,\skin\,C:\Users\user\AppData\Local\Programs\Ease Organizer Plus), ref: 00FF2BBB
                                                                                    • ?SetResourceZip@CPaintManagerUI@DuiLib@@SAXPB_W@Z.YCOMUIU ref: 00FF2BFD
                                                                                    • _wcsstr.LIBVCRUNTIME ref: 00FF2C09
                                                                                    • FindWindowW.USER32(EasePaintWndClass,00000000), ref: 00FF2C20
                                                                                    • PostMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00FF2C31
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00FF310F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@ManagerPaint$MessageSkin$E__@@@Exception@8Ext@FileFindInstance@ModuleNamePath@PostPrivateProfileResourceThrowWindowZip@_wcsstr
                                                                                    • String ID: .skin$/debug$/install$/tjuninstall$/uninstall$C:\Users\user\AppData\Local\Programs\Ease Organizer Plus$D$EasePaintWndClass$Error$SkinLost$\skin\$ext.dll$open$uninst.exe
                                                                                    • API String ID: 2991314517-521379311
                                                                                    • Opcode ID: 5848d47a68f3497389bacfa891cde23fd32053b90f2a67c68e8a5ad0399d70b9
                                                                                    • Instruction ID: 5f0d3ee8670c981835ad2271f36d5e50e29d471f47cc8d07170305bc2b7d2de7
                                                                                    • Opcode Fuzzy Hash: 5848d47a68f3497389bacfa891cde23fd32053b90f2a67c68e8a5ad0399d70b9
                                                                                    • Instruction Fuzzy Hash: BA024470E00219ABDB34EB64DC4ABADB7B4EF14310F104298FA49AB2D1DBB59B44DF51

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    • Graph rendering omitted (entry basic block 1003d370-1003d3b5; exit via 1003d819-1003d831)
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 1003D4C3
                                                                                      • Part of subcall function 1000A8C0: curl_mvsnprintf.LIBCURL(?,00000100,?,?,?), ref: 1000A8F6
                                                                                    Strings
                                                                                    • schannel: WinSSL version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc., xrefs: 1003D40F
                                                                                    • schannel: using IP address, SNI is not supported by OS., xrefs: 1003D686
                                                                                    • schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates., xrefs: 1003D53B
                                                                                    • schannel: disabled server certificate revocation checks, xrefs: 1003D51D
                                                                                    • schannel: incremented credential handle refcount = %d, xrefs: 1003D49B
                                                                                    • , xrefs: 1003D4DB
                                                                                    • schannel: initial InitializeSecurityContext failed: %s, xrefs: 1003D763
                                                                                    • Microsoft Unified Security Protocol Provider, xrefs: 1003D5F3
                                                                                    • schannel: unable to allocate memory, xrefs: 1003D590
                                                                                    • Unrecognized parameter passed via CURLOPT_SSLVERSION, xrefs: 1003D640
                                                                                    • schannel: sending initial handshake data: sending %lu bytes..., xrefs: 1003D78B
                                                                                    • schannel: AcquireCredentialsHandle failed: %s, xrefs: 1003D61D
                                                                                    • schannel: failed to send initial handshake data: sent %zd of %lu bytes, xrefs: 1003D806
                                                                                    • schannel: re-using existing credential handle, xrefs: 1003D47F
                                                                                    • schannel: SNI or certificate check failed: %s, xrefs: 1003D60E, 1003D754
                                                                                    • schannel: checking server certificate revocation, xrefs: 1003D50B
                                                                                    • schannel: sent initial handshake data: sent %zd bytes, xrefs: 1003D7DF
                                                                                    • schannel: SSL/TLS connection with %s port %hu (step 1/3), xrefs: 1003D3F0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memsetcurl_mvsnprintf
                                                                                    • String ID: $Microsoft Unified Security Protocol Provider$Unrecognized parameter passed via CURLOPT_SSLVERSION$schannel: AcquireCredentialsHandle failed: %s$schannel: SNI or certificate check failed: %s$schannel: SSL/TLS connection with %s port %hu (step 1/3)$schannel: WinSSL version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: checking server certificate revocation$schannel: disabled server certificate revocation checks$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: incremented credential handle refcount = %d$schannel: initial InitializeSecurityContext failed: %s$schannel: re-using existing credential handle$schannel: sending initial handshake data: sending %lu bytes...$schannel: sent initial handshake data: sent %zd bytes$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.$schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.
                                                                                    • API String ID: 926105211-3817584845
                                                                                    • Opcode ID: ea5f28f5e4f4368224f52a52a17f662bfeb6ba5ad64fb36dc30dbb44edf96b19
                                                                                    • Instruction ID: fd4b1318cba020bc302aa20b8360608302c45bcabf82e56543e9648241753749
                                                                                    • Opcode Fuzzy Hash: ea5f28f5e4f4368224f52a52a17f662bfeb6ba5ad64fb36dc30dbb44edf96b19
                                                                                    • Instruction Fuzzy Hash: 22D1A1B5904341AFD715DF18EC81E6BB7E8FB88745F00892EF9498B242D774E944CBA2

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    • Graph rendering omitted (entry basic block 1013560-10135ea; exit via 1013961-101397b)
                                                                                    APIs
                                                                                    • SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UserName,00000000,?,?,B69A1A1E), ref: 010135E6
                                                                                    • SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,type,00000000,00000000,00000208), ref: 01013663
                                                                                    • SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,NickName,00000000,?,00000004), ref: 010136AA
                                                                                    • SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,token,00000000,?,00000208), ref: 0101370B
                                                                                    • SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,mobile,00000000,?,00000208), ref: 0101376C
                                                                                    • SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,email,00000000,?,00000208), ref: 010137D2
                                                                                    • SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,HeadImage,00000000,?,00000208), ref: 010138CB
                                                                                      • Part of subcall function 00FC4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00FC4167
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value$Exception@8Throw
                                                                                    • String ID: HeadImage$Message$NickName$Software\EasePaintWatermarkRemover$Title$UserName$email$mobile$token$type
                                                                                    • API String ID: 977719429-3498454798
                                                                                    • Opcode ID: c51dcef74c0fe4841c8f03808e5e000b2156bebb753eac35a63debb0edc8e24e
                                                                                    • Instruction ID: 1550ad6fba2fa07d6009436139126083814a1217fca1f228432af915b476ca88
                                                                                    • Opcode Fuzzy Hash: c51dcef74c0fe4841c8f03808e5e000b2156bebb753eac35a63debb0edc8e24e
                                                                                    • Instruction Fuzzy Hash: 9AB1E7B494021D9EDB68DB18CC85FEA73B8FF04704F4042EDE945AA145EB746ACACF94

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    • Graph rendering omitted (entry basic block 1015ec0-1015ef9; exit via 10161e5-1016202)
                                                                                    APIs
                                                                                    • PathFileExistsW.SHLWAPI(00000000,00000000,?,?), ref: 01016102
                                                                                    • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?), ref: 0101613A
                                                                                    • PathFindFileNameW.SHLWAPI(?,010D1560,?,?,?,?,?,?,?), ref: 01016182
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: FilePath$ExistsFindNameRemoveSpec
                                                                                    • String ID: skin\skin_ar.skin$skin\skin_de.skin$skin\skin_en.skin$skin\skin_es.skin$skin\skin_fr.skin$skin\skin_id.skin$skin\skin_jp.skin$skin\skin_ko.skin$skin\skin_pt.skin$skin\skin_ru.skin$skin\skin_tr.skin
                                                                                    • API String ID: 713544028-3662250206
                                                                                    • Opcode ID: ba83fa858ccbf1f37d258c54e6e5400250faada2ae53ec9ee8a142c05d6712b5
                                                                                    • Instruction ID: 98374b67043aa1528f3a6fb8dcaf272cc47207c73dac92b022178268d4269a43
                                                                                    • Opcode Fuzzy Hash: ba83fa858ccbf1f37d258c54e6e5400250faada2ae53ec9ee8a142c05d6712b5
                                                                                    • Instruction Fuzzy Hash: 7F912971D402089FCB14DBA8DC4AFDEBBB4EF11304F4881E9F445AB24AEB799B448B51

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32,?,?,?,1002D69E,secur32.dll,?,?,?,1001E4B8), ref: 1003A19A
                                                                                    • GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 1003A1B2
                                                                                    • _strpbrk.LIBCMT ref: 1003A1C8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc_strpbrk
                                                                                    • String ID: AddDllDirectory$LoadLibraryExA$kernel32
                                                                                    • API String ID: 1657965159-3327535076
                                                                                    • Opcode ID: e51a234bd61779233ed1a772e1228bc97965f471d17ccfb8ec78e0b1b978403a
                                                                                    • Instruction ID: 151e11d26e5a1c80487ff3c1013bfb5a512e2fb41e0c859c34685c00961649d1
                                                                                    • Opcode Fuzzy Hash: e51a234bd61779233ed1a772e1228bc97965f471d17ccfb8ec78e0b1b978403a
                                                                                    • Instruction Fuzzy Hash: A3313B367056115FE3029B6C6C58BA73BD9EF86263F254176F942CB351EF53D80882E0

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • SHGetMalloc.SHELL32(?), ref: 010143A4
                                                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,0000001A,?), ref: 010143BD
                                                                                    • SHGetPathFromIDListW.SHELL32(?,?), ref: 010143EE
                                                                                    • PathFileExistsW.SHLWAPI(?,?,?,?,?,?), ref: 01014487
                                                                                    • CreateDirectoryW.KERNEL32(00000000,?,?,?,?), ref: 01014498
                                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 010144C0
                                                                                    • SHCreateDirectoryExW.SHELL32(00000000,00000000), ref: 010144F3
                                                                                    • SetFileAttributesW.KERNEL32(00000006), ref: 01014501
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Path$CreateDirectoryFile$AttributesExistsFolderFromListLocationMallocSpecialTemp
                                                                                    • String ID: %s%s\%s$%s\%s$EasePaintWatermarkRemover$data
                                                                                    • API String ID: 801663401-1024328609
                                                                                    • Opcode ID: daabe2aa115d77447ac105b2d5011c845ed5cfe5089c7d9ae7a5309494fb4342
                                                                                    • Instruction ID: 135a0c3ac77fa06eb7b973a1b4bf13c95e3f1f7f9c773d5b959c8f88dacfc6ac
                                                                                    • Opcode Fuzzy Hash: daabe2aa115d77447ac105b2d5011c845ed5cfe5089c7d9ae7a5309494fb4342
                                                                                    • Instruction Fuzzy Hash: 424127B454030CAFCB309F60DD06FEA7378EF08704F0081A8FA49D6146DB766A848F65

                                                                                    Control-flow Graph
                                                                                    (rendered graph of the function starting at 01011AD0; the image with its Executed / Not Executed colouring is not reproduced here)
                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,01121620), ref: 01011B70
                                                                                    • GetFileVersionInfoSizeW.VERSION(?,00000000,?,01121620), ref: 01011B7F
                                                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,00000000,?,01121620), ref: 01011BA4
                                                                                    • VerQueryValueW.VERSION(00000000,010D1560,?,00000034,?,00000000,00000000,00000000,00000000,?,01121620), ref: 01011BC1
                                                                                    • SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,Version,00000000,?,00000208,?,?,00000000), ref: 01011C74
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$InfoValueVersion$ModuleNameQuerySize
                                                                                    • String ID: %d%d%d$%d.%d.%d.%d$4$Software\EasePaintWatermarkRemover$Version
                                                                                    • API String ID: 3751987224-2582149013
                                                                                    • Opcode ID: 0b8e91e4f078e0d9f61423379ae0cd154803a0cccd237d9c5e6936a7b5f17294
                                                                                    • Instruction ID: 30ffd96b9ed50420f1494496d47b7e43eb0c2553f778ef0f3040d99dc9b045ad
                                                                                    • Opcode Fuzzy Hash: 0b8e91e4f078e0d9f61423379ae0cd154803a0cccd237d9c5e6936a7b5f17294
                                                                                    • Instruction Fuzzy Hash: 5C61E3B1A00218ABDB60DB64CC45FEAB3FCEF08704F40419DFA49EB181DB79AA45CB54
                                                                                    APIs
                                                                                    • SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,adid,00000000,?,00000208,?), ref: 01011935
                                                                                    • SHGetValueW.SHLWAPI(80000002,Software\EasePaintWatermarkRemover,InstallerName,00000000,?,00000208), ref: 010119D3
                                                                                    • PathRemoveExtensionW.SHLWAPI(?), ref: 010119EB
                                                                                    • PathFindFileNameW.SHLWAPI(?), ref: 010119F8
                                                                                    • _wcschr.LIBVCRUNTIME ref: 01011A05
                                                                                    • lstrlenW.KERNEL32(-00000002), ref: 01011A17
                                                                                    • SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,adid,00000001,-00000002,00000000), ref: 01011A36
                                                                                      • Part of subcall function 00FC5150: FindResourceExW.KERNEL32(00000000,00000006,00FC5E74,00000000,00000000,00000000,00000000,?,00FC5E74,-00000010), ref: 00FC518E
                                                                                      • Part of subcall function 00FC5150: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00FC51D7
                                                                                      • Part of subcall function 00FC4FD0: GetProcessHeap.KERNEL32 ref: 00FC504E
                                                                                      • Part of subcall function 00FC4FD0: __Init_thread_footer.LIBCMT ref: 00FC5080
                                                                                      • Part of subcall function 00FC4FD0: __Init_thread_footer.LIBCMT ref: 00FC5104
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindValue$Init_thread_footerPathResource$ExtensionFileHeapNameProcessRemove_wcschrlstrlen
                                                                                    • String ID: InstallerName$Software\EasePaintWatermarkRemover$adid
                                                                                    • API String ID: 2661304214-246061220
                                                                                    • Opcode ID: 633937762e1a6e92873de302ca03b392d386beb1e05c393bc12b03e90dc33549
                                                                                    • Instruction ID: 63403a15072b7033d7ec8ec484e3c4a6a8457fb6127503974bd57eb90f1d0e13
                                                                                    • Opcode Fuzzy Hash: 633937762e1a6e92873de302ca03b392d386beb1e05c393bc12b03e90dc33549
                                                                                    • Instruction Fuzzy Hash: 0351F271A40209AFDB24DFA8CC49FAEBBF8EF04704F50419DFA85E7241DB799A448B54
                                                                                    APIs
                                                                                    • getpeername.WS2_32(?,?,?), ref: 1002153B
                                                                                    • WSAGetLastError.WS2_32 ref: 10021545
                                                                                      • Part of subcall function 100273B0: GetLastError.KERNEL32(?,00000000,00000000,?,1000ADE0,00000004,00000000), ref: 100273B4
                                                                                      • Part of subcall function 100273B0: _strerror.LIBCMT ref: 100273E8
                                                                                      • Part of subcall function 100273B0: _strncpy.LIBCMT ref: 100273F2
                                                                                      • Part of subcall function 100273B0: _strrchr.LIBCMT ref: 1002744A
                                                                                      • Part of subcall function 100273B0: _strrchr.LIBCMT ref: 10027465
                                                                                      • Part of subcall function 100273B0: GetLastError.KERNEL32 ref: 1002748D
                                                                                      • Part of subcall function 100273B0: SetLastError.KERNEL32(?), ref: 1002749C
                                                                                      • Part of subcall function 1000A8C0: curl_mvsnprintf.LIBCURL(?,00000100,?,?,?), ref: 1000A8F6
                                                                                    • _memset.LIBCMT ref: 10021575
                                                                                    • getsockname.WS2_32(?,?,?), ref: 10021588
                                                                                    • WSAGetLastError.WS2_32(?,?,00000000), ref: 10021592
                                                                                    Strings
                                                                                    • getpeername() failed with errno %d: %s, xrefs: 10021556
                                                                                    • ssloc inet_ntop() failed with errno %d: %s, xrefs: 1002164B
                                                                                    • ssrem inet_ntop() failed with errno %d: %s, xrefs: 100215F1
                                                                                    • getsockname() failed with errno %d: %s, xrefs: 100215A3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strrchr$_memset_strerror_strncpycurl_mvsnprintfgetpeernamegetsockname
                                                                                    • String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
                                                                                    • API String ID: 867746099-670633250
                                                                                    • Opcode ID: 04b0915740e1db2ac218f179d049961647459f6a07258ecd6644cf3c2270ed26
                                                                                    • Instruction ID: 3f809877a28bee7f0c5300d9e8da462c91e47c2ebb631adc889f25f64c885453
                                                                                    • Opcode Fuzzy Hash: 04b0915740e1db2ac218f179d049961647459f6a07258ecd6644cf3c2270ed26
                                                                                    • Instruction Fuzzy Hash: F841ACB9804345AFE720DF209C45BEF73ADEF95354F854528FD4993102EB34BA498BA2
                                                                                    APIs
                                                                                    • WSASetLastError.WS2_32(00002726,?,00000020,?,00000004), ref: 10028865
                                                                                    • Sleep.KERNEL32(?,?,00000020,?,00000004), ref: 10028879
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastSleep
                                                                                    • String ID:
                                                                                    • API String ID: 1458359878-0
                                                                                    • Opcode ID: a6180787691984569e39d1361638d3a6ca2cef8e168cbe6e4b00737e74f32110
                                                                                    • Instruction ID: d15e2eccbf1f6dc6661903b2c13d9d73faa2caf62f3c0cd6f8376b803ce8ab5c
                                                                                    • Opcode Fuzzy Hash: a6180787691984569e39d1361638d3a6ca2cef8e168cbe6e4b00737e74f32110
                                                                                    • Instruction Fuzzy Hash: 8091B675A063514BD325CF69E8802AFB2D9EBC4760F954B2EF994C7280DB30DA458783
                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 010260D1
                                                                                    • PathRemoveFileSpecW.SHLWAPI(?), ref: 010260DE
                                                                                    • lstrcatW.KERNEL32(?,\LiveUpdate.dll), ref: 010260F0
                                                                                    • LoadLibraryW.KERNEL32(?), ref: 010260FD
                                                                                      • Part of subcall function 00F98A90: OutputDebugStringW.KERNEL32(?), ref: 00F98AF4
                                                                                    • FreeLibrary.KERNEL32(?,B69A1A1E,?), ref: 010261B1
                                                                                    • CloseHandle.KERNEL32(?,B69A1A1E,?), ref: 010261BF
                                                                                      • Part of subcall function 00FC4FD0: GetProcessHeap.KERNEL32 ref: 00FC504E
                                                                                      • Part of subcall function 00FC4FD0: __Init_thread_footer.LIBCMT ref: 00FC5080
                                                                                      • Part of subcall function 00FC4FD0: __Init_thread_footer.LIBCMT ref: 00FC5104
                                                                                    Strings
                                                                                    • \LiveUpdate.dll, xrefs: 010260E4
                                                                                    • [update] Load liveupdate.dll failure., xrefs: 0102610A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileInit_thread_footerLibrary$CloseDebugFreeHandleHeapLoadModuleNameOutputPathProcessRemoveSpecStringlstrcat
                                                                                    • String ID: [update] Load liveupdate.dll failure.$\LiveUpdate.dll
                                                                                    • API String ID: 2596294035-540232465
                                                                                    • Opcode ID: bbe2ff80a89db082022545893f0a41ab63fd8f40645fbe9e7a61767f60694a7c
                                                                                    • Instruction ID: 83f715bcc9a6bd01494e56d0d7811bc5b9116c8a12cc9cca43e35c7cbf956203
                                                                                    • Opcode Fuzzy Hash: bbe2ff80a89db082022545893f0a41ab63fd8f40645fbe9e7a61767f60694a7c
                                                                                    • Instruction Fuzzy Hash: 5A91BD70900609DFD720DF68C848B9ABBF8EF45314F1486ADE899DB391DB75AA04CF91
                                                                                    APIs
                                                                                    • WSASetLastError.WS2_32(00002726,00000000,?), ref: 10028BAF
                                                                                    • Sleep.KERNEL32(?,00000000,?), ref: 10028BC2
                                                                                    • WSASetLastError.WS2_32(00002726,?,00000000,00000000,?), ref: 10028D1A
                                                                                    • Sleep.KERNEL32(?,?,00000000,00000000,?), ref: 10028D2F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastSleep
                                                                                    • String ID:
                                                                                    • API String ID: 1458359878-0
                                                                                    • Opcode ID: 8faedb480c80d514e60cf6145257163ce7f0180c66afba4ea6a47e94ea04c322
                                                                                    • Instruction ID: 4478d44f039c218f7bd6ce1b32ab90c8a10959dd3bf5ff48f736cd26b6b94a79
                                                                                    • Opcode Fuzzy Hash: 8faedb480c80d514e60cf6145257163ce7f0180c66afba4ea6a47e94ea04c322
                                                                                    • Instruction Fuzzy Hash: E5A1F8799063418BD725CF28E88429EB3E5FFC43A0F954E2EF999C6280E7359B44C752
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?), ref: 00FAF89B
                                                                                    • _strncpy.LIBCMT ref: 00FAF8F9
                                                                                    • DeviceIoControl.KERNEL32(00000000,0004D008,0000001C,0000003C,0000001C,0000022D,?,00000000), ref: 00FAF92C
                                                                                    • _strncat.LIBCMT ref: 00FAFA02
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FAFA20
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseControlCreateDeviceFileHandle_strncat_strncpy
                                                                                    • String ID: SCSIDISK$\\.\Scsi%d:
                                                                                    • API String ID: 1663224219-2176293039
                                                                                    APIs
                                                                                    • StgOpenStorage.OLE32(?,00000000,00000020,00000000,00000000,?,B69A1A1E,?,00000000,80004005,-4141412D,010BA4DF,000000FF), ref: 0101217B
                                                                                    • _wcschr.LIBVCRUNTIME ref: 01012273
                                                                                    • lstrlenW.KERNEL32(?), ref: 0101233D
                                                                                    • _wcsstr.LIBVCRUNTIME ref: 010124B6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: OpenStorage_wcschr_wcsstrlstrlen
                                                                                    • String ID: $$
                                                                                    • API String ID: 3597257408-2352093064
                                                                                    Strings
                                                                                    • Immediate connect fail for %s: %s, xrefs: 10021D08
                                                                                    • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 10021B25
                                                                                    • Trying %s..., xrefs: 10021B4F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Trying %s...$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
                                                                                    • API String ID: 0-3338264681
                                                                                    APIs
                                                                                    • __lock.LIBCMT ref: 10044E15
                                                                                      • Part of subcall function 10049029: __mtinitlocknum.LIBCMT ref: 1004903D
                                                                                      • Part of subcall function 10049029: __amsg_exit.LIBCMT ref: 10049049
                                                                                      • Part of subcall function 10049029: EnterCriticalSection.KERNEL32(-0000000F,-0000000F,?,10044A87,00000004,10064158,0000000C,1004B092,?,?,00000000,00000000,00000000,100463B9,00000001,00000214), ref: 10049051
                                                                                    • ___sbh_find_block.LIBCMT ref: 10044E20
                                                                                    • ___sbh_free_block.LIBCMT ref: 10044E2F
                                                                                    • RtlFreeHeap.NTDLL(00000000,?,10064198,0000000C,1004900A,00000000,10064388,0000000C,10049042,?,-0000000F,?,10044A87,00000004,10064158,0000000C), ref: 10044E5F
                                                                                    • GetLastError.KERNEL32(?,10044A87,00000004,10064158,0000000C,1004B092,?,?,00000000,00000000,00000000,100463B9,00000001,00000214,?,?), ref: 10044E70
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                    • String ID:
                                                                                    • API String ID: 2714421763-0
                                                                                    APIs
                                                                                    • GetPrivateProfileIntW.KERNEL32(Setting,LCID,00000000,?), ref: 00FD4320
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrivateProfile
                                                                                    • String ID: Config.ini$LCID$Setting
                                                                                    • API String ID: 1469295129-1763241224
                                                                                    APIs
                                                                                    • GetPrivateProfileIntW.KERNEL32(LANG,LCID,00000000,?), ref: 010167EB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrivateProfile
                                                                                    • String ID: LANG$LCID$oem.ini
                                                                                    • API String ID: 1469295129-2603398421
                                                                                    APIs
                                                                                      • Part of subcall function 1000ACD0: recv.WS2_32(?,?,?,00000000), ref: 1000AD59
                                                                                    • send.WS2_32(?,1002D204,?,00000000), ref: 1000ADA4
                                                                                    • WSAGetLastError.WS2_32 ref: 1000ADBC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastrecvsend
                                                                                    • String ID: 3'$Send failure: %s
                                                                                    • API String ID: 3418755260-1925326815
                                                                                    APIs
                                                                                    • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 100216A0
                                                                                    • WSAGetLastError.WS2_32 ref: 100216AA
                                                                                      • Part of subcall function 100273B0: GetLastError.KERNEL32(?,00000000,00000000,?,1000ADE0,00000004,00000000), ref: 100273B4
                                                                                      • Part of subcall function 100273B0: _strerror.LIBCMT ref: 100273E8
                                                                                      • Part of subcall function 100273B0: _strncpy.LIBCMT ref: 100273F2
                                                                                      • Part of subcall function 100273B0: _strrchr.LIBCMT ref: 1002744A
                                                                                      • Part of subcall function 100273B0: _strrchr.LIBCMT ref: 10027465
                                                                                      • Part of subcall function 100273B0: GetLastError.KERNEL32 ref: 1002748D
                                                                                      • Part of subcall function 100273B0: SetLastError.KERNEL32(?), ref: 1002749C
                                                                                      • Part of subcall function 1000A830: curl_mvsnprintf.LIBCURL(?,00000801,?,?,00000000), ref: 1000A873
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strrchr$_strerror_strncpycurl_mvsnprintfsetsockopt
                                                                                    • String ID: Could not set TCP_NODELAY: %s$TCP_NODELAY set
                                                                                    • API String ID: 3248710109-1562148346
                                                                                    APIs
                                                                                      • Part of subcall function 1003A040: _memset.LIBCMT ref: 1003A062
                                                                                      • Part of subcall function 1003A040: GetVersionExA.KERNEL32 ref: 1003A077
                                                                                    • GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceA), ref: 1002D6B6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProcVersion_memset
                                                                                    • String ID: InitSecurityInterfaceA$secur32.dll$security.dll
                                                                                    • API String ID: 4177973202-3788156360
                                                                                    APIs
                                                                                      • Part of subcall function 00FD3FF0: GetProcessHeap.KERNEL32 ref: 00FD406E
                                                                                      • Part of subcall function 00FD3FF0: __Init_thread_footer.LIBCMT ref: 00FD40A0
                                                                                      • Part of subcall function 00FD3FF0: __Init_thread_footer.LIBCMT ref: 00FD4124
                                                                                      • Part of subcall function 0102BCA0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,B69A1A1E), ref: 0102BE26
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00FD5626
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Init_thread_footer$ByteCharCloseHandleHeapMultiProcessWide
                                                                                    • String ID: lc=%s&product_id=%d&version=%d$open$result
                                                                                    • API String ID: 2625542054-4117417349
                                                                                    • Opcode ID: 5b80c67de95f5343c1796ff994b2b70b66340582626bb39b2faf5a89d0f4b33b
                                                                                    • Instruction ID: f31aaef4d4db4601b73afc3d9ae5262e374692d84913aad840ac55826f0f84d7
                                                                                    • Opcode Fuzzy Hash: 5b80c67de95f5343c1796ff994b2b70b66340582626bb39b2faf5a89d0f4b33b
                                                                                    • Instruction Fuzzy Hash: E791F130D00609EFDB20DBA8CD45BDDBBB5EF14310F0841A9E118AB292DB749E44DF92
                                                                                    APIs
                                                                                    • lstrlenW.KERNEL32(?), ref: 00FCD290
                                                                                    • lstrcpyW.KERNEL32(?,010D0EFC), ref: 00FCD2A6
                                                                                      • Part of subcall function 00FC4110: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,B69A1A1E,00000000,?,00FC5FDF,?,?,00000000,00000003,B69A1A1E,00000000,00000000), ref: 00FC4132
                                                                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 00FCD303
                                                                                    • lstrcpynW.KERNEL32(?,00000000,?,?,?,?,00000003), ref: 00FCD373
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$lstrcpylstrcpynlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 3832091381-0
                                                                                    • Opcode ID: 196b8205e826ea7376de4fbf0d34a60e6dc100198750d57e76b660d65eda275a
                                                                                    • Instruction ID: 877c0c97985010255ae37037908ad8b2d77afff3472187bc47cf39bb4580e710
                                                                                    • Opcode Fuzzy Hash: 196b8205e826ea7376de4fbf0d34a60e6dc100198750d57e76b660d65eda275a
                                                                                    • Instruction Fuzzy Hash: 2A410A3190020AABDB20EB64CD4AFEE777CDF44710F600658B949E7181E775BA05DBA0
                                                                                    APIs
                                                                                    • __calloc_crt.LIBCMT ref: 100451E1
                                                                                    • CreateThread.KERNEL32(?,?,10045126,00000000,?,?), ref: 10045225
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 1004522F
                                                                                    • __dosmaperr.LIBCMT ref: 10045247
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateErrorLastThread__calloc_crt__dosmaperr
                                                                                    • String ID:
                                                                                    • API String ID: 84609068-0
                                                                                    • Opcode ID: 5d6604571715a4828c4f6e121817ffbbde5e79d97443ab6a0ffc3f67379bc6ce
                                                                                    • Instruction ID: 8d1c359575b3f189e30d847a98067157bcde2b429222456aeaafdeb341195ba1
                                                                                    • Opcode Fuzzy Hash: 5d6604571715a4828c4f6e121817ffbbde5e79d97443ab6a0ffc3f67379bc6ce
                                                                                    • Instruction Fuzzy Hash: 4A11E376505619FFDB00EFA4CD8298E7BE4EF05365B71403AF501E2492EBB2A9008B69
                                                                                    APIs
                                                                                      • Part of subcall function 10046249: TlsGetValue.KERNEL32(?,100463A5,?,?,?,00000000), ref: 10046250
                                                                                      • Part of subcall function 10046249: TlsSetValue.KERNEL32(00000000,?,?,00000000), ref: 10046271
                                                                                      • Part of subcall function 1004622E: TlsGetValue.KERNEL32(?,10045137,00000000), ref: 10046238
                                                                                    • GetLastError.KERNEL32(00000000,?,00000000), ref: 1004514F
                                                                                    • ExitThread.KERNEL32 ref: 10045156
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 1004515C
                                                                                    • __freefls@4.LIBCMT ref: 1004517D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value$Thread$CurrentErrorExitLast__freefls@4
                                                                                    • String ID:
                                                                                    • API String ID: 3657912857-0
                                                                                    • Opcode ID: 41deb05de16f914b788e7334ac3ac06a1ac2d409441a207305d0680fdfc086a7
                                                                                    • Instruction ID: 1a5d19b20f6efbb5717f99c0ac64fd144e27509774a173a1ffaafe2b0f08b36d
                                                                                    • Opcode Fuzzy Hash: 41deb05de16f914b788e7334ac3ac06a1ac2d409441a207305d0680fdfc086a7
                                                                                    • Instruction Fuzzy Hash: 83016D38400A11EFE704EFA0CD49A0E7BE5EF48246B308478F800C7672FA75E942CB5A
                                                                                    APIs
                                                                                    • getaddrinfo.WS2_32(?,?,?,?), ref: 1002C47D
                                                                                    • WSASetLastError.WS2_32(00000000), ref: 1002C482
                                                                                    • WSASetLastError.WS2_32 ref: 1002C605
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$getaddrinfo
                                                                                    • String ID:
                                                                                    • API String ID: 1863150271-0
                                                                                    • Opcode ID: 8fb979780b99e7bcf638865fec878e336c6fc9eb33ec9db0bd0807b2b69bac7b
                                                                                    • Instruction ID: 7527507114e42dc8c49a7d1cba71e0f21ea1ce73398a881d3524039657ec332e
                                                                                    • Opcode Fuzzy Hash: 8fb979780b99e7bcf638865fec878e336c6fc9eb33ec9db0bd0807b2b69bac7b
                                                                                    • Instruction Fuzzy Hash: 20512BB1504B2A9FD350DF99E88481BB7F5FB84640F90892EF459D3210DB75F9888BD2
                                                                                    APIs
                                                                                    • SleepEx.KERNEL32 ref: 10021377
                                                                                    • getsockopt.WS2_32(00000004,0000FFFF,00001007,00000000,00000000), ref: 10021396
                                                                                    • WSAGetLastError.WS2_32 ref: 100213A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastSleepgetsockopt
                                                                                    • String ID:
                                                                                    • API String ID: 3033474312-0
                                                                                    • Opcode ID: 79874de3be1d53660a4d2e4b761ac33d50a6903ac12da6c63200c5e7f77d16b1
                                                                                    • Instruction ID: c69395863ca496f931906cccc5683a8ce5a1ce2eb0b07a7c3ba9094bb8c4f811
                                                                                    • Opcode Fuzzy Hash: 79874de3be1d53660a4d2e4b761ac33d50a6903ac12da6c63200c5e7f77d16b1
                                                                                    • Instruction Fuzzy Hash: E3F0B438208302ABF714DB10DC957AE36E5EF54B45F50892CE9C69AAD0E7799A048B52
                                                                                    APIs
                                                                                    • curl_multi_remove_handle.LIBCURL(CCC35F04,1001E8AA,?), ref: 10012332
                                                                                    • curl_multi_cleanup.LIBCURL(CCCCCCCC,?), ref: 10012342
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_multi_cleanupcurl_multi_remove_handle
                                                                                    • String ID:
                                                                                    • API String ID: 3059780880-0
                                                                                    • Opcode ID: 00f69769db4ad9382e80a4c13a56e645c30433e86a2461eec2e752a55cad80af
                                                                                    • Instruction ID: 14080083ad51cb1efdce88da328ccc8b47ed1d0cc55c3cddec60a30ffdc0259e
                                                                                    • Opcode Fuzzy Hash: 00f69769db4ad9382e80a4c13a56e645c30433e86a2461eec2e752a55cad80af
                                                                                    • Instruction Fuzzy Hash: FE517EB5801B10DBE221DF78DC84AABB7F9FF89302F00481EE19A96201DB75B441CF66
                                                                                    APIs
                                                                                    • select.WS2_32(?,00000000,00000000,00000000,-00000001), ref: 10028DDD
                                                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?), ref: 10028DEA
                                                                                    • __WSAFDIsSet.WS2_32(00000000,?), ref: 10028E86
                                                                                    • __WSAFDIsSet.WS2_32(00000000,?), ref: 10028E9C
                                                                                    • __WSAFDIsSet.WS2_32(00000000,?), ref: 10028EB5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastselect
                                                                                    • String ID:
                                                                                    • API String ID: 215497628-0
                                                                                    • Opcode ID: 084f6ed3f29176f5639360b559c14b08f93410c2ba5b77a141d9bbc54e2ce09a
                                                                                    • Instruction ID: 6779dd2681e5d7e9b0432db345bd975929d3c7404a1206d3574021e6e5cba124
                                                                                    • Opcode Fuzzy Hash: 084f6ed3f29176f5639360b559c14b08f93410c2ba5b77a141d9bbc54e2ce09a
                                                                                    • Instruction Fuzzy Hash: 6B21A4356053518FD72CCB28DC59A9F73E9EBC8350F458B2DF8998B294E730AA048B52
                                                                                    APIs
                                                                                    • select.WS2_32(00000003,00000000,00000000,?,-00000001), ref: 10028A35
                                                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?), ref: 10028A3E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastselect
                                                                                    • String ID:
                                                                                    • API String ID: 215497628-0
                                                                                    • Opcode ID: b1a7a451ffb4b65becc3764b753f6cf2f6305f4509c6f882e2555998268c58f3
                                                                                    • Instruction ID: 90cbadc435ed8a9dddb7c1292f50f013643afddcdd7ff2604fde66779d03a8e6
                                                                                    • Opcode Fuzzy Hash: b1a7a451ffb4b65becc3764b753f6cf2f6305f4509c6f882e2555998268c58f3
                                                                                    • Instruction Fuzzy Hash: 312196756053414BE328CB28D85569FB3E9FBC8350F494B2EF895C7194DB34EA448B53
                                                                                    APIs
                                                                                    • select.WS2_32(00000003,00000000,00000000,?,-00000001), ref: 10028A35
                                                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?), ref: 10028A3E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastselect
                                                                                    • String ID:
                                                                                    • API String ID: 215497628-0
                                                                                    • Opcode ID: 837d99b763e52c0bbdc7535c790b15034a6e7bad383e176d928be36da8633635
                                                                                    • Instruction ID: 631500e47e27b168dd458f8d977f4539971bb249f6a96d11674bd8cdd0eb2b1f
                                                                                    • Opcode Fuzzy Hash: 837d99b763e52c0bbdc7535c790b15034a6e7bad383e176d928be36da8633635
                                                                                    • Instruction Fuzzy Hash: 2411A5756053424BE328CB28D85569FB2E9FBC8350F494B2EF885C6194DB34EA448B53
                                                                                    APIs
                                                                                    • HeapCreate.KERNEL32(00000000,00001000,00000000,100454A6,00000001,?,?,00000001,?,?,10045624,00000001,?,?,100641F8,0000000C), ref: 1004C63A
                                                                                    • HeapDestroy.KERNEL32(?,?,00000001,?,?,10045624,00000001,?,?,100641F8,0000000C,100456DE,?), ref: 1004C670
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Heap$CreateDestroy
                                                                                    • String ID:
                                                                                    • API String ID: 3296620671-0
                                                                                    • Opcode ID: 01d53901d6ac53fa89fce2cf49e7f298137a3e7446c519ee15c59037bab6f8b3
                                                                                    • Instruction ID: 05f8ef9b195b68a6f4290b9782fdf97a63a38640ecdea9a85d833166e83492b9
                                                                                    • Opcode Fuzzy Hash: 01d53901d6ac53fa89fce2cf49e7f298137a3e7446c519ee15c59037bab6f8b3
                                                                                    • Instruction Fuzzy Hash: A6E09AB1651316ABF7C0DB308D99F1A36E8F704386F22B839F508C91A0FBF096409A0D
                                                                                    APIs
                                                                                    • recv.WS2_32(?,?,?,00000000), ref: 1000A541
                                                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,00000004,?), ref: 1000A54C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastrecv
                                                                                    • String ID:
                                                                                    • API String ID: 2514157807-0
                                                                                    • Opcode ID: bae6b46201f02e70e53df59be01e70c33af4862558d035e216ef71bb5db784ee
                                                                                    • Instruction ID: fab9f87bac59bbb604141ecfc10debe1a00b10128ffa374c4c540b722d92cdcd
                                                                                    • Opcode Fuzzy Hash: bae6b46201f02e70e53df59be01e70c33af4862558d035e216ef71bb5db784ee
                                                                                    • Instruction Fuzzy Hash: EEE04FB65642025FE700CF74CC95A1A77A5EB85621F508B58F465C32D4D734D8409611
                                                                                    APIs
                                                                                    • __freeptd.LIBCMT ref: 100450D4
                                                                                    • ExitThread.KERNEL32 ref: 100450DE
                                                                                      • Part of subcall function 1004D740: __FindPESection.LIBCMT ref: 1004D799
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExitFindSectionThread__freeptd
                                                                                    • String ID:
                                                                                    • API String ID: 3875298718-0
                                                                                    • Opcode ID: 227463c4a9f6d087c5238f07ba4ac4cde9e67b234381306154c5a01140f1f610
                                                                                    • Instruction ID: c3e92238a80b46df894d25e8c509e0a33f1c2e518d7be967990370a34083061c
                                                                                    • Opcode Fuzzy Hash: 227463c4a9f6d087c5238f07ba4ac4cde9e67b234381306154c5a01140f1f610
                                                                                    • Instruction Fuzzy Hash: 06D05E38011A00DBE656E7A0CD1931936A5EF54343F340134F402C0C62FFE19940C51E
                                                                                    APIs
                                                                                    • WSASetLastError.WS2_32(00002726,1001E7D1,000003E8,?,?,?,?,?,?,?,?,00000000), ref: 100287DF
                                                                                    • Sleep.KERNEL32(000003E8,1001E7D1,000003E8,?,?,?,?,?,?,?,?,00000000), ref: 100287EA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastSleep
                                                                                    • String ID:
                                                                                    • API String ID: 1458359878-0
                                                                                    • Opcode ID: c91b43f5157b207f1335725735dd9054d38ef7e1b48b5b4763cd62435da4e83a
                                                                                    • Instruction ID: 8d1f31afcca13fed068ad8f3870c0aaa2603cd8c19a47ee68cdeefbe2dad2120
                                                                                    • Opcode Fuzzy Hash: c91b43f5157b207f1335725735dd9054d38ef7e1b48b5b4763cd62435da4e83a
                                                                                    • Instruction Fuzzy Hash: 06C08C38B29A009BEB008B348C8E60A36E8BF40773BD20E80F224C00D0DB28D500D721
                                                                                    APIs
                                                                                      • Part of subcall function 00FAEBF0: GetVersionExW.KERNEL32(00000114), ref: 00FAEC2C
                                                                                      • Part of subcall function 00FAEBF0: CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00FAECA8
                                                                                      • Part of subcall function 00FAEBF0: DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00001000,?,00000000), ref: 00FAECD9
                                                                                      • Part of subcall function 00FAEBF0: _strncat.LIBCMT ref: 00FAED05
                                                                                      • Part of subcall function 00FAEBF0: CloseHandle.KERNEL32(00000000), ref: 00FAED0E
                                                                                    • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,?), ref: 00FCD07C
                                                                                    • lstrcpynW.KERNEL32(?,00000000,?), ref: 00FCD094
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharCloseControlCreateDeviceFileHandleMultiVersionWide_strncatlstrcpyn
                                                                                    • String ID:
                                                                                    • API String ID: 3846494814-0
                                                                                    • Opcode ID: 1e34e92cabee3e5a8652fc52642a38a515ef1ad2e255eceac9c5d3b14ba5a411
                                                                                    • Instruction ID: 7079bc863238a77eda770d159a3ef893d450fc39df49bad03c6b66207cf4aedc
                                                                                    • Opcode Fuzzy Hash: 1e34e92cabee3e5a8652fc52642a38a515ef1ad2e255eceac9c5d3b14ba5a411
                                                                                    • Instruction Fuzzy Hash: DE418E35D042069FCB35DF38CC46FEEB7A5AF56300F0442D8E589DB185DA725A898B90
                                                                                    APIs
                                                                                    • curl_pushheader_bynum.LIBCURL ref: 1000FE3F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_pushheader_bynum
                                                                                    • String ID:
                                                                                    • API String ID: 376554214-0
                                                                                    • Opcode ID: a988263b82cbff44de88ccb14fdc60c6ac9a760cc4c6ca26cda50bc3f200a16a
                                                                                    • Instruction ID: e7f61deacdce0bf58cbb0b0d6a6f8228f762bb88a8d2206a695652c61c0c5cd3
                                                                                    • Opcode Fuzzy Hash: a988263b82cbff44de88ccb14fdc60c6ac9a760cc4c6ca26cda50bc3f200a16a
                                                                                    • Instruction Fuzzy Hash: 3721CEB5904B108BE310DB78EC847C777E5EF88392F11082DE65EC7281DBB5B5498BA5
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: socket
                                                                                    • String ID:
                                                                                    • API String ID: 98920635-0
                                                                                    • Opcode ID: 384acdaf1a5486f87e9e7390ada5d28d66f6411c509aae2ffde37371b6f803f6
                                                                                    • Instruction ID: 8fb3d7b65749b5aa8e6280e89e03732f75a9ffc30e49706cd9e317237de893fa
                                                                                    • Opcode Fuzzy Hash: 384acdaf1a5486f87e9e7390ada5d28d66f6411c509aae2ffde37371b6f803f6
                                                                                    • Instruction Fuzzy Hash: 743137796003419FD724CF24D890BA6B7E5FF89320F518A2DE9A98B381D734B884CB91
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: closesocket
                                                                                    • String ID:
                                                                                    • API String ID: 2781271927-0
                                                                                    • Opcode ID: c8d1ac3c8cf88032b713f9fddb7db27ee2683201795cc1ed5681875e8a744d00
                                                                                    • Instruction ID: a9b0a5ede69b2dc485a30b6b832aa9420f798ddd93f5ce30d6351ae2d7326196
                                                                                    • Opcode Fuzzy Hash: c8d1ac3c8cf88032b713f9fddb7db27ee2683201795cc1ed5681875e8a744d00
                                                                                    • Instruction Fuzzy Hash: 2DF05E76A056209BE731DA25F848BDFB7F8EFD6721F41481DE49593240CB347841CAE2
                                                                                    APIs
                                                                                    • socket.WS2_32(00000017,00000002,00000000), ref: 10027C8F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: socket
                                                                                    • String ID:
                                                                                    • API String ID: 98920635-0
                                                                                    • Opcode ID: fa0552c5d250e0eac373ad4611dc27a52d96778ef368d73a8825e1ccac618e7e
                                                                                    • Instruction ID: f02bc398d36cbff8a96a0f41ba1e6fbdc6ee8cdb7a204e40ff927e101b4dc441
                                                                                    • Opcode Fuzzy Hash: fa0552c5d250e0eac373ad4611dc27a52d96778ef368d73a8825e1ccac618e7e
                                                                                    • Instruction Fuzzy Hash: AFE04F305022A0AAF3008B30AF8A7863291E7053B5F600639F32AD91E0D7F904688A11
                                                                                    APIs
                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00045060,?,00000000,?), ref: 00FD4B6D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateThread
                                                                                    • String ID:
                                                                                    • API String ID: 2422867632-0
                                                                                    • Opcode ID: 2feca539756ae5516d945dd972b970ed298ce7be8d9d1065d06838152ff54ad9
                                                                                    • Instruction ID: 694d05150b3c0a2db3ede6fa43a2bdada92845178d1f87c3e5adf13777570f37
                                                                                    • Opcode Fuzzy Hash: 2feca539756ae5516d945dd972b970ed298ce7be8d9d1065d06838152ff54ad9
                                                                                    • Instruction Fuzzy Hash: B5D05B315543287FE230D6859C06F5377ACD705B31F14015BFA0451280D6F2B84087D5
                                                                                    APIs
                                                                                    • ioctlsocket.WS2_32(?,8004667E,?), ref: 1002D9BC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ioctlsocket
                                                                                    • String ID:
                                                                                    • API String ID: 3577187118-0
                                                                                    • Opcode ID: aed069c71e5c0cfa3219209636cd8395187ad99dced336599d1ea4b76da15681
                                                                                    • Instruction ID: 0982ca985f4c27fa0b768af8e4a128948c6bba3c03b58334d66b7b3f62e36230
                                                                                    • Opcode Fuzzy Hash: aed069c71e5c0cfa3219209636cd8395187ad99dced336599d1ea4b76da15681
                                                                                    • Instruction Fuzzy Hash: A0C0C970904201EBDB00CB30C94C81BB7E1EBC8601F51892DB04592020F630A954DA52
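The API listings above show several calls only by their raw numeric arguments. The ones worth decoding for triage are the DeviceIoControl control code 0x002D1400 in the GetVersionExW/CreateFileA/DeviceIoControl/_strncat chain (its input buffer size 0xC matches sizeof(STORAGE_PROPERTY_QUERY), and the CreateFileA arguments 0, 3, 3 are dwDesiredAccess 0, FILE_SHARE_READ|FILE_SHARE_WRITE and OPEN_EXISTING, the usual pattern for opening a device handle; the device path itself is not recovered on the page), the ioctlsocket command 0x8004667E, socket(0x17, 2, 0), and WSASetLastError(0x2726). The following C program is an added decoding aid written for this report; it is not code from the analysed sample and makes no claim about the sample beyond what the listed constants mean. The CTL_CODE and _IOW macros are re-implemented from their documented winioctl.h and winsock2.h definitions so the file compiles on any platform.

```c
/*
 * Added example: decodes the raw numeric arguments shown in the API listings
 * (DeviceIoControl 0x2D1400, ioctlsocket 0x8004667E, socket(0x17, 2, 0),
 * WSASetLastError 0x2726). Reviewer code for reading the report, not code
 * from the analysed sample. CTL_CODE and _IOW are re-implemented here from
 * their documented Windows SDK definitions; they are not taken from the page.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* winioctl.h: CTL_CODE(DeviceType, Function, Method, Access) */
#define CTL_CODE(dev, fn, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(fn) << 2) | (uint32_t)(method))
#define IOCTL_STORAGE_BASE 0x2Du
#define METHOD_BUFFERED    0u
#define FILE_ANY_ACCESS    0u
#define IOCTL_STORAGE_QUERY_PROPERTY \
    CTL_CODE(IOCTL_STORAGE_BASE, 0x0500, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* winsock2.h: _IOW(x, y, t) = IOC_IN | ((sizeof(t) & IOCPARM_MASK) << 16) | (x << 8) | y */
#define IOCPARM_MASK 0x7fu
#define IOC_IN       0x80000000u
#define _IOW(x, y, t) \
    (IOC_IN | (((uint32_t)sizeof(t) & IOCPARM_MASK) << 16) | \
     ((uint32_t)(x) << 8) | (uint32_t)(y))
#define FIONBIO _IOW('f', 126, uint32_t)   /* Windows u_long is 32 bits */

struct ctl_code_parts {
    uint32_t device_type;   /* bits 31..16 */
    uint32_t access;        /* bits 15..14 */
    uint32_t function;      /* bits 13..2  */
    uint32_t method;        /* bits  1..0  */
};

/* Split a DeviceIoControl control code into its CTL_CODE fields. */
struct ctl_code_parts decode_ctl_code(uint32_t code)
{
    struct ctl_code_parts p;
    p.device_type = (code >> 16) & 0xFFFFu;
    p.access      = (code >> 14) & 0x3u;
    p.function    = (code >> 2)  & 0xFFFu;
    p.method      = code & 0x3u;
    return p;
}

const char *storage_ioctl_name(uint32_t code)
{
    return code == IOCTL_STORAGE_QUERY_PROPERTY ? "IOCTL_STORAGE_QUERY_PROPERTY"
                                                : "unknown";
}

/* FIONBIO with a non-zero argument puts the socket into non-blocking mode. */
const char *winsock_ioctl_name(uint32_t code)
{
    return code == FIONBIO ? "FIONBIO" : "unknown";
}

/* Address family and socket type as passed to socket(). */
const char *af_name(int af)
{
    switch (af) {
    case 2:  return "AF_INET";
    case 23: return "AF_INET6";
    default: return "unknown";
    }
}

const char *sock_type_name(int type)
{
    switch (type) {
    case 1:  return "SOCK_STREAM";
    case 2:  return "SOCK_DGRAM";
    default: return "unknown";
    }
}

/* Winsock error codes are 10000 + the BSD errno value; 0x2726 == 10022. */
const char *wsa_error_name(int err)
{
    switch (err) {
    case 10022: return "WSAEINVAL";
    case 10035: return "WSAEWOULDBLOCK";
    default:    return "unknown";
    }
}

int main(void)
{
    struct ctl_code_parts p = decode_ctl_code(0x002D1400u);
    printf("DeviceIoControl 0x002D1400 -> %s (device 0x%02X, function 0x%03X, "
           "method %u, access %u)\n", storage_ioctl_name(0x002D1400u),
           p.device_type, p.function, p.method, p.access);
    printf("ioctlsocket 0x8004667E -> %s\n", winsock_ioctl_name(0x8004667Eu));
    printf("socket(0x17, 2, 0) -> %s, %s\n", af_name(0x17), sock_type_name(2));
    printf("WSASetLastError(0x2726) -> %s\n", wsa_error_name(0x2726));
    return 0;
}
```

Read together, the decoded values say the sample opens a device handle and issues IOCTL_STORAGE_QUERY_PROPERTY, appending part of the result to a string, and that its network code creates an IPv6 UDP socket, switches sockets to non-blocking mode, and reports WSAEINVAL before a one-second Sleep(0x3E8) in a retry path. Which storage property is queried, and what the appended string is used for, cannot be determined from the arguments shown on this page.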
                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(00000000,1001E66E), ref: 1002D6DA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeLibrary
                                                                                    • String ID:
                                                                                    • API String ID: 3664257935-0
                                                                                    • Opcode ID: d22518b044d8cc67c6806941a9f8acb8a6254700b13930dd8142b7190ffd131f
                                                                                    • Instruction ID: 90b963095b2c72a4205bb7d172bea3968e78259cc35b550ee49ec92fd888dd68
                                                                                    • Opcode Fuzzy Hash: d22518b044d8cc67c6806941a9f8acb8a6254700b13930dd8142b7190ffd131f
                                                                                    • Instruction Fuzzy Hash: AAC04CB4100A218BFB019F29DD9C78137A5BB00745F814604F41AC26A0E7F99444CF64
                                                                                    APIs
                                                                                    • curl_maprintf.LIBCURL(Referer: %s,?), ref: 10007E18
                                                                                    • curl_maprintf.LIBCURL(Accept-Encoding: %s,?), ref: 10007EA5
                                                                                    • curl_maprintf.LIBCURL(%s, TETE: gzip,00000000), ref: 10007F30
                                                                                    • curl_maprintf.LIBCURL(%s,?), ref: 100080FC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_maprintf
                                                                                    • String ID: %s$%s $%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s$%s%s$%s%s=%s$%s, TETE: gzip$%x$0$100-continue$;type=$;type=%c$Accept-Encoding:$Accept-Encoding: %s$Accept:$Chunky upload is not supported by HTTP 1.0$Connection:$Connection: TETE: gzip$Content-Length:$Content-Length: %I64d$Content-Length: 0$Content-Range:$Content-Range: bytes %s%I64d/%I64d$Content-Range: bytes %s/%I64d$Content-Range: bytes 0-%I64d/%I64d$Content-Type:$Content-Type: application/x-www-form-urlencoded$Cookie:$Cookie: $Could not get Content-Type header line!$Could not seek stream$Could only read %I64d bytes from the input$Expect:$Failed sending HTTP POST request$Failed sending HTTP request$Failed sending POST request$Failed sending PUT request$File already completely uploaded$GET$HEAD$Host:$Host: %s%s%s$Host: %s%s%s:%hu$Internal HTTP POST error!$OPTIONS$POST$PUT$Proxy-Connection:$Range:$Range: bytes=%s$Referer:$Referer: %s$TE:$Transfer-Encoding:$User-Agent:$chunked$ftp://$ftp://%s:%s@%s$upload completely sent off: %I64d out of %I64d bytes
                                                                                    • API String ID: 3307269620-1677809358
                                                                                    • Opcode ID: 8de90a9397ca00cb00601a553fc8655f6614f4e9e95cf25c38a7e423ccfac6f4
                                                                                    • Instruction ID: 1120b88d3141dba63a36278ec3d58fa939bfaf09888bc2f6ef49cea47a83ec75
                                                                                    • Opcode Fuzzy Hash: 8de90a9397ca00cb00601a553fc8655f6614f4e9e95cf25c38a7e423ccfac6f4
                                                                                    • Instruction Fuzzy Hash: BAD2C5B59042419BE760CF24DC81BAB73E4FF843C4F054539FD899B24AEB75AA44CB62
                                                                                    APIs
                                                                                    • _strpbrk.LIBCMT ref: 100163A4
                                                                                      • Part of subcall function 1000A8C0: curl_mvsnprintf.LIBCURL(?,00000100,?,?,?), ref: 1000A8F6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strpbrkcurl_mvsnprintf
                                                                                    • String ID: %*15[^/:]:%[^]$%15[^/:]:%3[/]%[^/?#]%[^]$%25$%[^/?#]%[^]$%[^]$%s://%s%s$127.0.0.1/$://$<url> malformed$Bad URL$Bad URL, colon is first character$DICT.$FTP.$IMAP.$Illegal characters found in URL$Invalid IPv6 address format$Invalid file://hostname/, expected localhost or 127.0.0.1 or none$LDAP$LDAP.$POP3.$Please URL encode %% as %%25, see RFC 6874.$Rebuilt URL to: %s$SMTP.$Unwillingly accepted illegal URL using %d slash%s!$file$file:$localhost/
                                                                                    • API String ID: 3097993220-3219565643
                                                                                    • Opcode ID: f25c75835bdce3d14eb8ba72b1a5160bf2c49d9a7b8e97079a2dc6d011cd63bc
                                                                                    • Instruction ID: 5ffcca6317cef91a53769e84ac5bc605c939ec38ebbc02a76fd1f2717ee6bd91
                                                                                    • Opcode Fuzzy Hash: f25c75835bdce3d14eb8ba72b1a5160bf2c49d9a7b8e97079a2dc6d011cd63bc
                                                                                    • Instruction Fuzzy Hash: 8F32F2B5A042815FD710CF249C41BAB77E9FF89348F444529FC499F242EB35E989CBA2
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 1000B20C
                                                                                    • _strncpy.LIBCMT ref: 1000B2EC
                                                                                    • _strtoul.LIBCMT ref: 1000B311
                                                                                    • _strtoul.LIBCMT ref: 1000B33F
                                                                                    • curl_pushheader_bynum.LIBCURL(?,00000000,00000401), ref: 1000B392
                                                                                    • getsockname.WS2_32(?,?,?), ref: 1000B3CA
                                                                                    • WSAGetLastError.WS2_32 ref: 1000B3D8
                                                                                    • WSAGetLastError.WS2_32 ref: 1000B58A
                                                                                    • htons.WS2_32(00000000), ref: 1000B605
                                                                                    • bind.WS2_32(?,?,?), ref: 1000B61F
                                                                                    • WSAGetLastError.WS2_32 ref: 1000B62D
                                                                                    • getsockname.WS2_32 ref: 1000B675
                                                                                    • WSAGetLastError.WS2_32 ref: 1000B6A7
                                                                                    • getsockname.WS2_32 ref: 1000B789
                                                                                    • WSAGetLastError.WS2_32 ref: 1000B793
                                                                                    • listen.WS2_32(?,00000001), ref: 1000B7E2
                                                                                    • WSAGetLastError.WS2_32 ref: 1000B7EC
                                                                                      • Part of subcall function 100273B0: GetLastError.KERNEL32(?,00000000,00000000,?,1000ADE0,00000004,00000000), ref: 100273B4
                                                                                      • Part of subcall function 100273B0: _strerror.LIBCMT ref: 100273E8
                                                                                      • Part of subcall function 100273B0: _strncpy.LIBCMT ref: 100273F2
                                                                                      • Part of subcall function 100273B0: _strrchr.LIBCMT ref: 1002744A
                                                                                      • Part of subcall function 100273B0: _strrchr.LIBCMT ref: 10027465
                                                                                      • Part of subcall function 100273B0: GetLastError.KERNEL32 ref: 1002748D
                                                                                      • Part of subcall function 100273B0: SetLastError.KERNEL32(?), ref: 1002749C
                                                                                    • htons.WS2_32(?), ref: 1000B881
                                                                                    • curl_easy_strerror.LIBCURL(00000000), ref: 1000B940
                                                                                    • curl_msnprintf.LIBCURL(?,00000014,,%d,%d,00000000,00000000), ref: 1000B9BB
                                                                                    • curl_easy_strerror.LIBCURL(00000000), ref: 1000B9EC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$getsockname$_strncpy_strrchr_strtoulcurl_easy_strerrorhtons$_memset_strerrorbindcurl_msnprintfcurl_pushheader_bynumlisten
                                                                                    • String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$bind() failed, we ran out of ports!$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
                                                                                    • API String ID: 452464172-2383553807
                                                                                    • Opcode ID: 08617f4ccec8b27f0fb2301977213cedc48184edd6184c565b5ba7b56a348180
                                                                                    • Instruction ID: d86b0a42e720e722f6c2ed25ee7eebf1a6770b5a9687aae381ea7e223246740a
                                                                                    • Opcode Fuzzy Hash: 08617f4ccec8b27f0fb2301977213cedc48184edd6184c565b5ba7b56a348180
                                                                                    • Instruction Fuzzy Hash: 392202B5A04741AFE310DF24DC81BABB3E8FF89780F404518F98997286DB75E944C7A2
                                                                                    APIs
                                                                                    Strings
                                                                                    • Couldn't bind to interface '%s', xrefs: 1002102E
                                                                                    • bind failed with errno %d: %s, xrefs: 10021334
                                                                                    • Bind to local port %hu failed, trying next, xrefs: 100211B9
                                                                                    • Couldn't bind to '%s', xrefs: 10021291
                                                                                    • getsockname() failed with errno %d: %s, xrefs: 1002123D
                                                                                    • Local Interface %s is ip %s using address family %i, xrefs: 10020FC7
                                                                                    • Name '%s' family %i resolved to '%s' family %i, xrefs: 100210EA
                                                                                    • Local port: %hu, xrefs: 100212F9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset_strncmp$bindcurl_pushheader_bynumhtons
                                                                                    • String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s
                                                                                    • API String ID: 1027263330-2769131373
                                                                                    • Opcode ID: 7a131ce5953c926300aa669a36b834d9a677167ab81b0a4c8d95c709c09d29e9
                                                                                    • Instruction ID: a2143a33417367cca810f859a53e7c28272d93cef8906816095ca86324472111
                                                                                    • Opcode Fuzzy Hash: 7a131ce5953c926300aa669a36b834d9a677167ab81b0a4c8d95c709c09d29e9
                                                                                    • Instruction Fuzzy Hash: 29C1C3B9504381AFE320CF64EC84BDB77E9EF99344F554918F988D7202E771A948C7A2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ./\
                                                                                    • API String ID: 0-3176372042
                                                                                    • Opcode ID: b7f0832f9ec78db0b285b6c980f976540aab9fdc459164966d6d5616ff9982a7
                                                                                    • Instruction ID: 330f79ff5bc08178eb15fc9bc4418c875a9534e3cd292bb980f05c17ad18eadd
                                                                                    • Opcode Fuzzy Hash: b7f0832f9ec78db0b285b6c980f976540aab9fdc459164966d6d5616ff9982a7
                                                                                    • Instruction Fuzzy Hash: D0A14FB1C00659AEDB20DFE5CC85AAEB7F8FF08351B21013AF515D7181EB35A944CBA8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_mvsnprintf
                                                                                    • String ID: Bad tagged response$CAPABILITY$EXAMINE$EXPUNGE$FETCH$LIST$LSUB$NOOP$SEARCH$SELECT$STORE$UID$Unexpected continuation response
                                                                                    • API String ID: 3418963191-2330916320
                                                                                    • Opcode ID: dbdbded38e05b5e02c5137bb51011ab6e228d7206681b13fd06242baea68946d
                                                                                    • Instruction ID: 76cdda30bd144b98f20401d0d43eafc154a701f211ca3a58ed91a2c47627cd7e
                                                                                    • Opcode Fuzzy Hash: dbdbded38e05b5e02c5137bb51011ab6e228d7206681b13fd06242baea68946d
                                                                                    • Instruction Fuzzy Hash: B1C12972B042824BDB18F93DBC6436677D2EB81361FEB427BEC568B281DB25DD05C251
                                                                                    APIs
                                                                                      • Part of subcall function 00FCD0C0: LoadLibraryW.KERNEL32(ntdll.dll), ref: 00FCD103
                                                                                      • Part of subcall function 00FCD0C0: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00FCD11D
                                                                                      • Part of subcall function 00FCD0C0: lstrcpynW.KERNEL32(?,Windows2000,?), ref: 00FCD184
                                                                                    • SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,DownloadedUpdateVersion,00000000,?,00000208), ref: 0102691E
                                                                                      • Part of subcall function 00FC5150: FindResourceExW.KERNEL32(00000000,00000006,00FC5E74,00000000,00000000,00000000,00000000,?,00FC5E74,-00000010), ref: 00FC518E
                                                                                      • Part of subcall function 00FC5150: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00FC51D7
                                                                                    • GetPrivateProfileStringW.KERNEL32(Config,GoogleUserAgent,Default,?,00000104,?), ref: 01026AD7
                                                                                      • Part of subcall function 00FC4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00FC4167
                                                                                    Strings
                                                                                    • Config, xrefs: 01026AD2
                                                                                    • Default, xrefs: 01026AC8, 01026B40
                                                                                    • DownloadedUpdateVersion, xrefs: 0102690F
                                                                                    • GoogleUserAgent, xrefs: 01026ACD
                                                                                    • Software\EasePaintWatermarkRemover, xrefs: 01026914
                                                                                    • cd.dat, xrefs: 01026A82
                                                                                    • Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.4.154.18 Safari/525.19, xrefs: 01026B76
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindResource$AddressException@8LibraryLoadPrivateProcProfileStringThrowValuelstrcpyn
                                                                                    • String ID: Config$Default$DownloadedUpdateVersion$GoogleUserAgent$Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.4.154.18 Safari/525.19$Software\EasePaintWatermarkRemover$cd.dat
                                                                                    • API String ID: 4267482599-4171112345
                                                                                    • Opcode ID: f1de38249c51c3ad3345423df27cbf4ff01c71ef990216afb73e5a9b695ee361
                                                                                    • Instruction ID: afacf27cd48401e20a3f45510cce0312d954b717196345ef8621ced0e00e7915
                                                                                    • Opcode Fuzzy Hash: f1de38249c51c3ad3345423df27cbf4ff01c71ef990216afb73e5a9b695ee361
                                                                                    • Instruction Fuzzy Hash: E8C1D6719402199FDB64DF68CC49BEEB7F8EF14714F0042ADE859AB281DB75AA44CF80
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00FF666A
                                                                                    • DeleteFileW.KERNEL32(?), ref: 00FF66B6
                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00FF66C0
                                                                                    • FindClose.KERNEL32(00000000), ref: 00FF66CC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: FileFind$CloseDeleteFirstNext
• String ID: %s/%s$%s//%s//$%s\%s$*.*$data
• API String ID: 3592162902-2701475228
• Instruction ID: f5aaa9ec6902b37b78e5d7f878bf236f796d3ae3bd1f5310688369b6d2d1b210
• Opcode Fuzzy Hash: f616e0e8a5f7e32263d91ef011084f5b3239a6acf3378b5a0b0905af7cce83aa
• Instruction Fuzzy Hash: C481D1719006099FDB20DF28CD88B6AB7B8FF44724F084658E959EB391EB75E944CF90
Strings
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID:
• String ID: :$]$alnum$alpha$blank$digit$graph$lower$print$space$upper$xdigit
• API String ID: 0-1671854345
• Instruction ID: d9003ccff365a079e05c259ff951a7458d41429bcea6b75770d75845f8617a34
• Opcode Fuzzy Hash: d3cbb7ac80d3f1ac21285b6ecd2f4cf7e04ad956b818be8b8b753c950faa185b
• Instruction Fuzzy Hash: 5B71E6766083844BE704CB29D4513ABF7D1FBD8314F85053DE5898B2C2DA7AEDCA8792
APIs
Strings
• %02d:%02d:%02d%n, xrefs: 10028421
• %31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 10028301
• %02d:%02d%n, xrefs: 10028452
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: _sscanf$_strtolstrtoxl
• String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]
• API String ID: 2027155390-1523987602
• Instruction ID: e7d4d8859946d3b1e41ed818578c0bd4cc81f917605538e1a3b9ea7abff7e2cb
• Opcode Fuzzy Hash: 1b5919dea66df52cda1120a023feea180a47ddc782582a35559810c99a98960e
• Instruction Fuzzy Hash: CDE1D5B9A097418FC714CF28E84065EF7E1EFC5360FA54A2EF9A5C7291E774DA048B42
APIs
• GetProcessHeap.KERNEL32(?,?,00F998F2,00000000,?,00000000), ref: 00FAE034
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,80000000,00000000,00000000,?,00000000,?,?,00F998F2,00000000,?,00000000), ref: 00FAE097
• HeapAlloc.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00F998F2,00000000,?,00000000), ref: 00FAE0AF
• SetLastError.KERNEL32(00000008,?,00000000,?,?,00F998F2,00000000,?,00000000), ref: 00FAE0C2
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000,?,?,00F998F2,00000000,?,00000000), ref: 00FAE0DE
• GetLastError.KERNEL32(?,00000000,?,?,00F998F2,00000000,?,00000000), ref: 00FAE0E8
• HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00F998F2,00000000,?,00000000), ref: 00FAE0F8
• SetLastError.KERNEL32(00000000,?,00000000,?,?,00F998F2,00000000,?,00000000), ref: 00FAE0FF
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: ErrorHeapLast$ByteCharMultiWide$AllocFreeProcess
• String ID:
• API String ID: 1914750029-0
• Instruction ID: 3d83901111e32ba2b4275ebb06810b48c0f000fbac395798ace1f6eb3fae27fe
• Opcode Fuzzy Hash: 0d56bc63ad52bbb565004819ff9087e45fad4295eb8de8df5df6ad1383b07273
• Instruction Fuzzy Hash: C331D476740205AFE7304B5CEC48BAA77A9EBC6732F148139FA19CB284CB76DC015B60
APIs
• _free.LIBCMT ref: 010946B6
• _free.LIBCMT ref: 010946DA
• _free.LIBCMT ref: 01094861
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,010E4C64), ref: 01094873
• WideCharToMultiByte.KERNEL32(00000000,00000000,01122C6C,000000FF,00000000,0000003F,00000000,?,?), ref: 010948EB
• WideCharToMultiByte.KERNEL32(00000000,00000000,01122CC0,000000FF,?,0000003F,00000000,?), ref: 01094918
• _free.LIBCMT ref: 01094A2D
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 314583886-0
• Instruction ID: b5650d2ac4e9c316d1ec02462cf468e607aa458a772e2bb171ea085a5397bda6
• Opcode Fuzzy Hash: 9e743bfba4cea3f801f7cf217b10973bf6b68af6d0df90511c354a94e155a35f
• Instruction Fuzzy Hash: C0C13571A0024AAFDF25DF7C8A60AEEBBF9AF56210F1441E9D5D0D7241E7318A43EB50
APIs
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 10035493
• CryptCreateHash.ADVAPI32(?,00008002,00000000,00000000,?), ref: 100354B4
• CryptHashData.ADVAPI32 ref: 100354CF
• CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 100354E4
• CryptDestroyHash.ADVAPI32(?), ref: 100354EF
• CryptReleaseContext.ADVAPI32(?,00000000), ref: 100354FC
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
• String ID:
• API String ID: 3186506766-0
• Instruction ID: 56e6c98a7f4f5775ccb08920282fc827694f4a3cab49bccdfde81f391c5bbecf
• Opcode Fuzzy Hash: f7d2c2c2f6663fabdf01e45bb1bd375cbfd55aab2c97adb6d2ff1dc1fb28f32f
• Instruction Fuzzy Hash: 0E31E371204351AFE320CF24DC89F9777E8EB88756F144918F985DA290E772E908C7A2
APIs
• CryptAcquireContextA.ADVAPI32 ref: 1003524B
• CryptImportKey.ADVAPI32(00000000,?,00000014,00000000,00000000,?,F0000000), ref: 100352B3
• CryptReleaseContext.ADVAPI32(?,00000000), ref: 100352C4
• CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,?,?,?), ref: 10035300
• CryptDestroyKey.ADVAPI32(?,?,?,?), ref: 1003530B
• CryptReleaseContext.ADVAPI32(?,00000000,?,?,?), ref: 10035318
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
• String ID:
• API String ID: 3016261861-0
• Instruction ID: 114a39f39a08f53369960ab488b583c417c9a69515ceec4e71c5526acf601dfb
• Opcode Fuzzy Hash: 72a818552fc61e464c9b2d202f576ff38bac9f6e5c2dec32ceff3d7218ec0b39
• Instruction Fuzzy Hash: 793108B5218340AFE314CF64CC95B5BBBE4FB88B05F40491DF5899B290DB75E908CBA6
Strings
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: _memset_strncpy
• String ID: NO_PROXY$memory shortage$no_proxy
• API String ID: 3140232205-2769599289
• Instruction ID: 0d4e2fb2b26beb31690f769b8f910a88050c416b0413ab3d839fb822260dc49f
• Opcode Fuzzy Hash: 1c99cd80b7e63ca29010e5313f72f09cb737765d216534488d0ee010bb3aae23
• Instruction Fuzzy Hash: 4081B0B0A05743EFE718CF608C80B5AB7E4FF48245F05853DE9198A201E776E9948B92
APIs
• SystemParametersInfoW.USER32(00000068,00000000,?,00000000), ref: 00FDAEDA
• SystemParametersInfoW.USER32(0000006C,00000000,?,00000000), ref: 00FDAEE6
• SetScrollInfo.USER32(0000001C,00000000,0000001C,00000001), ref: 00FDAF72
• SetScrollInfo.USER32(?,00000001,00000010,00000001), ref: 00FDAFC5
• ScrollWindowEx.USER32(?,?,?,00000000,00000000,00000000,00000000,?), ref: 00FDB00B
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Info$Scroll$ParametersSystem$Window
• String ID:
• API String ID: 128421252-0
• Instruction ID: fe89794576e5fcf893fbd4b121a831ca151546ed400810b42c2d61622817285d
• Opcode Fuzzy Hash: dc339a80e859ad906f753889c2a3bf4d3d6bd3d0999b14bea892e7ed950566cc
• Instruction Fuzzy Hash: 16828E71E00219AFDF15CF98C981BAEBBF6FF48710F14821AE805AB694D771AD51DB80
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,00000000), ref: 1003F002
• UnhandledExceptionFilter.KERNEL32(1005FDA4), ref: 1003F00D
• GetCurrentProcess.KERNEL32(C0000409), ref: 1003F01E
• TerminateProcess.KERNEL32(00000000), ref: 1003F025
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                    • String ID:
                                                                                    • API String ID: 3231755760-0
                                                                                    • Opcode ID: fda73f10bd4b1fc3628ea554b573c7b98b3567eb45d2dd13ce408bfc9e8cdc84
                                                                                    • Instruction ID: 18a9a2c04545a385b5325778b07af1efe2b649976c9022696c660d35f3406595
                                                                                    • Opcode Fuzzy Hash: fda73f10bd4b1fc3628ea554b573c7b98b3567eb45d2dd13ce408bfc9e8cdc84
                                                                                    • Instruction Fuzzy Hash: 0021FBB4818220EFEB05CF6ADDD46697BB2FB48315B50526AE61D87360F3F05A01DF49
                                                                                    APIs
                                                                                    • CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 100265B4
                                                                                    • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 100265CF
                                                                                    • CryptDestroyHash.ADVAPI32(?), ref: 100265D9
                                                                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 100265E8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Crypt$Hash$Param$ContextDestroyRelease
                                                                                    • String ID:
                                                                                    • API String ID: 2110207923-0
                                                                                    • Opcode ID: c27a7652056d661742fe4ffd747be8b10752fe5be9cd8346face37c28ddfbaf1
                                                                                    • Instruction ID: bbd42d6929f75d99331ad565b5afab48ecf6d29619dc15ad424d301766756b4d
                                                                                    • Opcode Fuzzy Hash: c27a7652056d661742fe4ffd747be8b10752fe5be9cd8346face37c28ddfbaf1
                                                                                    • Instruction Fuzzy Hash: 6EF01975214720ABE220CB44CC45F6BB3E8EF88B11F41880CF655D71C0CBB0E9048BA1
                                                                                    APIs
                                                                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040,?,1003D26F,?,00000000,100361CE,00000000,?,00000004,00000000,10036286,10036313), ref: 1003E9E9
                                                                                    • CryptGenRandom.ADVAPI32(00000000,00000000,?), ref: 1003EA01
                                                                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 1003EA12
                                                                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 1003EA24
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Crypt$Context$Release$AcquireRandom
                                                                                    • String ID:
                                                                                    • API String ID: 2916321625-0
                                                                                    • Opcode ID: 62c9138460363489add2709f0fdb0ee016e79d6cd223147fac08e13ddc5fb2d5
                                                                                    • Instruction ID: aafb9eabe7f7486b3806deababb72be395756eb06c0677afa903b8d5d7203be7
                                                                                    • Opcode Fuzzy Hash: 62c9138460363489add2709f0fdb0ee016e79d6cd223147fac08e13ddc5fb2d5
                                                                                    • Instruction Fuzzy Hash: 95F0B7B4214240AFF714DB60CC99F2B77E9EB88B12F10890CF646DA1D0D675E8009B62
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: bind() failed; %s
                                                                                    • API String ID: 0-1141498939
                                                                                    • Opcode ID: 9dd3934789a8e9c9ab5f64475fad64af8bcd09215d32c802e11d05f6f6d72710
                                                                                    • Instruction ID: e024ee6d9ba81dfb9c90a009f915b98b55787a109053b40568ee054e7c09c184
                                                                                    • Opcode Fuzzy Hash: 9dd3934789a8e9c9ab5f64475fad64af8bcd09215d32c802e11d05f6f6d72710
                                                                                    • Instruction Fuzzy Hash: 583181756007019FE720CF29ECC4B96B7E4FF88395F004529E9098B281D7B5E899CBE1
                                                                                    APIs
                                                                                    • LoadResource.KERNEL32(00FC51A2,?,00000000,?,00FC51A2,00000000,00000000,?), ref: 00FC604A
                                                                                    • LockResource.KERNEL32(00000000,?,00FC51A2,00000000,00000000,?), ref: 00FC6055
                                                                                    • SizeofResource.KERNEL32(00FC51A2,?,?,00FC51A2,00000000,00000000,?), ref: 00FC6067
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Resource$LoadLockSizeof
                                                                                    • String ID:
                                                                                    • API String ID: 2853612939-0
                                                                                    • Opcode ID: a29ef3e6a38049e95681a8b0fd537b2ffa1b4d815937f2bbe67bc8d4f29755b8
                                                                                    • Instruction ID: 14a41bf828618f326b76aa8048f5b1dc3bacc4bd0fb0172f16a875afd89d404e
                                                                                    • Opcode Fuzzy Hash: a29ef3e6a38049e95681a8b0fd537b2ffa1b4d815937f2bbe67bc8d4f29755b8
                                                                                    • Instruction Fuzzy Hash: A7F0C832944A279BCF315FA4D9059B9776AEF00361704492DFD5DE6114D673EC50EBC0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentProcesshtons
                                                                                    • String ID:
                                                                                    • API String ID: 2530476045-0
                                                                                    • Opcode ID: 644a0d3da377f57fcd2be015dcb0e8b023df447295c96a7c8d6b1c923662e1cf
                                                                                    • Instruction ID: 22beaf96d4341e692b4291efd4bd18399295990754d77bdae9c9049ab2216ea9
                                                                                    • Opcode Fuzzy Hash: 644a0d3da377f57fcd2be015dcb0e8b023df447295c96a7c8d6b1c923662e1cf
                                                                                    • Instruction Fuzzy Hash: 9A015AB4414B819ED360CF79C084656BBF0FF59200714DA6ED8EEC7A21E3B5A188CB95
                                                                                    APIs
                                                                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 10026541
                                                                                    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 1002655B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Crypt$AcquireContextCreateHash
                                                                                    • String ID:
                                                                                    • API String ID: 1914063823-0
                                                                                    • Opcode ID: 181459302b64325949ed94a324d7b60267c2ce72231589ca86e7999971b94c54
                                                                                    • Instruction ID: 597818277bfa77ee8a2f724aeb3801e472527de5f25d586585ee472665f43f2e
                                                                                    • Opcode Fuzzy Hash: 181459302b64325949ed94a324d7b60267c2ce72231589ca86e7999971b94c54
                                                                                    • Instruction Fuzzy Hash: 5DE01731390720BAFA708B10EC46F96329CAB08B01F210409B741AA0D4CAA1B8008BA9
                                                                                    APIs
                                                                                    • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 10026584
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptDataHash
                                                                                    • String ID:
                                                                                    • API String ID: 4245837645-0
                                                                                    • Opcode ID: 65edebc8b6dbc57c3d5d40d94494170d5841778ac7f841de54677229f3f4923d
                                                                                    • Instruction ID: ea5c21488ab2203632e2f8aad9fda5b0f910b33b50d1db1a4ebb5c7617404411
                                                                                    • Opcode Fuzzy Hash: 65edebc8b6dbc57c3d5d40d94494170d5841778ac7f841de54677229f3f4923d
                                                                                    • Instruction Fuzzy Hash: 70C002B9604301BFDA04CB54C999F1BF7A9FB8C711F10CA48B589C7290C670F840CB51
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 0
                                                                                    • API String ID: 0-4108050209
                                                                                    • Opcode ID: d713f5b8f8ef851fe19af728ebab7b15270f75e36a15916d0212b2ecc52453b2
                                                                                    • Instruction ID: dc16dab2110b0c199946cd90afa2944421783643120d756f78b3cdd71f98aafe
                                                                                    • Opcode Fuzzy Hash: d713f5b8f8ef851fe19af728ebab7b15270f75e36a15916d0212b2ecc52453b2
                                                                                    • Instruction Fuzzy Hash: 90519B70700B0AD7EBB586AC88697FE2BDD9B26204F08C58BDBC3CF282D615D5418315
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 87d8050d07cbb3d7cf9bc29d879f1d0a6de747b828c479cbba3004f7ae8c8fba
                                                                                    • Instruction ID: d5342998b87f4a8d9c9c255a5b90dc980c2fb3ebbd02b92e209b9c5d68897b94
                                                                                    • Opcode Fuzzy Hash: 87d8050d07cbb3d7cf9bc29d879f1d0a6de747b828c479cbba3004f7ae8c8fba
                                                                                    • Instruction Fuzzy Hash: 546258B1E00A158FCB18CF69C9906AAB7F2FF84305F24C56DD496A7B84D774AA44CF80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9da31c64d36a1ee3f5cfc7d3aa4135228acc21c416d4ed5ef05bf244958ebcf0
                                                                                    • Instruction ID: baf3f18f857f903928b6429c4e94c063763f2a6cf8936317388ca6a5e4992d32
                                                                                    • Opcode Fuzzy Hash: 9da31c64d36a1ee3f5cfc7d3aa4135228acc21c416d4ed5ef05bf244958ebcf0
                                                                                    • Instruction Fuzzy Hash: 47529A70E007069FDB25CF69C5807AABBF1FF84305F20866DD99A9B681C775AA45CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8cda982692b5f2995a5e8c5fec16b71e68ee03bed6cffcd2b40f398e3c19bf27
                                                                                    • Instruction ID: 13242f0306f19222269a92de66f456fa9475b768ec6f88acbc298ad8114b93ce
                                                                                    • Opcode Fuzzy Hash: 8cda982692b5f2995a5e8c5fec16b71e68ee03bed6cffcd2b40f398e3c19bf27
                                                                                    • Instruction Fuzzy Hash: 4822B2B3F505244BDB1CCA19CCA27ECB2E3ABD4214F0E80BD954EE3745EA789D958A44
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9faf05183564942ca1be5ed4762e7824dadd657354c3d421dc15c80fb6e4a301
                                                                                    • Instruction ID: f2a70be528fea8ee267961a14cb46807dd81d43769b3e3c8167318f4f1a33f6b
                                                                                    • Opcode Fuzzy Hash: 9faf05183564942ca1be5ed4762e7824dadd657354c3d421dc15c80fb6e4a301
                                                                                    • Instruction Fuzzy Hash: 19E1E171E001568FCB08CF69C8906ACBBF2FF85314F29C5ADE849EB745D636AA45CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bebc79c7d24642989315ce6367b0318c7be00f3df53d92d4b1554e7d432bb1ed
                                                                                    • Instruction ID: bda92df5418e61d5786d0e18b12dd0a1a65c6b2508bc6c0208c925c375921d1a
                                                                                    • Opcode Fuzzy Hash: bebc79c7d24642989315ce6367b0318c7be00f3df53d92d4b1554e7d432bb1ed
                                                                                    • Instruction Fuzzy Hash: A2E18970E00745AFDB25CF98C5847AEBBF2EF84305F24856DD996AB681C734AA45CF80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7aa8bee5b20dbce3b6f273c38f0e252ef6b6f09ab290b5ebbdce9fea218ccbb0
                                                                                    • Instruction ID: ecca32308fc5b4e57758254376e89b3afa351006bd296aa0f564aff9e57ec34a
                                                                                    • Opcode Fuzzy Hash: 7aa8bee5b20dbce3b6f273c38f0e252ef6b6f09ab290b5ebbdce9fea218ccbb0
                                                                                    • Instruction Fuzzy Hash: 94E18970E00745AFDB25CF98C5847AEBBF2EF84305F24856DD996AB681C734AA45CF80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c525f4dd11077508225ce18888ea730f49904b6cee89d76aaf192da3cea90ff0
                                                                                    • Instruction ID: 01bd819b463aba5b3eb72e91e70d2ba6fdaf7d345cc92e5ed58ba1b3b7caf10a
                                                                                    • Opcode Fuzzy Hash: c525f4dd11077508225ce18888ea730f49904b6cee89d76aaf192da3cea90ff0
                                                                                    • Instruction Fuzzy Hash: DDE12C71D1125A9FC706CB3B8580169FBB1BF9E204B2CD796E854BA192F331A5C1EF90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ee7420e43abd23d046e1b4c22e8787d3d21452ca7d6373df9aa922974dfebaee
                                                                                    • Instruction ID: 841d5bffe8220b20499f101e7e253ed2c72bac1b030daaf1de2902f7d59549f8
                                                                                    • Opcode Fuzzy Hash: ee7420e43abd23d046e1b4c22e8787d3d21452ca7d6373df9aa922974dfebaee
                                                                                    • Instruction Fuzzy Hash: B3617D7160070AAFFEB8996C68547FE37DCEF51744F08C49BEAC2EB281D611D5428366
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5cf61210200991ecd15db649d6ed8645340cb980a101878ab7191e44f9adef5e
                                                                                    • Instruction ID: 15877a605ae41b76202ba9d0365b197cd3900b71358998a780e53f4211ea6673
                                                                                    • Opcode Fuzzy Hash: 5cf61210200991ecd15db649d6ed8645340cb980a101878ab7191e44f9adef5e
                                                                                    • Instruction Fuzzy Hash: D361A332A915B76BF390CF6DDCC576633A3EB8A301F1D8670E70087665C6B9E52296C0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                    • Instruction ID: 2ea6b475f70c89cc2f19e99b07720bbf27c9cbdff760b5fa7eb05e5d2c555c81
                                                                                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                    • Instruction Fuzzy Hash: CC11317760618343D680C53FC8B45BBD7DAEBC5160739E375D042CB6D4D223D945D604
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d97c594d377a0570f57103e45dbd2701f4b7b3031bd298fa4e382fe716efe8a9
                                                                                    • Instruction ID: 4656e7f67e65cd1b72e2a648a14918bfef12ecca0c53fa52ea1fea0862ad1d19
                                                                                    • Opcode Fuzzy Hash: d97c594d377a0570f57103e45dbd2701f4b7b3031bd298fa4e382fe716efe8a9
                                                                                    • Instruction Fuzzy Hash: 58119074E2021D9BCB04DFA8D8416EEB7F4FF6A310F5489AEDC99A7300E6319981D790
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f6ba0287235aa62ae5379ff4bc574f5e8d0ec2c63d4a9d2487e40166b5eb4fed
                                                                                    • Instruction ID: 88eafc113f6d6778e13756f5268ebf612d57d4b43445835f744fbaa396f7b8ad
                                                                                    • Opcode Fuzzy Hash: f6ba0287235aa62ae5379ff4bc574f5e8d0ec2c63d4a9d2487e40166b5eb4fed
                                                                                    • Instruction Fuzzy Hash: D0E092294059012C8F1F953C90CD6DB5353CBE7658FA424AE84494BAE3CA6FB88FE305
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,?,00000000,?,1002740A,?,00000004,?,1000ADE0,00000004,00000000), ref: 1002702A
                                                                                    • _strncpy.LIBCMT ref: 1002724B
                                                                                    • GetLastError.KERNEL32(00000004,00000000), ref: 10027268
                                                                                    • SetLastError.KERNEL32(?), ref: 10027277
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpy
                                                                                    • String ID: Address already in use$Address family not supported$Address not available$Bad access$Bad argument$Bad file$Bad message size$Bad protocol$Bad quota$Blocking call in progress$Call interrupted$Call would block$Connection refused$Connection was aborted$Connection was reset$Descriptor is not a socket$Disconnected$Host down$Host not found$Host not found, try again$Host unreachable$Invalid arguments$Loop??$Name too long$Need destination address$Network down$Network has been reset$Network unreachable$No buffer space$No data record of requested type$Not empty$Operation not supported$Out of file descriptors$Process limit reached$Protocol family not supported$Protocol is unsupported$Protocol option is unsupported$Remote error$Socket has been shut down$Socket is already connected$Socket is not connected$Socket is unsupported$Something is stale$Timed out$Too many references$Too many users$Unrecoverable error in call to nameserver$Winsock library is not ready$Winsock library not initialised$Winsock version not supported
                                                                                    • API String ID: 3397631897-3442644082
                                                                                    • Opcode ID: 47837208ccf16c5cb5dcc90f3678588f83631fb6ffad0e10a4291c1b78fd2a17
                                                                                    • Instruction ID: 2a9c92a40c89938a397888b44de6ba64a4f2cb8b701dca39881cbaf822759c1d
                                                                                    • Opcode Fuzzy Hash: 47837208ccf16c5cb5dcc90f3678588f83631fb6ffad0e10a4291c1b78fd2a17
                                                                                    • Instruction Fuzzy Hash: 6F419A35A283D4CBD322C698662612D2A54F7431117E1A3A3FD8DEB241DF1D9CCDA793
                                                                                    APIs
                                                                                    • ??0CStdString@DuiLib@@QAE@PB_WH@Z.YCOMUIU(01004A64,000000FF,B69A1A1E,?,769523D0,?), ref: 0100645A
                                                                                    • ??0CStdString@DuiLib@@QAE@PB_WH@Z.YCOMUIU(01004C64,000000FF,?,769523D0,?), ref: 01006472
                                                                                    • ??0CStdString@DuiLib@@QAE@PB_WH@Z.YCOMUIU(01005464,000000FF,?,769523D0,?), ref: 01006487
                                                                                    • ?DeletePtr@CPaintManagerUI@DuiLib@@QAEXPAX@Z.YCOMUIU(01004A64,?,769523D0,?), ref: 01006491
                                                                                    • ?CompareNoCase@CStdString@DuiLib@@QBEHPB_W@Z.YCOMUIU(menuLang,?,769523D0,?), ref: 010064A8
                                                                                    • ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU(?,769523D0,?), ref: 010064B4
                                                                                      • Part of subcall function 01023510: ??0CStdString@DuiLib@@QAE@PB_WH@Z.YCOMUIU(769523D0,000000FF,B69A1A1E,?,6C414B50), ref: 0102354B
                                                                                      • Part of subcall function 01023510: ?CompareNoCase@CStdString@DuiLib@@QBEHPB_W@Z.YCOMUIU(menuEn,?,6C414B50), ref: 01023569
                                                                                      • Part of subcall function 01023510: ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(6C414B50), ref: 01023774
                                                                                    • ?CompareNoCase@CStdString@DuiLib@@QBEHPB_W@Z.YCOMUIU(menuLogout,?,769523D0,?), ref: 010064D0
                                                                                    • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(?,769523D0,?), ref: 010069F1
                                                                                    • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(?,769523D0,?), ref: 010069FD
                                                                                    • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(?,769523D0,?), ref: 01006A0C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@$String@$Case@Compare$DeleteManagerPaintPtr@
                                                                                    • String ID: %s//LOG_%lld.dat$Explorer.exe$LogFile$OnResetPass$menuAbout$menuExportLog$menuLang$menuLicenseCode$menuLogout$menuQQ$menuResetPass$menuSetting$menuShare$menuTrial$menuUpdate$menuUpdateUser$menuUserCenter$open
                                                                                    • API String ID: 175989753-4156296262
                                                                                    • Opcode ID: e7573c9161def7e275005ef80d1b42170c1504585f7a3df73a3c33c6db92135f
                                                                                    • Instruction ID: faf8a5d9eb15cbc269ade7243678692ef18af6852ef94821fe53875089addbaf
                                                                                    • Opcode Fuzzy Hash: e7573c9161def7e275005ef80d1b42170c1504585f7a3df73a3c33c6db92135f
                                                                                    • Instruction Fuzzy Hash: ACE11770A04319AFEB22DB64CD45FEDBAB9AF15700F0041A8E489A72C1DF769E14CF91
                                                                                    APIs
                                                                                    • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(?,B69A1A1E,?,?,010022D8), ref: 0100415A
                                                                                    • ?SelectItem@CTabLayoutUI@DuiLib@@QAE_NH@Z.YCOMUIU(?,?,010022D8), ref: 01004174
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listRPicFile,?,?,010022D8), ref: 010041D3
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listAPicFile,00000000,?,010022D8), ref: 010041DE
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listRVideoFile,00000000,?,010022D8), ref: 010041E9
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listAVideoFile,00000000,?,010022D8), ref: 010041F4
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listRPicFile,00000001,?,010022D8), ref: 0100420B
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listRVideoFile,00000001,?,010022D8), ref: 0100423D
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listAPicFile,?,?,010022D8), ref: 01004254
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(listAVideoFile,00000001,?,010022D8), ref: 01004285
                                                                                    • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(tabConver,?,010022D8), ref: 010042C0
                                                                                    • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(btnAddFile,00000000,?,?,010022D8), ref: 010043A0
                                                                                    • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(btnAddFileList,00000000,?,?,?,?,?,010022D8), ref: 010043D7
                                                                                    • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(btnAddFile,00000000,?,?,010022D8), ref: 01004419
                                                                                    • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(btnAddFileList,00000000,?,?,?,?,?,010022D8), ref: 01004467
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayFileList,?,?,?,?,?,?,010022D8), ref: 010044A0
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayToolbar_WatermarkType,00000000), ref: 010044B4
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayPic_RWatermark,?), ref: 010044BE
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayPic_AWatermark,00000000), ref: 010044C9
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayToolbar_WatermarkType,00000001), ref: 010044E9
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayPic_RWatermark,00000000), ref: 010044F4
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayPic_AWatermark,00000001), ref: 010044FF
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayFileList,00000001,?,?,?,?,?,010022D8), ref: 0100452C
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayToolbar_WatermarkType,00000000,?,?,?,?,?,010022D8), ref: 0100453F
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayToolbar_RVideo,00000001,?,?,?,?,?,010022D8), ref: 0100454A
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayToolbar_WatermarkType,00000001,?,?,?,?,?,010022D8), ref: 0100456A
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayToolbar_RVideo,00000000,?,?,?,?,?,010022D8), ref: 01004575
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayToolbar_WatermarkType,00000000,?,?,?,?,?,010022D8), ref: 0100459D
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(LayFileList,00000000,?,?,?,?,?,010022D8), ref: 010045A8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@$Base@ImplWindow$ShowWindow@$ItemText$ControlControl@FindI@2@ManagerPaint$Item@LayoutSelect
                                                                                    • String ID: AddPicFile$AddPicFile2$AddVideoFile$AddVideoFile2$LayFileList$LayPic_AWatermark$LayPic_RWatermark$LayToolbar_RVideo$LayToolbar_WatermarkType$btnAddFile$btnAddFileList$listAPicFile$listAVideoFile$listRPicFile$listRVideoFile$tabConver$tabConverBottom$tabMain$tabWatermarkType
                                                                                    • API String ID: 4050989271-3367122727
                                                                                    • Opcode ID: 583804a61d08de88a29e2a4d46b29e6fde01694a43be89dfc3c6f16c2656458b
                                                                                    • Instruction ID: 300949061057bfde5349a81c2f0e25bbb7e0d274f8e5ef6a97b4d62fa9addd62
                                                                                    • Opcode Fuzzy Hash: 583804a61d08de88a29e2a4d46b29e6fde01694a43be89dfc3c6f16c2656458b
                                                                                    • Instruction Fuzzy Hash: 5FF1C130B00705EBEB22EB69CC45BAEB7B1EF54710F11416CE692DB2D1EB75A940CB45
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,?), ref: 100274CE
                                                                                    • curl_msnprintf.LIBCURL(?,00000050,%s (0x%08X),Unknown error,?), ref: 100277E6
                                                                                    • FormatMessageA.KERNEL32 ref: 10027809
                                                                                    • _strrchr.LIBCMT ref: 10027826
                                                                                    • _strrchr.LIBCMT ref: 10027849
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,%s - %s,?,?,?,?,000000FF,00000000), ref: 1002787A
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastcurl_msnprintf$_strrchr$FormatMessage_strncpy
                                                                                    • String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_CANNOT_INSTALL$SEC_E_CANNOT_PACK$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_E_INSUFFICIENT_MEMORY$SEC_E_INTERNAL_ERROR$SEC_E_INVALID_HANDLE$SEC_E_INVALID_TOKEN$SEC_E_LOGON_DENIED$SEC_E_MESSAGE_ALTERED$SEC_E_NOT_OWNER$SEC_E_NO_AUTHENTICATING_AUTHORITY$SEC_E_NO_CREDENTIALS$SEC_E_NO_IMPERSONATION$SEC_E_OUT_OF_SEQUENCE$SEC_E_QOP_NOT_SUPPORTED$SEC_E_SECPKG_NOT_FOUND$SEC_E_TARGET_UNKNOWN$SEC_E_UNKNOWN_CREDENTIALS$SEC_E_UNSUPPORTED_FUNCTION$SEC_E_WRONG_PRINCIPAL$SEC_I_COMPLETE_AND_CONTINUE$SEC_I_COMPLETE_NEEDED$SEC_I_CONTEXT_EXPIRED$SEC_I_CONTINUE_NEEDED$SEC_I_INCOMPLETE_CREDENTIALS$SEC_I_LOCAL_LOGON$SEC_I_NO_LSA_CONTEXT$SEC_I_RENEGOTIATE$SEC_I_SIGNATURE_NEEDED$Unknown error
                                                                                    • API String ID: 3046096619-2069991237
                                                                                    • Opcode ID: 7c1960aed99d8831c763743c47b080f704630e71cb6f3184647cd6966ba7519a
                                                                                    • Instruction ID: b4e17ca7444bfd0e08e78fede1b5f698a34aa70b24a1431e89f29f941e443fd4
                                                                                    • Opcode Fuzzy Hash: 7c1960aed99d8831c763743c47b080f704630e71cb6f3184647cd6966ba7519a
                                                                                    • Instruction Fuzzy Hash: EC512970658399DBD332CA296C01B6F7694FB42341FD10425F9DDDB281DF28A9C89763
                                                                                    APIs
                                                                                      • Part of subcall function 1001A750: _memset.LIBCMT ref: 1001A778
                                                                                      • Part of subcall function 1001A750: _memset.LIBCMT ref: 1001A792
                                                                                      • Part of subcall function 1001A750: curl_msnprintf.LIBCURL(?,00000100,USER,%s,?), ref: 1001A7CE
                                                                                      • Part of subcall function 1001A750: curl_slist_append.LIBCURL(?,?,?,00000100,USER,%s,?), ref: 1001A7E2
                                                                                      • Part of subcall function 1001A750: curl_slist_free_all.LIBCURL(?), ref: 1001A7F5
                                                                                    • GetLastError.KERNEL32 ref: 1001B732
                                                                                      • Part of subcall function 1000A8C0: curl_mvsnprintf.LIBCURL(?,00000100,?,?,?), ref: 1000A8F6
                                                                                    • GetProcAddress.KERNEL32(00000000,WSACreateEvent), ref: 1001B75E
                                                                                    • GetLastError.KERNEL32 ref: 1001B768
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 1001B77E
                                                                                    • WSAGetLastError.WS2_32 ref: 1001BB38
                                                                                    • FreeLibrary.KERNEL32(?), ref: 1001BB52
                                                                                    • GetLastError.KERNEL32 ref: 1001BB5C
                                                                                      • Part of subcall function 10019FE0: WSAStartup.WS2_32(00000002,0000CA1E), ref: 10019FFA
                                                                                      • Part of subcall function 1003A190: GetModuleHandleA.KERNEL32(kernel32,?,?,?,1002D69E,secur32.dll,?,?,?,1001E4B8), ref: 1003A19A
                                                                                    Strings
                                                                                    • WSAEnumNetworkEvents failed (%d), xrefs: 1001BA42
                                                                                    • WSAEventSelect, xrefs: 1001B7CA
                                                                                    • failed to find WSACreateEvent function (%u), xrefs: 1001B76F
                                                                                    • failed to find WSAEnumNetworkEvents function (%u), xrefs: 1001B801
                                                                                    • WSACreateEvent, xrefs: 1001B758
                                                                                    • WS2_32.DLL, xrefs: 1001B71B
                                                                                    • failed to load WS2_32.DLL (%u), xrefs: 1001B739
                                                                                    • WSACloseEvent, xrefs: 1001B791
                                                                                    • failed to find WSAEventSelect function (%u), xrefs: 1001B7DF
                                                                                    • WSAEnumNetworkEvents, xrefs: 1001B7EA
                                                                                    • , xrefs: 1001BAD8
                                                                                    • WSACreateEvent failed (%d), xrefs: 1001B83C
                                                                                    • failed to find WSACloseEvent function (%u), xrefs: 1001B7A8
                                                                                    • d, xrefs: 1001B8CE
                                                                                    • Time-out, xrefs: 1001BB18
                                                                                    • WSACloseEvent failed (%d), xrefs: 1001BB3F
                                                                                    • FreeLibrary(wsock2) failed (%u), xrefs: 1001BB63
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$FreeLibrary_memset$AddressHandleModuleProcStartupcurl_msnprintfcurl_mvsnprintfcurl_slist_appendcurl_slist_free_all
                                                                                    • String ID: $FreeLibrary(wsock2) failed (%u)$Time-out$WS2_32.DLL$WSACloseEvent$WSACloseEvent failed (%d)$WSACreateEvent$WSACreateEvent failed (%d)$WSAEnumNetworkEvents$WSAEnumNetworkEvents failed (%d)$WSAEventSelect$d$failed to find WSACloseEvent function (%u)$failed to find WSACreateEvent function (%u)$failed to find WSAEnumNetworkEvents function (%u)$failed to find WSAEventSelect function (%u)$failed to load WS2_32.DLL (%u)
                                                                                    • API String ID: 3367410453-3724274948
                                                                                    • Opcode ID: 02e8e907020c7297eccfe2c45b49ea3e4a971fb91da060570709e7b343c55002
                                                                                    • Instruction ID: 7289bc70f361e878782742c31d528d8397d799ade8e8af715e13c439d8f73a0d
                                                                                    • Opcode Fuzzy Hash: 02e8e907020c7297eccfe2c45b49ea3e4a971fb91da060570709e7b343c55002
                                                                                    • Instruction Fuzzy Hash: 6DD1D0B5508701AFE310DF64CC84AAFB7ECEF84394F504A2DFA5586251EB35E9848B62
                                                                                    APIs
                                                                                    • PathFindFileNameW.SHLWAPI(010B8698,9DE8FFFF,?), ref: 0100A8A2
                                                                                    • ?GetMarkup@CDialogBuilder@DuiLib@@QAEPAVCMarkup@2@XZ.YCOMUIU ref: 0100A8B7
                                                                                    • ?IsValid@CMarkup@DuiLib@@QBE_NXZ.YCOMUIU ref: 0100A8BF
                                                                                    • ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,00000000,C0000005,00000000), ref: 0100A8E2
                                                                                    • ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@PAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(00000000,C0000005,00000000), ref: 0100A8F0
                                                                                    • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,picThumbnail), ref: 0100A908
                                                                                    • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,txtFileName), ref: 0100A934
                                                                                    • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,picThumbnail), ref: 0100A964
                                                                                    • ?SelectItem@CTileLayoutUI@DuiLib@@QAE_NH_N@Z.YCOMUIU(00000000,00000000,00000001,tabConver,?), ref: 0100AAC8
                                                                                    • ?CheckDlgButton@WindowImplBase@DuiLib@@QAEHPB_W_N@Z.YCOMUIU(optPicPos1,?,?,00000002,tabWatermarkType,B69A1A1E,?,?,010022D8,?,00000000,010B8708,000000FF,?,C000008C,00000001), ref: 0100ABB6
                                                                                    • ?CheckDlgButton@WindowImplBase@DuiLib@@QAEHPB_W_N@Z.YCOMUIU(optPicPos2,00000000,?,010022D8,?,00000000,010B8708,000000FF,?,C000008C,00000001,?), ref: 0100ABCB
                                                                                    • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(sliderPicRotate,?,010022D8,?,00000000,010B8708,000000FF,?,C000008C,00000001,?), ref: 0100ABD8
                                                                                    • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtPicRotate,?,?), ref: 0100AC2C
                                                                                    • ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(?), ref: 0100AC3B
                                                                                    • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(sliderPicAlpha,?,010022D8,?,00000000,010B8708,000000FF,?,C000008C,00000001,?), ref: 0100AC6B
                                                                                    • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtPicAlpha,?,?), ref: 0100ACBE
                                                                                    • ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(?), ref: 0100ACCC
                                                                                    • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(sliderPicSize,?,010022D8,?,00000000,010B8708,000000FF,?,C000008C,00000001,?), ref: 0100ACFC
                                                                                    • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtPicSize,?,?), ref: 0100AD4F
                                                                                    • ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(?), ref: 0100AD5D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@$Control$I@2@$ManagerPaint$Find$Base@DialogImplWindow$Builder@Control@ItemName@ProgressTextV32@Value@$BuilderButton@Callback@2@CheckCreate@Markup@V32@@$D@2@FileItem@LayoutMarkup@2@NamePathSelectTileValid@
                                                                                    • String ID: %d%%$optPicPos1$optPicPos2$picThumbnail$sliderPicAlpha$sliderPicRotate$sliderPicSize$tabConver$tabWatermarkType$txtFileName$txtPicAlpha$txtPicRotate$txtPicSize
                                                                                    • API String ID: 2176707297-2040010724
                                                                                    • Opcode ID: 8755454d65ee7de5794294c70e6a7c6cd73874fee02d211ca642243b582d8b8b
                                                                                    • Instruction ID: d46ffe85c20dba6f577e26cd16ffab5510e97040560b0cb3ebb177018dbbc165
                                                                                    • Opcode Fuzzy Hash: 8755454d65ee7de5794294c70e6a7c6cd73874fee02d211ca642243b582d8b8b
                                                                                    • Instruction Fuzzy Hash: 6602DE30A0030ADFEB15DFA8C994BAEBBB4FF05310F14426DE596A72D1DB35A944CB91
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strncmp
                                                                                    • String ID: %25$/$://$Invalid IPv6 address format$No valid port number in proxy string (%s)$Please URL encode %% as %%25, see RFC 6874.$Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.$Unsupported proxy scheme for '%s'$[$http:$https$socks$socks4$socks4a$socks5$socks5h
                                                                                    • API String ID: 909875538-672486822
                                                                                    • Opcode ID: 1c83ad3c746644f0e9ca91789a4e3a5cb439ba3c1785311dd636dcd87d958a39
                                                                                    • Instruction ID: 1f46ef381980f0bc1b4903daa4da2f74ecb0dadc11ab8791aa0a04fdd101f38e
                                                                                    • Opcode Fuzzy Hash: 1c83ad3c746644f0e9ca91789a4e3a5cb439ba3c1785311dd636dcd87d958a39
                                                                                    • Instruction Fuzzy Hash: D9C11675904341DBE320CF149C85B9B7BE5EF45286F5C0829F9899E242E337E9C987E2
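The "Source File" and "Associated" dump names above encode, in their dot-separated fields, the base address of each dumped region (it matches the "Offset" the report prints) together with values that only ever take the form of the Windows PAGE_* page-protection and MEM_* memory-type constants (0x20 for the code region, 0x02 and 0x04 for the read-only and data regions, 0x08 for a write-copy page, 0x1000000 for MEM_IMAGE). The following Python decodes those names into a per-module memory map and flags any region that is both writable and executable. It is an added example, not part of the Joe Sandbox report and not code from the analysed sample; the meaning of every field other than the base address, protection and type is an assumption inferred from the names on this page, and the single PAGE_EXECUTE_READWRITE name is constructed here only to exercise the W+X check.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) names into a readable memory map.

Added example; not part of the report or of the analysed sample. Field
meanings are assumptions inferred from the names on this page; protection
and type values are decoded with the winnt.h PAGE_* / MEM_* constants.
"""
from dataclasses import dataclass

# Page protection constants from winnt.h (low byte of the fifth field)
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# Memory type constants from winnt.h (seventh field)
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE_MASK = 0x04 | 0x08 | 0x40 | 0x80


@dataclass(frozen=True)
class SdmpRegion:
    process_index: int   # assumed: index of the process within the analysis
    phase: int           # assumed: dump phase
    dump_id: str         # assumed: dump sequence id; radix unknown, kept verbatim
    base: int            # region base address (equals the report's "Offset")
    protection: int      # raw PAGE_* value
    field6: int          # unknown field, kept raw
    mem_type: int        # raw MEM_* value
    module_index: int    # assumed: index of the module the region belongs to

    @property
    def protection_name(self) -> str:
        low = self.protection & 0xFF
        names = [PAGE_PROTECTION.get(low, f"0x{low:02x}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protection & bit]
        return "|".join(names)

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protection & EXECUTABLE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protection & WRITABLE_MASK)


def parse_sdmp_name(name: str) -> SdmpRegion:
    """Split 'proc.phase.id.base.prot.f6.type.module.sdmp' into its fields."""
    parts = name.strip().split(".")
    if len(parts) != 9 or parts[8] != "sdmp":
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    proc, phase, dump_id, base, prot, f6, mtype, module = parts[:8]
    return SdmpRegion(int(proc, 16), int(phase, 16), dump_id, int(base, 16),
                      int(prot, 16), int(f6, 16), int(mtype, 16), int(module, 16))


def memory_map(names):
    """Group regions by module index as (base, protection, type), sorted by base."""
    out = {}
    for r in map(parse_sdmp_name, names):
        out.setdefault(r.module_index, []).append((r.base, r.protection_name, r.mem_type_name))
    for regions in out.values():
        regions.sort()
    return out


def wx_regions(names):
    """Base addresses of regions that are both writable and executable."""
    return [r.base for r in map(parse_sdmp_name, names) if r.writable and r.executable]


# Dump names copied from the report entries on this page
REPORT_DUMPS = [
    "00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp",
    "00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp",
    "00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp",
    "00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp",
    "00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp",
    "00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp",
]
# Constructed name (not from the report): a PAGE_EXECUTE_READWRITE private region
CONSTRUCTED_WX = "00000009.00000002.0000000001.0000000002000000.00000040.00000001.00020000.0000000A.sdmp"

if __name__ == "__main__":
    for module, regions in sorted(memory_map(REPORT_DUMPS).items()):
        print(f"module {module}:")
        for base, prot, mtype in regions:
            print(f"  {base:#010x} {prot:<24} {mtype}")
    print("W+X in report dumps:", [hex(b) for b in wx_regions(REPORT_DUMPS)])
    print("W+X with constructed:", [hex(b) for b in wx_regions(REPORT_DUMPS + [CONSTRUCTED_WX])])
```

Run as a script, it prints the module 9 image laid out as a read-only header page at 0x10000000, the executable code region at 0x10001000, two further read-only regions and one read-write region, and reports no W+X region among the names on this page; only the constructed 0x40 name trips the check. The W+X test is the one worth keeping when triaging dumps: an image-backed region that is both writable and executable is what you expect to see from unpacked or patched code, not from a normally mapped DLL.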
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,00000006,%5I64d,?,?,00000010,?,1000333B,?,?,00000000,?,?,00000001,00000000,00000000), ref: 100027C6
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100027EE
                                                                                    • curl_msnprintf.LIBCURL(?,00000006,%4I64dk,00000000,?,?,?,00000400,00000000,00000010,?,1000333B,?,?,00000000,?), ref: 100027FD
                                                                                    • __allrem.LIBCMT ref: 10002821
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1000282F
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1000283F
                                                                                    • curl_msnprintf.LIBCURL(?,00000006,%2I64d.%0I64dM,00000000,?,?,?,00100000,00000000,00000000,?,00000000,?,00019999,00000000,?), ref: 1000284E
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10002873
                                                                                    • curl_msnprintf.LIBCURL(?,00000006,%4I64dM,00000000,?,?,?,00100000,00000000,00000010,?,1000333B,?,?,00000000,?), ref: 10002882
                                                                                    • __allrem.LIBCMT ref: 100028A3
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100028B1
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100028C1
                                                                                    • curl_msnprintf.LIBCURL(?,00000006,%2I64d.%0I64dG,00000000,?,?,?,40000000,00000000,00000000,?,00000000,?,06666666,00000000,?), ref: 100028D0
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100028F4
                                                                                    • curl_msnprintf.LIBCURL(?,00000006,%4I64dG,00000000,?,?,?,40000000,00000000,00000010,?,1000333B,?,?,00000000,?), ref: 10002903
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10002927
                                                                                    • curl_msnprintf.LIBCURL(?,00000006,%4I64dT,00000000,?,?,?,00000000,00000100,00000010,?,1000333B,?,?,00000000,?), ref: 10002936
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1000294C
                                                                                    • curl_msnprintf.LIBCURL(?,00000006,%4I64dP,00000000,?,?,?,00000000,00040000,00000010,?,1000333B,?,?,00000000,?), ref: 1000295B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$curl_msnprintf$__allrem
                                                                                    • String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
                                                                                    • API String ID: 3299120379-2102732564
                                                                                    • Opcode ID: 4936d69c977143a4cc1255b898a4146f343377c9205b2bed9366c57d7271ac4b
                                                                                    • Instruction ID: cf8b39b63080a8b676406e9e70663bc713e94786fbff2707ca7c5dd328c9a319
                                                                                    • Opcode Fuzzy Hash: 4936d69c977143a4cc1255b898a4146f343377c9205b2bed9366c57d7271ac4b
                                                                                    • Instruction Fuzzy Hash: FD41A3EAB8174035F420E55A1C93F3B811CDBE0F95FB14429F702FA0D7AAA2BA91417D
                                                                                    APIs
                                                                                    • IsWindow.USER32(?), ref: 01004777
                                                                                    • ?GetHeight@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(00000001), ref: 01004795
                                                                                    • ?GetWidth@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(00000000), ref: 010047A2
                                                                                    • MoveWindow.USER32(?,?,?,00000000), ref: 010047B1
                                                                                    • IsWindow.USER32(?), ref: 010047BD
                                                                                    • ?GetHeight@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(00000001), ref: 010047E2
                                                                                    • ?GetWidth@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(00000000), ref: 010047EF
                                                                                    • MoveWindow.USER32(?,?,?,00000000), ref: 010047FE
                                                                                      • Part of subcall function 01006F00: ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(tabMain,B69A1A1E,?,?), ref: 01006F47
                                                                                      • Part of subcall function 01006F00: ?GetCurSel@CTabLayoutUI@DuiLib@@QBEHXZ.YCOMUIU(?,?), ref: 01006F57
                                                                                      • Part of subcall function 01006F00: DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 01006F6C
                                                                                      • Part of subcall function 01006F00: DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 01006FE9
                                                                                      • Part of subcall function 01006F00: PathFindExtensionW.SHLWAPI(?,?,?), ref: 01006FF6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@$Rect@Window$DragFileFindHeight@MoveQueryWidth@$ControlControl@ExtensionI@2@LayoutManagerPaintPathSel@
                                                                                    • String ID: [Error]:%d
                                                                                    • API String ID: 146719164-423514254
                                                                                    • Opcode ID: 90a91e141e09c0c498dbb8e8fbff8e23231c3f11ac03d4178a0a467f872d4bd0
                                                                                    • Instruction ID: c129d8063b7d8159dec70d256ca2b017f4cb856e8bffa1312e19770ff73b7b4d
                                                                                    • Opcode Fuzzy Hash: 90a91e141e09c0c498dbb8e8fbff8e23231c3f11ac03d4178a0a467f872d4bd0
                                                                                    • Instruction Fuzzy Hash: 72B1BF71600A05AFEB369F68CC55FAEBBA5FF08700F400619F796D66E0DB36A410CB95
                                                                                    APIs
                                                                                    • ?GetMarkup@CDialogBuilder@DuiLib@@QAEPAVCMarkup@2@XZ.YCOMUIU ref: 01002814
                                                                                    • ?IsValid@CMarkup@DuiLib@@QBE_NXZ.YCOMUIU ref: 0100281C
                                                                                    • ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,00000000,?,00000000), ref: 01002841
                                                                                    • ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@PAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(00000000,?,00000000), ref: 0100284B
                                                                                    • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem1,?,?,?,?,?,?,B69A1A1E), ref: 010028C6
                                                                                    • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,txtTimeItemTitle,?,?,?,?,?,?,B69A1A1E), ref: 010028E5
                                                                                    • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem2,?,?,?,?,?,?,B69A1A1E), ref: 01002934
                                                                                    • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,txtTimeItemPos,?,?,?,?,?,?,B69A1A1E), ref: 01002953
                                                                                    • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,ControlTimeListItem3,?,?,?,?,?,?,B69A1A1E), ref: 010029C4
                                                                                    • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,txtTimeItemTime,?,?,?,?,?,?,B69A1A1E), ref: 010029E3
                                                                                    • _strftime.LIBCMT ref: 01002A54
                                                                                    • _strftime.LIBCMT ref: 01002A94
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Control$I@2@Lib@@$ManagerPaint$FindName@V32@$Dialog$Builder@$BuilderCallback@2@Create@Markup@V32@@_strftime$D@2@Markup@2@Valid@
                                                                                    • String ID: %s - %s$(%d,%d), (%d,%d)$ControlTimeListItem1$ControlTimeListItem2$ControlTimeListItem3$TimeListItem1$TimeListItem2$TimeListItem3$txtTimeItemPos$txtTimeItemTime$txtTimeItemTitle
                                                                                    • API String ID: 880538387-3810458828
                                                                                    • Opcode ID: acf28aeeb410bc07a47bcae7fbb4692015a9fc859584f9ddf1fc72e92f5e4fcc
                                                                                    • Instruction ID: 1f6df460cf10248dd8b860a1ede2455512212824f2fb79ab3236971bf0e7e706
                                                                                    • Opcode Fuzzy Hash: acf28aeeb410bc07a47bcae7fbb4692015a9fc859584f9ddf1fc72e92f5e4fcc
                                                                                    • Instruction Fuzzy Hash: 21A1C5B0A002199FDB21EF65CC49FEEB7B8EF45700F004199F549A7291DB749A84CF95
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 1001A778
                                                                                    • _memset.LIBCMT ref: 1001A792
                                                                                    • curl_msnprintf.LIBCURL(?,00000100,USER,%s,?), ref: 1001A7CE
                                                                                      • Part of subcall function 10019330: curl_mvsnprintf.LIBCURL(?,?,?,?,1000A784,?,000000A0,[%s %s %s],Header,from,?,?,?,?,00000000), ref: 10019344
                                                                                    • curl_slist_append.LIBCURL(?,?,?,00000100,USER,%s,?), ref: 1001A7E2
                                                                                    • curl_slist_free_all.LIBCURL(?), ref: 1001A7F5
                                                                                    • _sscanf.LIBCMT ref: 1001A845
                                                                                    • _strncpy.LIBCMT ref: 1001A87D
                                                                                    • _strncpy.LIBCMT ref: 1001A8BD
                                                                                    • curl_slist_free_all.LIBCURL(?,?,Syntax error in telnet option: %s), ref: 1001A9FB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset_strncpycurl_slist_free_all$_sscanfcurl_msnprintfcurl_mvsnprintfcurl_slist_append
                                                                                    • String ID: %127[^= ]%*[ =]%255s$%hu%*[xX]%hu$1$BINARY$NEW_ENV$Syntax error in telnet option: %s$TTYPE$USER,%s$Unknown telnet option %s$XDISPLOC
                                                                                    • API String ID: 2031809267-1116758244
                                                                                    • Opcode ID: cee2ed9a650c785acb4ab43ea16c6c42d345ad3edb28cbc2c22178652d58e390
                                                                                    • Instruction ID: 50f65a0e9848d8038ce4fb512a08744d1284b73d9070200136fd5b0c97576b62
                                                                                    • Opcode Fuzzy Hash: cee2ed9a650c785acb4ab43ea16c6c42d345ad3edb28cbc2c22178652d58e390
                                                                                    • Instruction Fuzzy Hash: C77161B59043459FD720CF649881EEB73E8EB95344F54482DF5998B241EB30FA88CBA2
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strtol
                                                                                    • String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$%s (%ld)$Malformed ACK packet, rejecting$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
                                                                                    • API String ID: 4256861632-895336422
                                                                                    • Opcode ID: f513524741d849de7905f03ec55048d31def56c054abd224a2b910e269668855
                                                                                    • Instruction ID: 2f9dda22e8486dc8d1f48936b6ffbdc376ad3b8aafd596825a6015776246026d
                                                                                    • Opcode Fuzzy Hash: f513524741d849de7905f03ec55048d31def56c054abd224a2b910e269668855
                                                                                    • Instruction Fuzzy Hash: 0C415B76A04205BBE200DA14BC81FFB7798DB816D4F844535FE08D6206EB69B94D86A2
                                                                                    APIs
                                                                                    • ??1CMenuWnd@DuiLib@@QAE@XZ.YCOMUIU(B69A1A1E,6C414A20,?,?,?,?,?,?,00000000,010B85E2,000000FF,?,01005C19,?), ref: 0100A445
                                                                                    • ??0CMenuWnd@DuiLib@@QAE@XZ.YCOMUIU(?,?,?,?,?,?,00000000,010B85E2,000000FF,?,01005C19,?), ref: 0100A480
                                                                                    • ?GetGlobalContextMenuObserver@CMenuWnd@DuiLib@@SAAAVMenuObserverImpl@2@XZ.YCOMUIU(?,?,?,?,?,?,00000000,010B85E2,000000FF,?,01005C19,?), ref: 0100A49F
                                                                                    • ?GetControlRect@WindowImplBase@DuiLib@@QAE?AUtagRECT@@PB_W@Z.YCOMUIU(010B85E2,LayoutNickname,?,?,?,?,?,?,00000000,010B85E2,000000FF,?,01005C19,?), ref: 0100A4BE
                                                                                    • ClientToScreen.USER32(00000001,?), ref: 0100A4D7
                                                                                    • ??0CDuiPoint@DuiLib@@QAE@XZ.YCOMUIU(?,?,?,?,?,?,00000000,010B85E2,000000FF,?,01005C19,?), ref: 0100A4E0
                                                                                    • ??0CDuiPoint@DuiLib@@QAE@ABUtagPOINT@@@Z.YCOMUIU(?,?,?,?,?,?,?,00000000,010B85E2,000000FF,?,01005C19,?), ref: 0100A4ED
                                                                                    • ??4CDuiPoint@DuiLib@@QAEAAV01@$$QAV01@@Z.YCOMUIU(?,?,?,?,?,?,?,00000000,010B85E2,000000FF,?,01005C19,?), ref: 0100A4FA
                                                                                    • ?Init@CMenuWnd@DuiLib@@QAEXPAVCMenuElementUI@2@VSTRINGorID@2@UtagPOINT@@PAVCPaintManagerUI@2@PAVCStdStringPtrMap@2@K@Z.YCOMUIU(00000000,?,?,?,?,00000000,00000006,?,?,?,?,?,?,00000000,010B85E2,000000FF), ref: 0100A51F
                                                                                    • ?SetMenuItemState@CMenuWnd@DuiLib@@QAEXPB_WH_N@Z.YCOMUIU(menuUpdateUser,00000001,00000000,?,?,?,?,00000000,00000006,?,?,?,?,?,?,00000000), ref: 0100A540
                                                                                    • ?SetMenuItemState@CMenuWnd@DuiLib@@QAEXPB_WH_N@Z.YCOMUIU(menuUserCenter,00000001,00000000,?,?,?,?,00000000,00000006,?,?,?,?,?,?,00000000), ref: 0100A557
                                                                                    • ?SetMenuItemState@CMenuWnd@DuiLib@@QAEXPB_WH_N@Z.YCOMUIU(menuLogout,00000000,00000000,?,?,?,?,00000000,00000006,?,?,?,?,?,?,00000000), ref: 0100A56E
                                                                                    • ?SetMenuItemState@CMenuWnd@DuiLib@@QAEXPB_WH_N@Z.YCOMUIU(menuResetPass,00000000,00000000,?,?,?,?,00000000,00000006,?,?,?,?,?,?,00000000), ref: 0100A594
                                                                                    • ?SetMenuItemState@CMenuWnd@DuiLib@@QAEXPB_WH_N@Z.YCOMUIU(menuTrial,00000001,00000000,?,?,?,?,00000000,00000006,?,?,?,?,?,?,00000000), ref: 0100A5CA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Lib@@$Wnd@$ItemState@$Point@Utag$I@2@$Base@ClientContextControlD@2@ElementGlobalImplImpl@2@Init@ManagerMap@2@ObserverObserver@PaintRect@ScreenStringT@@@V01@$$V01@@Window
                                                                                    • String ID: LayoutNickname$menuLogout$menuResetPass$menuTrial$menuUpdateUser$menuUserCenter
                                                                                    APIs
                                                                                    • _strcpy_s.LIBCMT ref: 1004D305
                                                                                    • __invoke_watson.LIBCMT ref: 1004D316
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,10067B89,00000104,?,?,00000000,00000000,00000000,100463B9,00000001,00000214,?,?,?,00000000), ref: 1004D332
                                                                                    • _strcpy_s.LIBCMT ref: 1004D347
                                                                                    • __invoke_watson.LIBCMT ref: 1004D35A
                                                                                    • _strlen.LIBCMT ref: 1004D363
                                                                                    • _strlen.LIBCMT ref: 1004D370
                                                                                    • __invoke_watson.LIBCMT ref: 1004D39D
                                                                                    • _strcat_s.LIBCMT ref: 1004D3B0
                                                                                    • __invoke_watson.LIBCMT ref: 1004D3C1
                                                                                    • _strcat_s.LIBCMT ref: 1004D3D2
                                                                                    • __invoke_watson.LIBCMT ref: 1004D3E3
                                                                                    • GetStdHandle.KERNEL32(000000F4,?,?,00000000,77355E70,00000003,1004D465,000000FC,10044EFC,00000001,00000000,00000000,?,1004B04C,?,00000001), ref: 1004D402
                                                                                    • _strlen.LIBCMT ref: 1004D423
                                                                                    • WriteFile.KERNEL32(00000000,00000000,00000000,0000000C,00000000,?,1004B04C,?,00000001,?,10048FB3,00000018,10064388,0000000C,10049042,?), ref: 1004D42D
                                                                                    Strings
                                                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                    APIs
                                                                                    • GlobalAlloc.KERNEL32(00000042,?,B69A1A1E), ref: 00FB029F
                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00FB02BB
                                                                                    • GdipAlloc.GDIPLUS(00000010), ref: 00FB02E3
                                                                                    • GdipCreateBitmapFromStream.GDIPLUS(00000000,?,00000010), ref: 00FB0314
                                                                                    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,00000000,000000FF,00000010), ref: 00FB033E
                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00FB037F
                                                                                    • GetDC.USER32(00000000), ref: 00FB0428
                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00FB0444
                                                                                    • CreateCompatibleDC.GDI32(?), ref: 00FB044E
                                                                                    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00FB045C
                                                                                    • SelectObject.GDI32(00000000,?), ref: 00FB0470
                                                                                    • SelectObject.GDI32(?,?), ref: 00FB047A
                                                                                    • SetStretchBltMode.GDI32(?,00000004), ref: 00FB0483
                                                                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00FB04A8
                                                                                    • SelectObject.GDI32(?,00000000), ref: 00FB04B8
                                                                                    • SelectObject.GDI32(?,00000000), ref: 00FB04BE
                                                                                    • DeleteDC.GDI32(?), ref: 00FB04C9
                                                                                    • DeleteDC.GDI32(?), ref: 00FB04CE
                                                                                    • ReleaseDC.USER32(00000000,?), ref: 00FB04D5
                                                                                    • DeleteObject.GDI32(?), ref: 00FB0502
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 1001AA62
                                                                                    • _memset.LIBCMT ref: 1001AA75
                                                                                    • _sscanf.LIBCMT ref: 1001AB41
                                                                                    • curl_msnprintf.LIBCURL(?,00000800,%c%s%c%s,00000000,?,00000001,?), ref: 1001AB73
                                                                                    • curl_msnprintf.LIBCURL(?,00000800,%c%c,000000FF,000000F0,?,?,?,?,?,?,?,?,?,00000000,0000007F), ref: 1001ABA7
                                                                                    • send.WS2_32(?,?,00000002,00000000), ref: 1001ABC4
                                                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000007F), ref: 1001ABCE
                                                                                    • curl_msnprintf.LIBCURL(?,00000800,%c%c%c%c,000000FF,000000FA,?,00000000,?,?,00000000,0000007F), ref: 1001AAF4
                                                                                      • Part of subcall function 10019330: curl_mvsnprintf.LIBCURL(?,?,?,?,1000A784,?,000000A0,[%s %s %s],Header,from,?,?,?,?,00000000), ref: 10019344
                                                                                    • curl_msnprintf.LIBCURL(?,00000800,%c%c%c%c%s%c%c,000000FF,000000FA,00000018,00000000,?,000000FF,000000F0,?,?,00000000,0000007F), ref: 1001AC5E
                                                                                    • send.WS2_32(?,?,?,00000000), ref: 1001AC78
                                                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000007F), ref: 1001AC82
                                                                                    Strings
                                                                                    • String ID: %127[^,],%127s$%c%c$%c%c%c%c$%c%c%c%c%s%c%c$%c%s%c%s$Sending data failed (%d)
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,100454B4,?,?,00000001,?,?,10045624,00000001,?,?,100641F8,0000000C,100456DE,?), ref: 100465AF
                                                                                    • __mtterm.LIBCMT ref: 100465BB
                                                                                      • Part of subcall function 10046294: TlsFree.KERNEL32(0000001F,10045550,?,?,00000001,?,?,10045624,00000001,?,?,100641F8,0000000C,100456DE,?), ref: 100462BF
                                                                                      • Part of subcall function 10046294: DeleteCriticalSection.KERNEL32(00000000,00000000,?,00000001,10045550,?,?,00000001,?,?,10045624,00000001,?,?,100641F8,0000000C), ref: 10048F17
                                                                                      • Part of subcall function 10046294: DeleteCriticalSection.KERNEL32(0000001F,?,00000001,10045550,?,?,00000001,?,?,10045624,00000001,?,?,100641F8,0000000C,100456DE), ref: 10048F41
                                                                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 100465D1
                                                                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 100465DE
                                                                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 100465EB
                                                                                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 100465F8
                                                                                    • TlsAlloc.KERNEL32(?,?,00000001,?,?,10045624,00000001,?,?,100641F8,0000000C,100456DE,?), ref: 10046648
                                                                                    • TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,10045624,00000001,?,?,100641F8,0000000C,100456DE,?), ref: 10046663
                                                                                    • __init_pointers.LIBCMT ref: 1004666D
                                                                                    • __calloc_crt.LIBCMT ref: 100466E2
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 10046712
                                                                                    Strings
                                                                                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                    Strings
                                                                                    • String ID: $%s$--%sContent-Disposition: attachment$--%s--$--%s--$Content-Type: %s$Content-Type: multipart/mixed; boundary=%s$%s; boundary=%s$--%s$----$----$Content-Disposition: form-data; name="$Content-Type: multipart/form-data$couldn't open file "%s"
                                                                                    Strings
                                                                                    • String ID: %I64d$%s%c%s%c$0$TFTP file name too long$blksize$netascii$octet$tftp_send_first: internal error$timeout$tsize
                                                                                    APIs
                                                                                      • Part of subcall function 00FD3870: FindResourceW.KERNEL32(00000000,00000100,00000006,000000FF), ref: 00FD38B2
                                                                                      • Part of subcall function 00FC4FD0: GetProcessHeap.KERNEL32 ref: 00FC504E
                                                                                      • Part of subcall function 00FC4FD0: __Init_thread_footer.LIBCMT ref: 00FC5080
                                                                                      • Part of subcall function 00FC4FD0: __Init_thread_footer.LIBCMT ref: 00FC5104
                                                                                    • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00FFA163
                                                                                    • GdipSaveImageToFile.GDIPLUS(8B0C428D,000000FF,00000000,?), ref: 00FFA2EF
                                                                                    Strings
                                                                                    • String ID: %s%lld.bmp$%s%lld.jpg$%s%lld.png$%s%lld.tif$%s\%s\$.bmp$.jpg$.tif$d$data$image/bmp$image/jpeg$image/png$image/tiff
                                                                                    • API String ID: 33071416-4086781063
                                                                                    • Opcode ID: be9123980db5a4e90bc4c9e99e9a2a15085d058c063778f0307185b483616217
                                                                                    • Instruction ID: 4b34c18c29687be0c4fea0dec05c64a131d38a1eceb02411dc825b4dfe0a8886
                                                                                    • Opcode Fuzzy Hash: be9123980db5a4e90bc4c9e99e9a2a15085d058c063778f0307185b483616217
                                                                                    • Instruction Fuzzy Hash: DA91D0B2A002099FDB10DFA9CD11BBEBBB4EF44B24F14401DEA45AB261EB759D40DB52
                                                                                    APIs
                                                                                    • curl_maprintf.LIBCURL(%lu,?), ref: 10038204
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_maprintf
                                                                                    • String ID: RSA Public Key (%lu bits)$%lu$RSA Public Key$dh(g)$dh(p)$dh(pub_key)$dhpublicnumber$dsa$dsa(g)$dsa(p)$dsa(pub_key)$dsa(q)$rsa(e)$rsa(n)$rsaEncryption
                                                                                    • API String ID: 3307269620-1220118048
                                                                                    • Opcode ID: b3da2da4dd228679d986b9b5c667f0f7bdc885f7063f58db7c4bfbf0f1649eb2
                                                                                    • Instruction ID: 85aa616e0dc36fb0656426fd62c13d2dd677d8c15304ff262a9fb7bed9cfa309
                                                                                    • Opcode Fuzzy Hash: b3da2da4dd228679d986b9b5c667f0f7bdc885f7063f58db7c4bfbf0f1649eb2
                                                                                    • Instruction Fuzzy Hash: 5951A8BA4043046FD216D765DC81DAB73ECEF84645F04896CF9895B206EA35FE08C7A2
                                                                                    APIs
                                                                                    • GdipSetSmoothingMode.GDIPLUS(?,00000002,B69A1A1E,?,00000000,00000000,00000001,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00FD860A
                                                                                    • GdipFillEllipse.GDIPLUS(?,?,?,?,?,00000000,00000000,00000001), ref: 00FD8757
                                                                                    • GdipDeleteBrush.GDIPLUS(?,?,?,?,?,?,00000000,00000000,00000001), ref: 00FD8774
                                                                                    • GdipCreatePen1.GDIPLUS(010CFC10,00000007,00000000,00000000,?,00000002,B69A1A1E,?,00000000,00000000,00000001), ref: 00FD882F
                                                                                    • GdipSetPenStartCap.GDIPLUS(00000000,00000002,010CFC10,00000007,00000000,00000000,?,00000002,B69A1A1E,?,00000000,00000000,00000001), ref: 00FD8843
                                                                                    • GdipSetPenEndCap.GDIPLUS(00000000,00000002,00000000,00000002,010CFC10,00000007,00000000,00000000,?,00000002,B69A1A1E,?,00000000,00000000,00000001), ref: 00FD8858
                                                                                    • GdipDrawLine.GDIPLUS(?,00000000,00000002,B69A1A1E,?,00000000,00000000,00000001), ref: 00FD889B
                                                                                    • GdipDeletePen.GDIPLUS(00000000,?,00000000,00000002,B69A1A1E,?,00000000,00000000,00000001), ref: 00FD88B1
                                                                                    • GdipCreateSolidFill.GDIPLUS(010CFC10,00000000,?,00000002,B69A1A1E,?,00000000,00000000,00000001,?,00000000), ref: 00FD89A7
                                                                                    • GdipFillRectangle.GDIPLUS(?,00000000,?,B69A1A1E,?,00000000,00000000,00000001,?,00000000), ref: 00FD89F3
                                                                                    • GdipDeleteBrush.GDIPLUS(00000000,?,00000000,?,B69A1A1E,?,00000000,00000000,00000001,?,00000000), ref: 00FD8A15
                                                                                    • GdipCreateSolidFill.GDIPLUS(96FF0000,?), ref: 00FD8ADC
                                                                                    • GdipFillEllipse.GDIPLUS(?,00000000), ref: 00FD8B20
                                                                                    • GdipDeleteBrush.GDIPLUS(00000000,?,00000000), ref: 00FD8B3B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Gdip$Fill$Delete$BrushCreate$EllipseSolid$DrawLineModePen1RectangleSmoothingStart
                                                                                    • String ID: &
                                                                                    • API String ID: 2944087214-3042966939
                                                                                    • Opcode ID: 7b7bfc5fd8c505441a1d8cff73c6e6b28887fca9cd3901cf84722d4292d80b32
                                                                                    • Instruction ID: 7d9b2585ecea2ddd97eab9f98effc00a11bdbb95ee3090378742b5af8c5a08dd
                                                                                    • Opcode Fuzzy Hash: 7b7bfc5fd8c505441a1d8cff73c6e6b28887fca9cd3901cf84722d4292d80b32
                                                                                    • Instruction Fuzzy Hash: 77F15971D1074AABCB11CFB6C9806EEF7B0BF59350F18C71AE854762A0EB30A585AF50
                                                                                    APIs
                                                                                    • ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU(B69A1A1E), ref: 00FE059A
                                                                                    • GetClientRect.USER32(?,?), ref: 00FE05A7
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00FE05B9
                                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FE05CA
                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00FE0634
                                                                                    • SetCursor.USER32(00000000), ref: 00FE063B
                                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 00FE0648
                                                                                      • Part of subcall function 00FDFAD0: ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00FDFB12
                                                                                      • Part of subcall function 00FDFAD0: ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00FDFB1F
                                                                                      • Part of subcall function 00FDFAD0: ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00FDFB2B
                                                                                      • Part of subcall function 00FDFAD0: ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00FDFB38
                                                                                      • Part of subcall function 00FDFAD0: ??0CDuiPoint@DuiLib@@QAE@HH@Z.YCOMUIU ref: 00FDFB65
                                                                                      • Part of subcall function 00FDFAD0: ??4CDuiPoint@DuiLib@@QAEAAV01@$$QAV01@@Z.YCOMUIU(00000000), ref: 00FDFB72
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@$Rect@$CursorHeight@LongPoint@RectWidth@Window$ClientInvalidateLoadV01@$$V01@@
                                                                                    • String ID:
                                                                                    • API String ID: 3514533644-0
                                                                                    • Opcode ID: 7e118c1814de682456e4da4cdbfaa6a54de3d53d9c321a3e13a072fb82bcf2e9
                                                                                    • Instruction ID: df255c3fa635b0d664417f579671efc2392238abc5160ceddcc666146ed7dc2f
                                                                                    • Opcode Fuzzy Hash: 7e118c1814de682456e4da4cdbfaa6a54de3d53d9c321a3e13a072fb82bcf2e9
                                                                                    • Instruction Fuzzy Hash: CFA1B170A00646EFEB24DF65C884BADBBB5FF04310F144129E456E7291DFB6A890EF91
                                                                                    APIs
                                                                                    • SHBrowseForFolderW.SHELL32(B69A1A1E), ref: 010140E1
                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 010140F7
                                                                                    • PathAddBackslashW.SHLWAPI(?,?,6C414B50), ref: 01014108
                                                                                    • GetPrivateProfileIntW.KERNEL32(Config,UtilFlag,00000000,?), ref: 0101421E
                                                                                    • SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UtilFlag,00000004,?), ref: 0101424E
                                                                                    • WritePrivateProfileStringW.KERNEL32(Config,UtilFlag,?,00000004), ref: 01014297
                                                                                    • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,769523D0), ref: 01014353
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 01014360
                                                                                    • CloseHandle.KERNEL32(?), ref: 01014369
                                                                                    • CloseHandle.KERNEL32(?), ref: 01014372
                                                                                      • Part of subcall function 00FC5150: FindResourceExW.KERNEL32(00000000,00000006,00FC5E74,00000000,00000000,00000000,00000000,?,00FC5E74,-00000010), ref: 00FC518E
                                                                                      • Part of subcall function 00FC5150: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00FC51D7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseFindHandlePathPrivateProfileResource$BackslashBrowseCreateFolderFromListObjectProcessSingleStringValueWaitWrite
                                                                                    • String ID: Config$Config.ini$Software\EasePaintWatermarkRemover$UtilFlag
                                                                                    • API String ID: 82620523-495804700
                                                                                    • Opcode ID: 9d68b92689678f5d548b3f439b882fab2684438770c81f00c573b1c5bfd01a0c
                                                                                    • Instruction ID: 1fc6bda5c89b74d8ffcbe28a8b20f2e0c33bf33c48534c675af50445d796eeec
                                                                                    • Opcode Fuzzy Hash: 9d68b92689678f5d548b3f439b882fab2684438770c81f00c573b1c5bfd01a0c
                                                                                    • Instruction Fuzzy Hash: 8491CE71A00209AFCB20DFA8CC49BEEBBB8FF54314F144259F955A7295DB79A940CF90
                                                                                    APIs
                                                                                    • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(picFile,?,B69A1A1E,?,?,?,?,010B6240,000000FF,?,00FFEA3D,?), ref: 00FFE2D1
                                                                                    • ?SetBkImage@CControlUI@DuiLib@@QAE_NPB_W@Z.YCOMUIU(?,?,?,?,?,?,010B6240,000000FF,?,00FFEA3D,?), ref: 00FFE30B
                                                                                      • Part of subcall function 00FFD9D0: ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(?,B69A1A1E), ref: 00FFDA06
                                                                                    • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(wndMedia,?,B69A1A1E,?,?,?,?,010B6240,000000FF,?,00FFEA3D,?), ref: 00FFE36F
                                                                                    • ?GetHWND@CWndUI@DuiLib@@QAEPAUHWND__@@XZ.YCOMUIU(?,?,?,?,010B6240,000000FF,?,00FFEA3D,?), ref: 00FFE37E
                                                                                    • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(picMedia,?,?,?,?,010B6240,000000FF,?,00FFEA3D,?), ref: 00FFE3A8
                                                                                    • ?SetBkImage@CControlUI@DuiLib@@QAE_NPB_W@Z.YCOMUIU(?,?,?,?,?,?,010B6240,000000FF,?,00FFEA3D,?), ref: 00FFE3DE
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(wndMedia,?,?,?,?,?,010B6240,000000FF,?,00FFEA3D,?), ref: 00FFE420
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(picMedia,?), ref: 00FFE43C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@$Control$Control@FindI@2@ManagerPaint$Base@Image@ImplShowWindowWindow@$D__@@
                                                                                    • String ID: LayPic_AWatermark$LayView_VideoWatermark$file='%s' restype='fullpath'$picFile$picMedia$wndMedia
                                                                                    • API String ID: 1129891798-2326193580
                                                                                    • Opcode ID: 1a6318e949b9a5f549c00dbf011ab0e3ba79d0ca7ae3addad411fcbe425529af
                                                                                    • Instruction ID: 84b82c194ba04686f7c03d021a66b13d0b8262ba0aa0236c6bb5619323b7b513
                                                                                    • Opcode Fuzzy Hash: 1a6318e949b9a5f549c00dbf011ab0e3ba79d0ca7ae3addad411fcbe425529af
                                                                                    • Instruction Fuzzy Hash: 12718C31E002099FDB14DFA8C955ABEBBB1FF48710F14425DE981A72A1EB36AD50DB90
                                                                                    APIs
                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,B69A1A1E), ref: 00FC44F6
                                                                                    • curl_easy_init.LIBCURL ref: 00FC4506
                                                                                    • curl_easy_setopt.LIBCURL(00000000,00002712,00000000,?,?,?,00000003), ref: 00FC45B5
                                                                                    • curl_easy_setopt.LIBCURL(00000000,00004E2B,Function_00034470,?,?,?,00000003), ref: 00FC45C2
                                                                                    • curl_easy_setopt.LIBCURL(00000000,00002711,00000000,?,?,?,00000003), ref: 00FC45CD
                                                                                    • curl_easy_setopt.LIBCURL(00000000,00000044,00000005,?,?,?,00000003), ref: 00FC45D4
                                                                                    • curl_easy_setopt.LIBCURL(00000000,00000034,00000001,?,?,?,00000003), ref: 00FC45DB
                                                                                    • curl_easy_setopt.LIBCURL(00000000,0000002B,00000000,?,?,?,00000003), ref: 00FC45E2
                                                                                    • curl_easy_setopt.LIBCURL(00000000,00000040,00000000), ref: 00FC45EC
                                                                                    • curl_easy_setopt.LIBCURL(00000000,00000051,00000000), ref: 00FC45F3
                                                                                    • curl_easy_perform.LIBCURL(00000000), ref: 00FC45F6
                                                                                    • curl_easy_strerror.LIBCURL(00000000), ref: 00FC4606
                                                                                    • curl_easy_cleanup.LIBCURL(00000000), ref: 00FC4653
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_easy_setopt$CreateGlobalStreamcurl_easy_cleanupcurl_easy_initcurl_easy_performcurl_easy_strerror
                                                                                    • String ID: CURL Error CODE:
                                                                                    • API String ID: 171543683-4205966572
                                                                                    • Opcode ID: 68cc5b1e9c7dfdd299756ad4efb498d5306d449ac1741d17005226b90a4b2cfe
                                                                                    • Instruction ID: a3bef1a453300c4e56700912f83aa927aed38f37a768017c8ded69f5ae66e78f
                                                                                    • Opcode Fuzzy Hash: 68cc5b1e9c7dfdd299756ad4efb498d5306d449ac1741d17005226b90a4b2cfe
                                                                                    • Instruction Fuzzy Hash: 3451C671E00205ABDB20DB64CD56FAFBB7CEF44720F144519F916AB2C1DB76AA00DBA1
                                                                                    APIs
                                                                                    • _sscanf.LIBCMT ref: 1000CDB5
                                                                                      • Part of subcall function 100424E0: _vscan_fn.LIBCMT ref: 100424F5
                                                                                    • _sscanf.LIBCMT ref: 1000CEAA
                                                                                    • curl_maprintf.LIBCURL(%d.%d.%d.%d,?,?,?,?), ref: 1000CF3B
                                                                                    Strings
                                                                                    • Weirdly formatted EPSV reply, xrefs: 1000CE51
                                                                                    • Skip %d.%d.%d.%d for data connection, re-use %s instead, xrefs: 1000CF04
                                                                                    • %d,%d,%d,%d,%d,%d, xrefs: 1000CEA4
                                                                                    • Can't resolve proxy host %s:%hu, xrefs: 1000CFC2
                                                                                    • Illegal port number in EPSV reply, xrefs: 1000CDED
                                                                                    • Can't resolve new host %s:%hu, xrefs: 1000D027
                                                                                    • %c%c%c%u%c, xrefs: 1000CDAF
                                                                                    • %d.%d.%d.%d, xrefs: 1000CF36
                                                                                    • Couldn't interpret the 227-response, xrefs: 1000CEC6
                                                                                    • Bad PASV/EPSV response: %03d, xrefs: 1000D123
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _sscanf$_vscan_fncurl_maprintf
                                                                                    • String ID: %c%c%c%u%c$%d,%d,%d,%d,%d,%d$%d.%d.%d.%d$Bad PASV/EPSV response: %03d$Can't resolve new host %s:%hu$Can't resolve proxy host %s:%hu$Couldn't interpret the 227-response$Illegal port number in EPSV reply$Skip %d.%d.%d.%d for data connection, re-use %s instead$Weirdly formatted EPSV reply
                                                                                    • API String ID: 1533239271-2577756270
                                                                                    • Opcode ID: bd8c8db8231559545fd110671391ecf9a38542855e5db7573ca3fd59b2c067aa
                                                                                    • Instruction ID: fc0ab97651e39ad84a6488c48f64f5df544f6c7f0d629624cb4d00c22d8d86bf
                                                                                    • Opcode Fuzzy Hash: bd8c8db8231559545fd110671391ecf9a38542855e5db7573ca3fd59b2c067aa
                                                                                    • Instruction Fuzzy Hash: D7B1DA76904345ABF310DF64DC81EBBB3E8EB84295F440D2EF95983205E635B949CBB2
                                                                                    APIs
                                                                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,B69A1A1E), ref: 00FC611F
                                                                                    • curl_easy_init.LIBCURL(B69A1A1E), ref: 00FC613D
                                                                                    • curl_easy_setopt.LIBCURL(?,00002712,00000000,?,?,?,00000003), ref: 00FC61F0
                                                                                    • curl_easy_setopt.LIBCURL(?,00002715,?,?,?,?,00000003), ref: 00FC61FB
                                                                                    • curl_easy_setopt.LIBCURL(?,00004E2B,Function_00035F10,?,?,?,00000003), ref: 00FC6208
                                                                                    • curl_easy_setopt.LIBCURL(?,00002711,?,?,?,?,00000003), ref: 00FC6213
                                                                                    • curl_easy_setopt.LIBCURL(?,0000000D,00000014,?,?,?,00000003), ref: 00FC621A
                                                                                    • curl_easy_setopt.LIBCURL(?,00000040,00000000,?,?,?,00000003), ref: 00FC6221
                                                                                    • curl_easy_setopt.LIBCURL(?,00000051,00000000), ref: 00FC622B
                                                                                    • curl_easy_perform.LIBCURL(?), ref: 00FC622E
                                                                                    • curl_easy_cleanup.LIBCURL(?), ref: 00FC62A8
                                                                                      • Part of subcall function 00FC4170: WideCharToMultiByte.KERNEL32(80004005,00000000,?,000000FF,?,B69A1A1E,00000000,00000000,?,?,?,010FAD98,?,?,00FD56AD,80004005), ref: 00FC4195
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_easy_setopt$ByteCharMultiWide$curl_easy_cleanupcurl_easy_initcurl_easy_perform
                                                                                    • String ID: %s:%s$CURL Error CODE:
                                                                                    • API String ID: 3350456867-2876294989
                                                                                    • Opcode ID: b4f309e15e6d6ee56b63e6ac1beabfa890fa2ae9d7d1529098ebe9bc97e138e2
                                                                                    • Instruction ID: 10d9e54e65296819d7e2597a71c1a796d099f6df7adbae119fdaca416f51ef29
                                                                                    • Opcode Fuzzy Hash: b4f309e15e6d6ee56b63e6ac1beabfa890fa2ae9d7d1529098ebe9bc97e138e2
                                                                                    • Instruction Fuzzy Hash: 75A13271A043469BDB10DF68CD46FAEBBB4EF85324F18825CE815AB2D2DB75D901CB90
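The seven curl_easy_setopt calls listed in the block above carry their option numbers as raw hex (00002712, 00004E2B, 00000040, ...). libcurl encodes every CURLOPT_* constant as type_class * 10000 + id (0 = long, 1 = object/string pointer, 2 = function pointer, 3 = off_t, 4 = blob), so the numbers decode without the binary's symbols. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses setopt lines in the report's own format, names the options from a hand-picked subset of curl/curl.h (an assumption; it is not a complete table), and flags the two long-typed TLS options that are set to 0 here. Joe Sandbox reconstructs the argument list heuristically, so a `?` is an unresolved argument; only the option number and the values of long-typed options are trusted by the decoder. The sample input is the block's own setopt lines, copied verbatim.

```python
"""Decode curl_easy_setopt option numbers from Joe Sandbox 'APIs' lines.

Added example; not code from the report or the sample. Option encoding per
curl/curl.h: option = type_class * 10000 + id. NAMES is a hand-picked
subset of CURLOPT_* constants (assumption: enough for the options seen here).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

TYPE_CLASS = {0: "LONG", 1: "OBJECTPOINT", 2: "FUNCTIONPOINT", 3: "OFF_T", 4: "BLOB"}

# Subset of CURLOPT_* values from curl/curl.h (not a complete table).
NAMES = {
    13: "CURLOPT_TIMEOUT",
    47: "CURLOPT_POST",
    52: "CURLOPT_FOLLOWLOCATION",
    64: "CURLOPT_SSL_VERIFYPEER",
    78: "CURLOPT_CONNECTTIMEOUT",
    81: "CURLOPT_SSL_VERIFYHOST",
    10001: "CURLOPT_WRITEDATA",
    10002: "CURLOPT_URL",
    10004: "CURLOPT_PROXY",
    10005: "CURLOPT_USERPWD",
    10015: "CURLOPT_POSTFIELDS",
    10018: "CURLOPT_USERAGENT",
    10023: "CURLOPT_HTTPHEADER",
    10065: "CURLOPT_CAINFO",
    20011: "CURLOPT_WRITEFUNCTION",
}

# Long-typed options where the value 0 disables a TLS check.
INSECURE_IF_ZERO = {"CURLOPT_SSL_VERIFYPEER", "CURLOPT_SSL_VERIFYHOST"}

# Matches the report's "curl_easy_setopt.LIBCURL(<args>), ref: <addr>" form.
LINE_RE = re.compile(r"curl_easy_setopt\.LIBCURL\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")


@dataclass
class SetOpt:
    ref: str              # call-site address from the report
    number: int           # decoded CURLOPT number
    type_class: str       # LONG / OBJECTPOINT / FUNCTIONPOINT / ...
    name: str             # CURLOPT_* name, or CURLOPT_#<n> if unknown
    raw_value: str        # third argument as the sandbox printed it
    long_value: Optional[int]  # numeric value, only for LONG options


def parse_setopt(line: str) -> Optional[SetOpt]:
    """Decode one report line; returns None for lines that are not setopt calls."""
    m = LINE_RE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group(1).split(",")]
    if len(args) < 2:
        return None
    number = int(args[1], 16)                   # second argument is the option
    raw_value = args[2] if len(args) > 2 else "?"
    tclass = TYPE_CLASS.get(number // 10000, "UNKNOWN")
    long_value = None
    # Only a long-typed option carries its value inline; pointers are opaque here.
    if tclass == "LONG" and re.fullmatch(r"[0-9A-Fa-f]+", raw_value):
        long_value = int(raw_value, 16)
    return SetOpt(m.group(2).upper(), number, tclass,
                  NAMES.get(number, f"CURLOPT_#{number}"), raw_value, long_value)


def decode_block(lines: List[str]) -> List[SetOpt]:
    return [o for o in map(parse_setopt, lines) if o is not None]


def tls_findings(opts: List[SetOpt]) -> List[str]:
    return [f"{o.name}=0 at {o.ref}: TLS verification disabled"
            for o in opts if o.name in INSECURE_IF_ZERO and o.long_value == 0]


# Constructed input: the setopt lines of the report block above, copied verbatim.
REPORT_LINES = [
    "• curl_easy_setopt.LIBCURL(?,00002712,00000000,?,?,?,00000003), ref: 00FC61F0",
    "• curl_easy_setopt.LIBCURL(?,00002715,?,?,?,?,00000003), ref: 00FC61FB",
    "• curl_easy_setopt.LIBCURL(?,00004E2B,Function_00035F10,?,?,?,00000003), ref: 00FC6208",
    "• curl_easy_setopt.LIBCURL(?,00002711,?,?,?,?,00000003), ref: 00FC6213",
    "• curl_easy_setopt.LIBCURL(?,0000000D,00000014,?,?,?,00000003), ref: 00FC621A",
    "• curl_easy_setopt.LIBCURL(?,00000040,00000000,?,?,?,00000003), ref: 00FC6221",
    "• curl_easy_setopt.LIBCURL(?,00000051,00000000), ref: 00FC622B",
    "• curl_easy_perform.LIBCURL(?), ref: 00FC622E",   # not a setopt; skipped
]

if __name__ == "__main__":
    decoded = decode_block(REPORT_LINES)
    for o in decoded:
        val = o.long_value if o.long_value is not None else o.raw_value
        print(f"{o.ref}  {o.number:>5}  {o.type_class:<13} {o.name:<24} {val}")
    for finding in tls_findings(decoded):
        print("!", finding)
```

Run as-is and the seven calls decode to URL, USERPWD, WRITEFUNCTION (Function_00035F10 as the callback), WRITEDATA, TIMEOUT = 20 seconds, SSL_VERIFYPEER = 0 and SSL_VERIFYHOST = 0. The last two are the point worth carrying into the write-up: this function performs an authenticated (USERPWD, matching the "%s:%s" string in the block) HTTPS request with certificate and hostname checks turned off, so any on-path party can intercept it. The report does not say whether this routine belongs to the DanaBot payload or to the EasePaint host application the sample is wrapped in; the decoder only describes the call site.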
                                                                                    APIs
                                                                                    • sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 100293AB
                                                                                    • WSAGetLastError.WS2_32 ref: 100293B5
                                                                                    • sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 1002946D
                                                                                    • WSAGetLastError.WS2_32 ref: 10029477
                                                                                    • sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 1002958A
                                                                                    Strings
                                                                                    • Received last DATA packet block %d again., xrefs: 10029353
                                                                                    • Received unexpected DATA packet block %d, expecting block %d, xrefs: 1002940C
                                                                                    • tftp_rx: internal error, xrefs: 1002959C
                                                                                    • Timeout waiting for block %d ACK. Retries = %d, xrefs: 100294CC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: sendto$ErrorLast
                                                                                    • String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
                                                                                    • API String ID: 4042023021-1785996722
                                                                                    • Opcode ID: a24116a0ddf9dcf3915f39bf070c3d6fa310cdc327fecd35fe4e814570536660
                                                                                    • Instruction ID: ce9f392ca505ffeeef3ac9863c76dc0a39a2c634d13b67dc79780034789583c7
                                                                                    • Opcode Fuzzy Hash: a24116a0ddf9dcf3915f39bf070c3d6fa310cdc327fecd35fe4e814570536660
                                                                                    • Instruction Fuzzy Hash: 89817E75200B409FE321CB68EC44BA7B7E8FB89315F048A5DF99E87742D635B849CB60
                                                                                    APIs
                                                                                    • _sscanf.LIBCMT ref: 1000D1D1
                                                                                    • __time32.LIBCMT ref: 1000D1E0
                                                                                    • curl_msnprintf.LIBCURL(?,00000018,%04d%02d%02d %02d:%02d:%02d GMT,?,?,?,?,?,?,00000000), ref: 1000D213
                                                                                    • curl_getdate.LIBCURL(?,?,?,00000018,%04d%02d%02d %02d:%02d:%02d GMT,?,?,?,?,?,?,00000000), ref: 1000D222
                                                                                    • curl_msnprintf.LIBCURL(?,00000080,Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT,00000006,?,?,?,?,?,?), ref: 1000D2CC
                                                                                      • Part of subcall function 1000A830: curl_mvsnprintf.LIBCURL(?,00000801,?,?,00000000), ref: 1000A873
                                                                                    Strings
                                                                                    • Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 1000D2BD
                                                                                    • The requested document is not new enough, xrefs: 1000D324
                                                                                    • %04d%02d%02d%02d%02d%02d, xrefs: 1000D1CB
                                                                                    • unsupported MDTM reply format, xrefs: 1000D179
                                                                                    • %04d%02d%02d %02d:%02d:%02d GMT, xrefs: 1000D207
                                                                                    • Given file does not exist, xrefs: 1000D18C
                                                                                    • The requested document is not old enough, xrefs: 1000D36E
                                                                                    • Skipping time comparison, xrefs: 1000D3B4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_msnprintf$__time32_sscanfcurl_getdatecurl_mvsnprintf
                                                                                    • String ID: %04d%02d%02d %02d:%02d:%02d GMT$%04d%02d%02d%02d%02d%02d$Given file does not exist$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT$Skipping time comparison$The requested document is not new enough$The requested document is not old enough$unsupported MDTM reply format
                                                                                    • API String ID: 3422211390-226030088
                                                                                    • Opcode ID: 3782f4a6e1239cd18548d699dcb270bd71c08517d180be3b39965d882fffb8b0
                                                                                    • Instruction ID: 8c67fcb9b4e98c08a713b7dedef295a2864bc012902110f60a969bc41d26daf3
                                                                                    • Opcode Fuzzy Hash: 3782f4a6e1239cd18548d699dcb270bd71c08517d180be3b39965d882fffb8b0
                                                                                    • Instruction Fuzzy Hash: AD6190B56143009BE314DB64DC81FAFB3E5EB88344F408A1EF65997285DB74FA048B66
                                                                                    APIs
                                                                                    • HttpEndRequestW.WININET(?,00000000,00000000,00000000), ref: 00FA0661
                                                                                    • GetLastError.KERNEL32(00000000,CHttpToolW::EndRequest: hRequest can not be NULL.,00000000,00000000,?,00000199,00000000), ref: 00FA0679
                                                                                    Strings
                                                                                    • CHttpClientMapT::Exists: szName can not be NULL., xrefs: 00FA06B2
                                                                                    • CHttpPostStatT::FileCount: The post context is not active., xrefs: 00FA071C
                                                                                    • CHttpClientMapT::Exists: szName can not be NULL., xrefs: 00FA06E2
                                                                                    • CHttpToolW::EndRequest: hRequest can not be NULL., xrefs: 00FA066D
                                                                                    • CHttpToolA::FileExists: szFilePath can not be NULL., xrefs: 00FA0767
                                                                                    • CHttpToolW::FileExists: szFilePath can not be NULL., xrefs: 00FA07B9
                                                                                    • CHttpPostStatT::FileCount: The post context is not active., xrefs: 00FA06FC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorHttpLastRequest
                                                                                    • String ID: CHttpClientMapT::Exists: szName can not be NULL.$CHttpClientMapT::Exists: szName can not be NULL.$CHttpPostStatT::FileCount: The post context is not active.$CHttpPostStatT::FileCount: The post context is not active.$CHttpToolA::FileExists: szFilePath can not be NULL.$CHttpToolW::EndRequest: hRequest can not be NULL.$CHttpToolW::FileExists: szFilePath can not be NULL.
                                                                                    • API String ID: 4268994570-2375225463
                                                                                    • Opcode ID: 221b1a38c349fde5dce181520983ef459414380d43b5e1a65f2aaba96345983c
                                                                                    • Instruction ID: 3a2f85fe1d22de3751eed4589a6e18ab34b21240d4aacf9cda164ff54945d127
                                                                                    • Opcode Fuzzy Hash: 221b1a38c349fde5dce181520983ef459414380d43b5e1a65f2aaba96345983c
                                                                                    • Instruction Fuzzy Hash: 7431E5B06803087AEB346BE8EC4AF99339C9B05F19F248414BB18DE5C1DBBAF440DA55
                                                                                    APIs
                                                                                      • Part of subcall function 01011EB0: SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UtilFlag,00000000,00000000,?), ref: 01011EDD
                                                                                    • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(ProductName,?), ref: 00FD20CD
                                                                                    • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(LabelVersion,?), ref: 00FD20DA
                                                                                    • ?SetControlBkImage@WindowImplBase@DuiLib@@QAEXPB_W0@Z.YCOMUIU(AboutLogo,0111E7C0), ref: 00FD20EF
                                                                                    • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(buttonSite,0111E7C0), ref: 00FD2108
                                                                                    • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(CompanyName,0111E7C0), ref: 00FD211D
                                                                                    • ?SetControlBkImage@WindowImplBase@DuiLib@@QAEXPB_W0@Z.YCOMUIU(DlgFrame,0111E7C0), ref: 00FD2132
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Base@ImplLib@@Window$ItemText$ControlImage@$Value
                                                                                    • String ID: %s.%d$AboutLogo$CompanyName$DlgFrame$LabelVersion$ProductName$buttonSite
                                                                                    • API String ID: 828941793-949621626
                                                                                    • Opcode ID: 255f2b1c186ef77dd6a01406141f5e5c6dc298bfe68c9b05648c7f30a2f01df4
                                                                                    • Instruction ID: c0ec5bacafee53497fdc1b0e063c5b09c94885f0e98ed40caeca48d0e9f844f9
                                                                                    • Opcode Fuzzy Hash: 255f2b1c186ef77dd6a01406141f5e5c6dc298bfe68c9b05648c7f30a2f01df4
                                                                                    • Instruction Fuzzy Hash: E841B130A00605AFC725DB69CC49F6EB7FAEB48321F08826EE4659B391DB759C40CB91
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: %d.%d.%d.%d
                                                                                    • API String ID: 0-3491811756
                                                                                    • Opcode ID: bc880dfc19d73eb4d15f7772051bb79f713f54ce065d1c84e733f8082314450f
                                                                                    • Instruction ID: d42d968907478e532bfbecb7f21be56ec8a3f2fdccfadd355422fa9706eff036
                                                                                    • Opcode Fuzzy Hash: bc880dfc19d73eb4d15f7772051bb79f713f54ce065d1c84e733f8082314450f
                                                                                    • Instruction Fuzzy Hash: 36311632940119ABC730EB95EC85FFEB768EF58372F00416BED44D2201D7375914ABA1
APIs
• sendto.WS2_32(?,?,?,00000000,?,?), ref: 10029683
• WSAGetLastError.WS2_32 ref: 1002968D
• sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 10029913
Strings
• tftp_tx: internal error, event: %i, xrefs: 10029926
• tftp_tx: giving up waiting for block %d ack, xrefs: 10029646
• Received ACK for block %d, expecting %d, xrefs: 10029627
• Timeout waiting for block %d ACK. Retries = %d, xrefs: 1002982D
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: sendto$ErrorLast
• String ID: Received ACK for block %d, expecting %d$Timeout waiting for block %d ACK. Retries = %d$tftp_tx: giving up waiting for block %d ack$tftp_tx: internal error, event: %i
• API String ID: 4042023021-4197595102
• Opcode ID: 0e10570011fa2907e05a8fe2cb8c38ce776828025deff98db62c97c3bab16b57
• Instruction ID: 362c6c2c398b899d9ea8cea2288e2041f11b00ae6a523dc5d3d9da9da8398548
• Opcode Fuzzy Hash: 0e10570011fa2907e05a8fe2cb8c38ce776828025deff98db62c97c3bab16b57
• Instruction Fuzzy Hash: 91A16AB5204B019FE325CF68DC84AA7B3F8FB88315F544A2DF99A87651D731B845CB60
APIs
• ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(edtTextWatermark), ref: 0100A0ED
• ?GetDlgItemTextW@WindowImplBase@DuiLib@@QAE?AVCStdString@2@PB_W_N@Z.YCOMUIU(?,edtTextWatermark,00000000), ref: 0100A10D
• ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU ref: 0100A119
• ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(00000000), ref: 0100A135
• ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(edtFontSize), ref: 0100A200
• ?GetDlgItemTextW@WindowImplBase@DuiLib@@QAE?AVCStdString@2@PB_W_N@Z.YCOMUIU(?,edtFontSize,00000000), ref: 0100A21A
• ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU ref: 0100A226
• ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(00000000), ref: 0100A242
• ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU ref: 0100A2B1
• ?OnTimer@WindowImplBase@DuiLib@@UAEJIIJAAH@Z.YCOMUIU(?,?,?,?,?,?,80004005), ref: 0100A2F2
Strings
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Lib@@$String@$Base@ImplWindow$ItemString@2@Text$Timer@
• String ID: edtFontSize$edtTextWatermark
• API String ID: 465539673-2727772412
• Opcode ID: c19210177b632904d9c8f54a9a8f3c94f4394e6cb3e169e7d5e8610612435074
• Instruction ID: 50face343053d14f7282422fd46b7c35d03c94b470b3ed85bb4f33792eae11bb
• Opcode Fuzzy Hash: c19210177b632904d9c8f54a9a8f3c94f4394e6cb3e169e7d5e8610612435074
• Instruction Fuzzy Hash: 8461C131A00209DFEB65DB28CC45BEAB7F5EF58310F0441A8E99997291DF76AE84CF50
APIs
• LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,10067B70,1004D3FB,10067B70,Microsoft Visual C++ Runtime Library,00012010), ref: 100511A9
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 100511C5
  • Part of subcall function 10046140: TlsGetValue.KERNEL32(00000000,100461B5,00000000,1005118A,00000000,00000000,00000314,?,?,?,10067B70,1004D3FB,10067B70,Microsoft Visual C++ Runtime Library,00012010), ref: 1004614D
  • Part of subcall function 10046140: TlsGetValue.KERNEL32(00000009,?,?,?,10067B70,1004D3FB,10067B70,Microsoft Visual C++ Runtime Library,00012010), ref: 10046164
• GetProcAddress.KERNEL32(00000000,00000000), ref: 100511E2
  • Part of subcall function 10046140: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,10067B70,1004D3FB,10067B70,Microsoft Visual C++ Runtime Library,00012010), ref: 10046179
  • Part of subcall function 10046140: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 10046194
• GetProcAddress.KERNEL32(00000000,00000000), ref: 100511F7
• __invoke_watson.LIBCMT ref: 10051218
  • Part of subcall function 100467ED: _memset.LIBCMT ref: 10046879
  • Part of subcall function 100467ED: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 10046897
  • Part of subcall function 100467ED: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 100468A1
  • Part of subcall function 100467ED: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 100468AB
  • Part of subcall function 100467ED: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 100468C6
  • Part of subcall function 100467ED: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 100468CD
  • Part of subcall function 100461B7: TlsGetValue.KERNEL32(00000000,10046267,?,?,?,00000000), ref: 100461C4
  • Part of subcall function 100461B7: TlsGetValue.KERNEL32(00000009,?,?,?,00000000), ref: 100461DB
  • Part of subcall function 100461B7: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00000000), ref: 100461F0
  • Part of subcall function 100461B7: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 1004620B
• GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 1005122C
• GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 10051244
• __invoke_watson.LIBCMT ref: 100512B7
Strings
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
• String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
• API String ID: 2940365033-1046234306
• Opcode ID: c94a9ae44ea95125981ecfeade7f11be1df33cb81c76d0593e06c8ff55355cd0
• Instruction ID: 18c5adb033099e1444384a9c582b015aaf56d9027de182c8a3fbbc88629f4ed2
• Opcode Fuzzy Hash: c94a9ae44ea95125981ecfeade7f11be1df33cb81c76d0593e06c8ff55355cd0
• Instruction Fuzzy Hash: BB419075900215AAEF00EFA5CCC5CEE7BE9FF08240F21443EE504E21A1EB75AA48CB65
APIs
• ?GetDPIObj@CPaintManagerUI@DuiLib@@QAEPAVCDPI@2@XZ.YCOMUIU ref: 00FD62C8
• ?GetScale@CDPI@DuiLib@@QAEIXZ.YCOMUIU(00000064), ref: 00FD62DF
• MulDiv.KERNEL32(?,00000000), ref: 00FD62EB
• ?GetScale@CDPI@DuiLib@@QAEIXZ.YCOMUIU(00000064), ref: 00FD62F5
• MulDiv.KERNEL32(?,00000000), ref: 00FD62FB
• GetClientRect.USER32(?,?), ref: 00FD6318
• GetWindowLongW.USER32(?,000000F0), ref: 00FD6349
• GetMenu.USER32(?), ref: 00FD6355
• GetWindowLongW.USER32(?,000000EC), ref: 00FD636D
• GetWindowLongW.USER32(?,000000F0), ref: 00FD6376
• AdjustWindowRectEx.USER32(?,00000000), ref: 00FD637D
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,?), ref: 00FD63A1
• ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU ref: 00FD63A9
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Window$Lib@@$Long$RectScale@$AdjustCenterClientI@2@ManagerMenuObj@PaintWindow@Wnd@
• String ID:
• API String ID: 3482706143-0
• Opcode ID: 6f47a1a5b1d7cd60e914e4e0a7b3b8dcaf6167d8c236c62023f8dfec60c7db86
• Instruction ID: 1b6686b6883a4d6f421259252bdc00d7e91afe7fc5f3b8151cda3537bffead81
• Opcode Fuzzy Hash: 6f47a1a5b1d7cd60e914e4e0a7b3b8dcaf6167d8c236c62023f8dfec60c7db86
• Instruction Fuzzy Hash: 62312C31A00219AFDF209FA5CD44AAEBBBAEF44720F148265E815E7394DB36DD509B60
APIs
• GetDC.USER32(00000000), ref: 00FB06D9
• CreateCompatibleDC.GDI32(00000000), ref: 00FB06F6
• CreateCompatibleDC.GDI32(00000000), ref: 00FB06FE
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 00FB070D
• SelectObject.GDI32(00000000,?), ref: 00FB0720
• SelectObject.GDI32(?,?), ref: 00FB072A
• SetStretchBltMode.GDI32(?,00000004), ref: 00FB0733
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00FB0756
• SelectObject.GDI32(?,00000000), ref: 00FB0767
• SelectObject.GDI32(?,00000000), ref: 00FB076D
• DeleteDC.GDI32(?), ref: 00FB0776
• DeleteDC.GDI32(?), ref: 00FB077B
• ReleaseDC.USER32(00000000,?), ref: 00FB0782
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: ObjectSelect$CompatibleCreate$DeleteStretch$BitmapModeRelease
• String ID:
• API String ID: 1499107227-0
• Opcode ID: 247a3696b68ff4a963858948490bb57813716cee1c2e6a1ea22edb344373568c
• Instruction ID: 060fe88deba464c12c98be491432ce9afa5345311da278a3aa1bd234f916faf7
• Opcode Fuzzy Hash: 247a3696b68ff4a963858948490bb57813716cee1c2e6a1ea22edb344373568c
• Instruction Fuzzy Hash: A921D576900218FFDF219FE59C45F9EBF79EF48660F214095FA04A2251CA775920AFA0
APIs
• curl_maprintf.LIBCURL(%s%s%s,00000000,10058C7C,_netrc), ref: 1001BC39
  • Part of subcall function 100431B6: __fsopen.LIBCMT ref: 100431C0
• _fgets.LIBCMT ref: 1001BC94
Strings
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: __fsopen_fgetscurl_maprintf
• String ID: $%s%s%s$HOME$_netrc$default$login$machine$password
• API String ID: 4239879870-828792305
• Opcode ID: 961e2bc897a4774fd5e9d9542b0041566b790246c60ed4edae779937429e0127
• Instruction ID: 78eb5c5f2bc31cc2a6b37e2d1fe57ce5510197f361868b3e76f08949584f8d62
• Opcode Fuzzy Hash: 961e2bc897a4774fd5e9d9542b0041566b790246c60ed4edae779937429e0127
• Instruction Fuzzy Hash: 1371F1759097419BD760CB259D41B9F7BE4EF84380F04092DFE849B251EB35EA88CBA3
APIs
• _sscanf.LIBCMT ref: 10011266
  • Part of subcall function 100424E0: _vscan_fn.LIBCMT ref: 100424F5
• curl_msnprintf.LIBCURL(?,0000000C,;type=%c,?), ref: 10011388
• curl_maprintf.LIBCURL(%s://%s%s%s:%hu%s%s%s,100562B4,100562B4,?,100562C8,?,10055974,?,00000000), ref: 100113E4
• _strtol.LIBCMT ref: 1001147D
Strings
• Port number out of range, xrefs: 100114E1
• [%*45[0123456789abcdefABCDEF:.]%c, xrefs: 10011260
• Port number ended with '%c', xrefs: 1001149A
• %s://%s%s%s:%hu%s%s%s, xrefs: 100113DF
• ], xrefs: 10011277
• IPv6 numerical address used in URL without brackets, xrefs: 100112C9
• ;type=%c, xrefs: 1001137C
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: _sscanf_strtol_vscan_fncurl_maprintfcurl_msnprintf
• String ID: %s://%s%s%s:%hu%s%s%s$;type=%c$IPv6 numerical address used in URL without brackets$Port number ended with '%c'$Port number out of range$[%*45[0123456789abcdefABCDEF:.]%c$]
• API String ID: 977521783-3024769075
• Opcode ID: aa2246c8b4a2dbbd49478c7fe1fc5b0ca15035f7046706733a6b1be1eb4d2508
• Instruction ID: 3b8d77fabc931326797e475a89a076ed9ebfb1ad82110c19df61ee32b0a2c6af
• Opcode Fuzzy Hash: aa2246c8b4a2dbbd49478c7fe1fc5b0ca15035f7046706733a6b1be1eb4d2508
• Instruction Fuzzy Hash: AF71D2B56047418FD764CF249C41BEB73E5EB88741F40052EE999CB281E779EA88C752
                                                                                    APIs
                                                                                      • Part of subcall function 1000A830: curl_mvsnprintf.LIBCURL(?,00000801,?,?,00000000), ref: 1000A873
                                                                                    • CertFreeCertificateContext.CRYPT32(?), ref: 1003DFB3
                                                                                    Strings
                                                                                    • schannel: failed to setup sequence detection, xrefs: 1003DE09
                                                                                    • schannel: SSL/TLS connection with %s port %hu (step 3/3), xrefs: 1003DDE9
                                                                                    • schannel: failed to store credential handle, xrefs: 1003DF17
                                                                                    • schannel: old credential handle is stale, removing, xrefs: 1003DEE2
                                                                                    • schannel: stored credential handle in session cache, xrefs: 1003DF35
                                                                                    • schannel: failed to setup replay detection, xrefs: 1003DE1D
                                                                                    • schannel: failed to retrieve remote cert context, xrefs: 1003DFC6
                                                                                    • schannel: failed to setup memory allocation, xrefs: 1003DE48
                                                                                    • schannel: failed to setup confidentiality, xrefs: 1003DE31
                                                                                    • schannel: failed to setup stream orientation, xrefs: 1003DE5F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CertCertificateContextFreecurl_mvsnprintf
                                                                                    • String ID: schannel: SSL/TLS connection with %s port %hu (step 3/3)$schannel: failed to retrieve remote cert context$schannel: failed to setup confidentiality$schannel: failed to setup memory allocation$schannel: failed to setup replay detection$schannel: failed to setup sequence detection$schannel: failed to setup stream orientation$schannel: failed to store credential handle$schannel: old credential handle is stale, removing$schannel: stored credential handle in session cache
                                                                                    • API String ID: 4234272566-474070536
                                                                                    • Opcode ID: e91adc3a5efbb13a5165563ad51d964d80606eb400bb4b7e2efd6869c368ce50
                                                                                    • Instruction ID: c478f98e0a159ad2f057683c34f71606fd09738ef0a0ee99c450f723ab48b3ca
                                                                                    • Opcode Fuzzy Hash: e91adc3a5efbb13a5165563ad51d964d80606eb400bb4b7e2efd6869c368ce50
                                                                                    • Instruction Fuzzy Hash: A6510C355002055FD712FA24EC85FAB73E8EF81796F01452EF9158E242E739EA49CBA1
                                                                                    APIs
                                                                                    • GetPrivateProfileStringW.KERNEL32(762212C0,BtnName,010C8660,?,00000104,?), ref: 00FD463A
                                                                                    • GetPrivateProfileStringW.KERNEL32(Payssion950,BtnIcon,010C8660,?,00000104,?), ref: 00FD46B3
                                                                                    • GetPrivateProfileStringW.KERNEL32(762212C0,pmid,010C8660,?,00000104,?), ref: 00FD471F
                                                                                    • GetPrivateProfileStringW.KERNEL32(762212C0,currency,010C8660,?,00000104,?), ref: 00FD478F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrivateProfileString
                                                                                    • String ID: BtnIcon$BtnName$Config.ini$Payssion%d$Payssion950$currency$pmid
                                                                                    • API String ID: 1096422788-3233091370
                                                                                    • Opcode ID: 0956f6384a327c77aabf9055604fcfd19f42a524616c8125a891f7b146bdc9b2
                                                                                    • Instruction ID: 98441ab3e49c3947e88c02c988dbd750cd96fc1616035e61d4fd3b4ff62ac39c
                                                                                    • Opcode Fuzzy Hash: 0956f6384a327c77aabf9055604fcfd19f42a524616c8125a891f7b146bdc9b2
                                                                                    • Instruction Fuzzy Hash: 0971C67494021DAFCB24DF54DC89FEAB7B8EF18714F0442D9A806A7241EB30AE85CF90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: %s$Connection$Content-Length$Content-Type:$Host:$Transfer-Encoding:
                                                                                    • API String ID: 0-3301244629
                                                                                    • Opcode ID: 56d42204707c5fceab9f85c785188a8554941a91b434044b4e4855ee8b083e7f
                                                                                    • Instruction ID: aa736c68c841c66c9633f1ab343fd965593ca043f30b4ab553cafe23af9d46a2
                                                                                    • Opcode Fuzzy Hash: 56d42204707c5fceab9f85c785188a8554941a91b434044b4e4855ee8b083e7f
                                                                                    • Instruction Fuzzy Hash: D4518374E043429BF711CE20884576A77D5FF813C8F154969EC8C9A24AE37ADA85CB92
                                                                                    APIs
                                                                                    • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(labelPlayTime,?,?,6C414480), ref: 0102E4DD
                                                                                    • ??0CStdString@DuiLib@@QAE@XZ.YCOMUIU(?,?,6C414480), ref: 0102E4F3
                                                                                    • _strftime.LIBCMT ref: 0102E53E
                                                                                    • _strftime.LIBCMT ref: 0102E55B
                                                                                    • ?Format@CStdString@DuiLib@@QAAHPB_WZZ.YCOMUIU(?,%s/%s,?,?,?,00000104,010D5EDC,?,?,00000104,010D5EDC,?,?,?,?,6C414480), ref: 0102E57A
                                                                                    • ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU ref: 0102E58B
                                                                                    • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU ref: 0102E5A4
                                                                                    • ?GetMaxValue@CProgressUI@DuiLib@@QBEHXZ.YCOMUIU(?,?,6C414480), ref: 0102E5B6
                                                                                    • ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(00000000,?,?,6C414480), ref: 0102E60D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@$String@$ProgressValue@_strftime$ControlControl@FindFormat@I@2@ManagerPaint
                                                                                    • String ID: %s/%s$labelPlayTime
                                                                                    • API String ID: 3878013293-3311479159
                                                                                    • Opcode ID: 3811270ad9c7c2e21f5d6a180648a0fcfc10cdb3d384144341b3ee1feb5f6181
                                                                                    • Instruction ID: 76e818b780868a40214c52d8084e6aea49ed00be731603ff61e807bd17764f89
                                                                                    • Opcode Fuzzy Hash: 3811270ad9c7c2e21f5d6a180648a0fcfc10cdb3d384144341b3ee1feb5f6181
                                                                                    • Instruction Fuzzy Hash: F75141B5A5061A9FCB25DB64CC84BE9B7B8FF48301F1042BAE559A7244EF316A80CF54
                                                                                    APIs
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100026A0
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100026D0
                                                                                    • curl_msnprintf.LIBCURL(00000000,00000009,%2I64d:%02I64d:%02I64d,00000000,?,00000001,?,00000000,00000000,00000001,?,0000003C,00000000,00000000,?,0000003C), ref: 10002719
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1000272F
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10002761
                                                                                    • curl_msnprintf.LIBCURL(00000000,00000009,%3I64dd %02I64dh,00000000,?,00000000,?,00000000,00000000,00000E10,00000000,00000000,?,00015180,00000000,00000000), ref: 10002776
                                                                                    • curl_msnprintf.LIBCURL(00000000,00000009,%7I64dd,00000000,?,00000000,00000000,00015180,00000000,00000000,00000000,00000E10,00000000,?,?,00000010), ref: 10002791
                                                                                      • Part of subcall function 10019330: curl_mvsnprintf.LIBCURL(?,?,?,?,1000A784,?,000000A0,[%s %s %s],Header,from,?,?,?,?,00000000), ref: 10019344
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$curl_msnprintf$curl_mvsnprintf
                                                                                    • String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd$--:--:--
                                                                                    • API String ID: 3182149714-1858174321
                                                                                    • Opcode ID: 83abc8dc7a353510a2782d8e25140cd2a070d259435307e5077e84e292cde1f3
                                                                                    • Instruction ID: 4b9792f734004b9aa030720cc838fb61c6af88dcb9ee60db0b6a1e5317b7b69b
                                                                                    • Opcode Fuzzy Hash: 83abc8dc7a353510a2782d8e25140cd2a070d259435307e5077e84e292cde1f3
                                                                                    • Instruction Fuzzy Hash: 373157763447047FF210DA28AC92F7BBB9DEBC0BD4F114529F604EB192E972BD4082A5
                                                                                    APIs
                                                                                    • ?GetCurSel@CTileLayoutUI@DuiLib@@QBEHXZ.YCOMUIU(B69A1A1E,?,6C414A20), ref: 010086D5
                                                                                    • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,picSelectIcon), ref: 01008706
                                                                                    • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,picSelectBg), ref: 01008725
                                                                                    • ?FindSubControlByName@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PAV32@PB_W@Z.YCOMUIU(00000000,picThumbnail), ref: 01008744
                                                                                    • ??BCStdString@DuiLib@@QBEPB_WXZ.YCOMUIU ref: 01008769
                                                                                    • ??1CStdString@DuiLib@@QAE@XZ.YCOMUIU(00000000), ref: 01008785
                                                                                    • PathFileExistsW.SHLWAPI(?), ref: 01008791
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ControlLib@@$FindI@2@ManagerName@PaintV32@$String@$ExistsFileLayoutPathSel@Tile
                                                                                    • String ID: JAl$picSelectBg$picSelectIcon$picThumbnail
                                                                                    • API String ID: 1695393328-906364417
                                                                                    • Opcode ID: f6491fd73fd7d3bc0052d0b940f5324617f5cf827ada1f77cfbfbaeb531ab361
                                                                                    • Instruction ID: 2fd53610ea16608a1aaf9ff4b38710a35ab81408d5170b35e0be40f9f638a5e3
                                                                                    • Opcode Fuzzy Hash: f6491fd73fd7d3bc0052d0b940f5324617f5cf827ada1f77cfbfbaeb531ab361
                                                                                    • Instruction Fuzzy Hash: 5D41DF30A006059FEB75DB28C984BAAB7F5FF45710F1046AEE59AD72D5EF30A940CB41
                                                                                    APIs
                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1002C2AF
                                                                                    • LoadLibraryA.KERNEL32(?), ref: 1002C30A
                                                                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 1002C324
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 1002C32B
                                                                                    • LoadLibraryA.KERNEL32(?), ref: 1002C370
                                                                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 1002C37E
                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 1002C38C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryProc$Load$DirectoryFreeSystem
                                                                                    • String ID: \ws2_32$\wship6$getaddrinfo
                                                                                    • API String ID: 4000602377-3078833738
                                                                                    • Opcode ID: 9fb50f5fd0972e101935d3ab7aa1acb853663b898af80853700aa03c9c13e341
                                                                                    • Instruction ID: 459fa2847a778fce6d749613da9a081defae1f41c063e49a4bc0e59ebfb93761
                                                                                    • Opcode Fuzzy Hash: 9fb50f5fd0972e101935d3ab7aa1acb853663b898af80853700aa03c9c13e341
                                                                                    • Instruction Fuzzy Hash: C841F1705093598FD310CF68ECA4E9BB7E4EF88354F508A2DE88983390E775D904CBA6
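The record above deserves a second look during triage: getaddrinfo is fetched at run time through GetSystemDirectoryA, LoadLibraryA and GetProcAddress against two candidate DLLs (the String ID lists \ws2_32 and \wship6), so that export never appears in the module's static import table. In a listing this long the quickest way to find records of that kind is to parse them and group them by the memory-dump base they were taken from (10000000 for the hcaresult_9_2_10000000_EasePaint snapshot, 00F90000 for the main image). The Python below is an added triage helper, not part of the Joe Sandbox report or its tooling; it assumes the record layout shown on this page (bullet lines under APIs, Strings, Memory Dump Source and Similarity, each record ending at its Opcode ID line), and SAMPLE is a constructed excerpt copied from three records on this page.

```python
"""Parse the per-function records of a Joe Sandbox execution-graph listing (the
"APIs / Strings / Memory Dump Source / Similarity" blocks) and summarise them per
memory-dump module. Added triage helper, not part of the report; SAMPLE is a
constructed excerpt copied from records on this page."""
import re
from collections import Counter, defaultdict

SAMPLE = """\
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1002C2AF
• LoadLibraryA.KERNEL32(?), ref: 1002C30A
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 1002C324
• FreeLibrary.KERNEL32(00000000), ref: 1002C32B
• LoadLibraryA.KERNEL32(?), ref: 1002C370
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 1002C37E
• GetProcAddress.KERNEL32(00000000,?), ref: 1002C38C
Strings
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID: AddressLibraryProc$Load$DirectoryFreeSystem
• String ID: \\ws2_32$\\wship6$getaddrinfo
• Opcode ID: 9fb50f5fd0972e101935d3ab7aa1acb853663b898af80853700aa03c9c13e341
APIs
• GetPrivateProfileStringW.KERNEL32(762212C0,BtnName,010C8660,?,00000104,?), ref: 00FD463A
• GetPrivateProfileStringW.KERNEL32(762212C0,pmid,010C8660,?,00000104,?), ref: 00FD471F
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
Similarity
• API ID: PrivateProfileString
• String ID: BtnIcon$BtnName$Config.ini$Payssion%d$Payssion950$currency$pmid
• Opcode ID: 0956f6384a327c77aabf9055604fcfd19f42a524616c8125a891f7b146bdc9b2
Strings
• ABOR, xrefs: 1000E37A
• Failure sending ABOR command: %s, xrefs: 1000E39E
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID:
• String ID: ABOR$Failure sending ABOR command: %s
• Opcode ID: 05ef0a38e0622495bea9a990da6a66ee78949d37f4bceddac9ad7a6f7afa3b61
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# API line: "<name>.<DLL>(<args>), ref: <addr>"; the argument list is absent for CRT symbols (_strftime.LIBCMT)
API_RE = re.compile(r"^(?:Part of subcall function [0-9A-F]+: )?(.+?)\.([A-Z0-9_]+)(?:\((.*)\))?,? ref: ([0-9A-F]+)$")
STR_RE = re.compile(r"^(.*), xrefs: ([0-9A-F]+)$")
SRC_RE = re.compile(r"^Source File: (\S+), Offset: ([0-9A-F]+), based on PE: (true|false)$")

def parse_records(text):
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:  # "APIs" (or a bare "Strings") opens a record
            cur = cur or {"offset": None, "apis": [], "strings": [], "api_id": "", "string_ids": [], "opcode_id": ""}
            section = line
        elif cur is not None and line.startswith("• "):
            body = line[2:]
            if section == "APIs" and (m := API_RE.match(body)):
                cur["apis"].append({"name": m.group(1), "args": m.group(3).split(",") if m.group(3) else []})
            elif section == "Strings" and (m := STR_RE.match(body)):
                cur["strings"].append(m.group(1))
            elif section == "Memory Dump Source" and (m := SRC_RE.match(body)):
                cur["offset"] = int(m.group(2), 16)
            elif section == "Similarity":
                key, _, val = (s.strip() for s in body.partition(":"))
                if key == "API ID":
                    cur["api_id"] = val
                elif key == "String ID":
                    cur["string_ids"] = val.split("$") if val else []
                elif key == "Opcode ID":  # last field of a record; trailing hash bullets are skipped
                    cur["opcode_id"] = val
                    records.append(cur)
                    cur, section = None, None
    return records

def summarise(records):
    """Per module base address: record count, API-call histogram, union of String IDs."""
    mods = defaultdict(lambda: {"records": 0, "apis": Counter(), "strings": set()})
    for r in records:
        m = mods[r["offset"]]
        m["records"] += 1
        m["apis"].update(a["name"] for a in r["apis"])
        m["strings"].update(r["string_ids"])
    return mods

def runtime_resolved_imports(records):
    """Records that fetch exports by name via GetProcAddress; such names never reach the PE import table."""
    hits = []
    for r in records:
        names = sorted({a["args"][1] for a in r["apis"] if a["name"] == "GetProcAddress"
                        and len(a["args"]) > 1 and a["args"][1] != "?"})
        if names:
            hits.append((r["offset"], r["opcode_id"][:12], names, r["string_ids"]))
    return hits

if __name__ == "__main__":
    for base, m in sorted(summarise(parse_records(SAMPLE)).items()):
        print(f"module {base:#010x}: {m['records']} record(s), APIs {m['apis'].most_common(3)}")
    for base, opc, names, strs in runtime_resolved_imports(parse_records(SAMPLE)):
        print(f"  {base:#010x} {opc}: GetProcAddress -> {names}; String ID {strs}")
```

Run as a script it prints the per-module summary and the GetProcAddress hits; on the full listing, pass the saved page text to parse_records. Fields the parser does not model (the Joe Sandbox IDA Plugin snapshot line, Instruction ID and the fuzzy hashes) are skipped rather than rejected, so records with extra bullets still parse, and a record that never reaches an Opcode ID line is dropped instead of being emitted half-filled.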
                                                                                    Strings
                                                                                    • Uploaded unaligned file size (%I64d out of %I64d bytes), xrefs: 1000E5A9
                                                                                    • partial download completed, closing connection, xrefs: 1000E4B0
                                                                                    • Received only partial file: %I64d bytes, xrefs: 1000E5F4
                                                                                    • Remembering we are in dir "%s", xrefs: 1000E320
                                                                                    • No data was received!, xrefs: 1000E638
                                                                                    • server did not report OK, got %d, xrefs: 1000E4EB
                                                                                    • ABOR, xrefs: 1000E37A
                                                                                    • Failure sending ABOR command: %s, xrefs: 1000E39E
                                                                                    • control connection looks dead, xrefs: 1000E468
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ABOR$Failure sending ABOR command: %s$No data was received!$Received only partial file: %I64d bytes$Remembering we are in dir "%s"$Uploaded unaligned file size (%I64d out of %I64d bytes)$control connection looks dead$partial download completed, closing connection$server did not report OK, got %d
                                                                                    • API String ID: 0-2312071747
                                                                                    APIs
                                                                                    Strings
                                                                                    • Can't get the size of file., xrefs: 100015E2
                                                                                    • Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 1000157A
                                                                                    • *, xrefs: 100017AE
                                                                                    • failed to resume file:// transfer, xrefs: 100017BC
                                                                                    • Accept-ranges: bytes, xrefs: 10001503
                                                                                    • Content-Length: %I64d, xrefs: 100014CD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: __fstat64i32
                                                                                    • String ID: *$Accept-ranges: bytes$Can't get the size of file.$Content-Length: %I64d$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT$failed to resume file:// transfer
                                                                                    • API String ID: 1951518964-516572687
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_mvsnprintf
                                                                                    • String ID: Authentication problem. Ignoring this.$Basic$Digest$Ignoring duplicate digest auth header.$NTLM$Negotiate
                                                                                    • API String ID: 3418963191-3881471014
                                                                                    APIs
                                                                                    • _sscanf.LIBCMT ref: 100331D8
                                                                                      • Part of subcall function 100424E0: _vscan_fn.LIBCMT ref: 100424F5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _sscanf_vscan_fn
                                                                                    • String ID: : %ld$CSeq:$Got RTSP Session ID Line [%s], but wanted ID [%s]$Got a blank Session ID$Session:$Unable to read the CSeq header: [%s]
                                                                                    • API String ID: 3764390770-1168109407
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,00000000,00000000,?,1000ADE0,00000004,00000000), ref: 100273B4
                                                                                    • _strerror.LIBCMT ref: 100273E8
                                                                                    • _strncpy.LIBCMT ref: 100273F2
                                                                                    • FormatMessageA.KERNEL32(00001000,00000000,?,00000000,?,000000FF,00000000), ref: 10027421
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,Unknown error %d (%#x),?,?), ref: 10027438
                                                                                    • _strrchr.LIBCMT ref: 1002744A
                                                                                    • _strrchr.LIBCMT ref: 10027465
                                                                                    • GetLastError.KERNEL32 ref: 1002748D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002749C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strrchr$FormatMessage_strerror_strncpycurl_msnprintf
                                                                                    • String ID: Unknown error %d (%#x)
                                                                                    • API String ID: 262350537-2414550090
                                                                                    APIs
                                                                                      • Part of subcall function 00FF1700: CharNextW.USER32(?,?,?,?), ref: 00FF173E
                                                                                      • Part of subcall function 00FF1700: CharNextW.USER32(00000000,?,?), ref: 00FF176B
                                                                                      • Part of subcall function 00FF1700: CharNextW.USER32(7693A7D0,?,?), ref: 00FF1784
                                                                                      • Part of subcall function 00FF1700: CharNextW.USER32(7693A7D0,?,?), ref: 00FF178F
                                                                                      • Part of subcall function 00FF1700: CharNextW.USER32(?,?,?), ref: 00FF17FE
                                                                                    • lstrcmpiW.KERNEL32(?,010CE5E0,?,B69A1A1E,?,?,?,?,?,010B46C1,000000FF), ref: 00FF03B3
                                                                                    • lstrcmpiW.KERNEL32(?,010CE600,?,?,?,?,?,010B46C1,000000FF), ref: 00FF03CA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CharNext$lstrcmpi
                                                                                    • String ID:
                                                                                    • API String ID: 3586774192-0
                                                                                    APIs
                                                                                    • ??0CDuiPoint@DuiLib@@QAE@XZ.YCOMUIU(B69A1A1E,?,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00FD836D
                                                                                    • GetCursorPos.USER32(00000000), ref: 00FD8377
                                                                                    • ScreenToClient.USER32(00000007,00000000), ref: 00FD8384
                                                                                    • ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU(?,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FD838D
                                                                                    • GetClientRect.USER32(00000007,00000000), ref: 00FD839A
                                                                                    • ?PtInRect@CDuiRect@DuiLib@@QBEHUtagPOINT@@@Z.YCOMUIU(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00FD83A9
                                                                                    • GdipCreateSolidFill.GDIPLUS(96FF0000,?,?,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000), ref: 00FD849C
                                                                                    • GdipFillEllipse.GDIPLUS(?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,00000000,00000000), ref: 00FD84DD
                                                                                    • ??9CDuiPoint@DuiLib@@QBEHUtagPOINT@@@Z.YCOMUIU(?,00000000,B69A1A1E,?,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,?,00000000,00000000,00000000), ref: 00FD851F
                                                                                    • GdipFillRectangle.GDIPLUS(?,00000000,?,?,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,?,00000000,00000000,00000000), ref: 00FD8586
                                                                                    • GdipDeleteBrush.GDIPLUS(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,?), ref: 00FD85A3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: GdipLib@@$FillRect@$ClientPoint@T@@@Utag$BrushCreateCursorDeleteEllipseRectRectangleScreenSolid
                                                                                    • String ID:
                                                                                    • API String ID: 3572262594-0
                                                                                    APIs
                                                                                    • ??0CDuiPoint@DuiLib@@QAE@XZ.YCOMUIU ref: 00FDA430
                                                                                    • GetCursorPos.USER32(?), ref: 00FDA43A
                                                                                    • ScreenToClient.USER32(?,?), ref: 00FDA447
                                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00FDA4A0
                                                                                    • SetCursor.USER32(00000000), ref: 00FDA4A7
                                                                                    • ??0CDuiPoint@DuiLib@@QAE@XZ.YCOMUIU ref: 00FDA4C0
                                                                                    • GetCursorPos.USER32(?), ref: 00FDA4CA
                                                                                    • ScreenToClient.USER32(?,?), ref: 00FDA4D7
                                                                                    • SetCursor.USER32(00000000), ref: 00FDA52B
                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00FDA542
                                                                                    • SetCursor.USER32(00000000), ref: 00FDA549
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cursor$ClientLib@@LoadPoint@Screen
                                                                                    • String ID:
                                                                                    • API String ID: 702515206-0
                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(?,00000000,B69A1A1E), ref: 00FCE11C
                                                                                    • CloseHandle.KERNEL32(?), ref: 00FCE133
                                                                                      • Part of subcall function 00FC5150: FindResourceExW.KERNEL32(00000000,00000006,00FC5E74,00000000,00000000,00000000,00000000,?,00FC5E74,-00000010), ref: 00FC518E
                                                                                      • Part of subcall function 00FC5150: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00FC51D7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindResource$CloseHandleObjectSingleWait
                                                                                    • String ID: AppId$ChannelCode$Content$OsBit$Version$error.ashx$http://
                                                                                    • API String ID: 327101899-1057271210
                                                                                    • Opcode ID: 810deb883943854e51d2bbaf76722f003806fb0b18965b51833912167ed1e140
                                                                                    • Instruction ID: b9ecd67eaa5967c693d7dbe6347e337f60bd866c32ac7f9609827da128abfe5c
                                                                                    • Opcode Fuzzy Hash: 810deb883943854e51d2bbaf76722f003806fb0b18965b51833912167ed1e140
                                                                                    • Instruction Fuzzy Hash: 51E1A230901249DAEB10EB64CD46FEEBBB4BF11310F1445DCE445A7291DBB8AE84EFA1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 65535$udp
                                                                                    • API String ID: 0-1267037602
                                                                                    • Opcode ID: b409bfe0d09d484da8fabb4d62549d3234352b23e85b60f004d1f8e824130235
                                                                                    • Instruction ID: 6d1f0eab1bad87890b157236b680b131713d7d773ab4ff91de917938b3b84022
                                                                                    • Opcode Fuzzy Hash: b409bfe0d09d484da8fabb4d62549d3234352b23e85b60f004d1f8e824130235
                                                                                    • Instruction Fuzzy Hash: AA71E7766043458FD340CF68E856F6BB7E0EF95380F84452EF886872A2DB75D944CBA2
                                                                                    APIs
                                                                                    • curl_maprintf.LIBCURL(<%s>,?), ref: 10030F6D
                                                                                    • curl_maprintf.LIBCURL(100568E8,?), ref: 10030F97
                                                                                    • curl_maprintf.LIBCURL(%I64d,?,00000000), ref: 10030FFC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_maprintf
                                                                                    • String ID: %I64d$<%s>$MAIL FROM:%s$MAIL FROM:%s AUTH=%s$MAIL FROM:%s AUTH=%s SIZE=%s$MAIL FROM:%s SIZE=%s
                                                                                    • API String ID: 3307269620-658513215
                                                                                    • Opcode ID: 131071a37d5de2794967ce3c7dac59bd60dbae14f98ec43817c0d459c1dbe992
                                                                                    • Instruction ID: f211870449449c263ed188032e2c7b0a780304c0d9802b5f0325c5d3b1a87446
                                                                                    • Opcode Fuzzy Hash: 131071a37d5de2794967ce3c7dac59bd60dbae14f98ec43817c0d459c1dbe992
                                                                                    • Instruction Fuzzy Hash: C141E8B1505285AFE332DB54EC84ADB73FCEB49287F01053AFA05DE201E7B2D958CA61
                                                                                    APIs
                                                                                    • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(labelPlayTime,?,?), ref: 00FFC358
                                                                                    • _strftime.LIBCMT ref: 00FFC3B2
                                                                                    • ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(00000000), ref: 00FFC3D9
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPlay,00000001), ref: 00FFC3EE
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPause,00000000), ref: 00FFC3F9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@$Base@ImplShowWindowWindow@$ControlControl@FindI@2@ManagerPaintProgressValue@_strftime
                                                                                    • String ID: 00:00:00/%X$btnPause$btnPlay$labelPlayTime
                                                                                    • API String ID: 827822990-879858253
                                                                                    • Opcode ID: 6c56965948015b249c43696d05a5ddbe547b899fb54fada222a9308d3ca28784
                                                                                    • Instruction ID: d6702caad39b3dc418fad2ac393c98a264e2890333ce1d2dcb58b3296ae8a096
                                                                                    • Opcode Fuzzy Hash: 6c56965948015b249c43696d05a5ddbe547b899fb54fada222a9308d3ca28784
                                                                                    • Instruction Fuzzy Hash: 07319271F0132D9BCB24DB54D9C5BBAB3B8EF04710F0045AAA945AB290DB74AD44CB91
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,10064278,0000000C,100463E2,00000000,00000000,?,?,?,00000000), ref: 100462E2
                                                                                    • GetProcAddress.KERNEL32(?,EncodePointer), ref: 10046316
                                                                                    • GetProcAddress.KERNEL32(?,DecodePointer), ref: 10046326
                                                                                    • InterlockedIncrement.KERNEL32(10066540), ref: 10046348
                                                                                    • __lock.LIBCMT ref: 10046350
                                                                                    • ___addlocaleref.LIBCMT ref: 1004636F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                                                                                    • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                                    • API String ID: 1036688887-2843748187
                                                                                    • Opcode ID: 05662dc8276241849e6454cb8feef32ecb89a35ccd40271b98eb5a6510d10f66
                                                                                    • Instruction ID: 5ef0d2ef58c425d03030b0a0e7220f3e293c7d3a3ba738c285c4718fd3a34add
                                                                                    • Opcode Fuzzy Hash: 05662dc8276241849e6454cb8feef32ecb89a35ccd40271b98eb5a6510d10f66
                                                                                    • Instruction Fuzzy Hash: B3118F74800B41DEE710CF75CD55B9ABBE1EF08311F204429E995D3251DB75E900CB59
                                                                                    APIs
                                                                                    • IsWindow.USER32(00000001), ref: 0101470A
                                                                                    • ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(00000001,010C8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01014734
                                                                                    • ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU(?,?,?,?,?,?,?,?,?,0111E7C0,010BABB4,000000FF,?,010089C9,00000001,00000001), ref: 0101473C
                                                                                    • ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU(?,?,?,?,?,?,?,?,?,0111E7C0,010BABB4,000000FF,?,010089C9,00000001,00000001), ref: 01014744
                                                                                    • PostMessageW.USER32(00000001,00000404,00000000,00000000), ref: 0101476A
                                                                                    • IsWindow.USER32 ref: 010147E0
                                                                                    • ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(00000001,010C8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0101480A
                                                                                    • ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU(?,?,?,?,?,?,?,?,?,0111E7C0,010BABB4,000000FF), ref: 01014812
                                                                                    • ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU(?,?,?,?,?,?,?,?,?,0111E7C0,010BABB4,000000FF), ref: 0101481A
                                                                                    • SendMessageW.USER32(00000001,00000403,00000000,00000000), ref: 01014832
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Lib@@Wnd@$CenterCreate@D__@@MessageModal@ShowU__@@@Window@$PostSend
                                                                                    • String ID:
                                                                                    • API String ID: 99327597-0
                                                                                    • Opcode ID: db71d51e17fbe58d67bcf4fba6e75a9c479322e2cabbfe0b6d649bdde3d29008
                                                                                    • Instruction ID: 492f2a3189555bc460f3d3ee438aa3e40aeb6af45347060784982524feda19ab
                                                                                    • Opcode Fuzzy Hash: db71d51e17fbe58d67bcf4fba6e75a9c479322e2cabbfe0b6d649bdde3d29008
                                                                                    • Instruction Fuzzy Hash: 0F811471E00208EFEB35DF68D848BAEBBF5EB48710F044269E4A2A72D5DB795944CF40
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,CHttpClientT::_ProceedUploadContext: nDesired can not be zero.,00000000,CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.,00000000,CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.,00000000,CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.,00000000,00000068), ref: 00FAA597
                                                                                    Strings
                                                                                    • CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL., xrefs: 00FAA57F
                                                                                    • CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL., xrefs: 00FAA567
                                                                                    • CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL., xrefs: 00FAA573
                                                                                    • CHttpClientT::_ProceedUploadContext: nDesired can not be zero., xrefs: 00FAA10A
                                                                                    • CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL., xrefs: 00FAA0E6
                                                                                    • CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL., xrefs: 00FAA0F2
                                                                                    • CHttpPostStatT::PostedFileCount: The post context is not active., xrefs: 00FA36EC
                                                                                    • CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL., xrefs: 00FAA0FE
                                                                                    • CHttpClientT::_ProceedUploadContext: nDesired can not be zero., xrefs: 00FAA58B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.$CHttpClientT::_ProceedUploadContext: nDesired can not be zero.$CHttpClientT::_ProceedUploadContext: nDesired can not be zero.$CHttpPostStatT::PostedFileCount: The post context is not active.
                                                                                    • API String ID: 1452528299-2067851693
                                                                                    • Opcode ID: 984c2d49ea4941bd1f01ab7138c9b16204b43076758968d976daf3b5fc9bd293
                                                                                    • Instruction ID: bdd5f163c1a28eca1f25f98038133ed32a806d13014afa6994e664e18be59421
                                                                                    • Opcode Fuzzy Hash: 984c2d49ea4941bd1f01ab7138c9b16204b43076758968d976daf3b5fc9bd293
                                                                                    • Instruction Fuzzy Hash: 3D41D6F1F00200AFDB14EBA5CC46BADB2A4BF46714F08412DB91596281DF796908EBA6
                                                                                    Strings
                                                                                    • In state %d with no easy_conn, bail out!, xrefs: 1002559B
                                                                                    • Resolving timed out after %ld milliseconds, xrefs: 10024615
                                                                                    • Connection timed out after %ld milliseconds, xrefs: 1002464B
                                                                                    • Operation timed out after %ld milliseconds with %I64d bytes received, xrefs: 100246D7
                                                                                    • Operation timed out after %ld milliseconds with %I64d out of %I64d bytes received, xrefs: 1002469E
                                                                                    • Pipe broke: handle %p, url = %s, xrefs: 1002450A
                                                                                    • *, xrefs: 10025509
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_mvsnprintf
                                                                                    • String ID: *$Connection timed out after %ld milliseconds$In state %d with no easy_conn, bail out!$Operation timed out after %ld milliseconds with %I64d bytes received$Operation timed out after %ld milliseconds with %I64d out of %I64d bytes received$Pipe broke: handle %p, url = %s$Resolving timed out after %ld milliseconds
                                                                                    • API String ID: 3418963191-1841828401
                                                                                    • Opcode ID: df62d14b576ff3cf8eb16a625f49c576e2ea58dd4a662ad59aee8e93d1237b0f
                                                                                    • Instruction ID: 49755a093766c60c55fbb580713a0092e2d87b69aa5e620f8242ab401be9d386
                                                                                    • Opcode Fuzzy Hash: df62d14b576ff3cf8eb16a625f49c576e2ea58dd4a662ad59aee8e93d1237b0f
                                                                                    • Instruction Fuzzy Hash: 63B1F4B5600B009BD320DF29EC81A6BB3F9EF85744F81491DF99A87242DB35F941CB66
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: tcp$udp
                                                                                    • API String ID: 0-3725065008
                                                                                    • Opcode ID: 9be5e60bd259f62cc24839d229f231fc1ff00582ac1960fb4f5645561a0dee7c
                                                                                    • Instruction ID: f59a3249091dafefc22dc87a99e8e711e8f9320bc6db2a49fe37820c28644d7d
                                                                                    • Opcode Fuzzy Hash: 9be5e60bd259f62cc24839d229f231fc1ff00582ac1960fb4f5645561a0dee7c
                                                                                    • Instruction Fuzzy Hash: 2C81D632A04B158FC750DF18E840AABB7E4EFC4750FD2892AF98487261E735ED45C7A2

APIs
• HttpAddRequestHeadersA.WININET(?,?,?,20000000), ref: 00F9E4E7
• GetLastError.KERNEL32(00000000,?,000000FF,?,00FA302E), ref: 00F9E53D
Strings
• CHttpToolA::AddHeader: hRequest can not be NULL., xrefs: 00F9E516
• CHttpToolW::AddHeader: hRequest can not be NULL., xrefs: 00F9E626
• CHttpToolW::AddHeader: szName can not be NULL., xrefs: 00F9E634
• CHttpToolA::AddHeader: szName can not be NULL., xrefs: 00F9E522
• CHttpToolW::AddHeader: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter., xrefs: 00F9E618
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: ErrorHeadersHttpLastRequest
• String ID: CHttpToolA::AddHeader: hRequest can not be NULL.$CHttpToolA::AddHeader: szName can not be NULL.$CHttpToolW::AddHeader: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.$CHttpToolW::AddHeader: hRequest can not be NULL.$CHttpToolW::AddHeader: szName can not be NULL.
• API String ID: 2189517503-3693341011
• Opcode ID: ddba09a01b0cf787bcb71eb261a9403ce3f11622af5444e8efa4abe9db221fae
• Instruction ID: 161a3b4528eee62394335888ebe16cdf4eab941a2772f388976d3085634ae7df
• Opcode Fuzzy Hash: ddba09a01b0cf787bcb71eb261a9403ce3f11622af5444e8efa4abe9db221fae
• Instruction Fuzzy Hash: 8F8139B0E002069FEF10DF64DC05BBFBBB9EF11B04F144168E855AB281E776A905DBA1

Strings
• Couldn't parse CURLOPT_RESOLVE removal entry '%s'!, xrefs: 100023CC
• Added %s:%d:%s to DNS cache, xrefs: 10002568
• %255[^:]:%d, xrefs: 100023B6
• Address in '%s' found illegal!, xrefs: 100024A6
• Couldn't parse CURLOPT_RESOLVE entry '%s'!, xrefs: 10002475
• %255[^:]:%d:%255s, xrefs: 1000245F
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: _sscanf
• String ID: %255[^:]:%d$%255[^:]:%d:%255s$Added %s:%d:%s to DNS cache$Address in '%s' found illegal!$Couldn't parse CURLOPT_RESOLVE entry '%s'!$Couldn't parse CURLOPT_RESOLVE removal entry '%s'!
• API String ID: 1142741230-1569438842
• Opcode ID: 2fc8b8d94d5e8bb29f074860f620a8482887dbe7e1bc0cc2a434aa722161170b
• Instruction ID: 2ca43578d65898f2b6ae9394c8243d65f1c78535a641ac5046a9eb6a4484835c
• Opcode Fuzzy Hash: 2fc8b8d94d5e8bb29f074860f620a8482887dbe7e1bc0cc2a434aa722161170b
• Instruction Fuzzy Hash: 8A51F4B6404B419BE310DB14DC52BAB73E9EF84385F148919F84593246FB75FA09CBA2

Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: _sscanf
• String ID: %15[^?&/:]://%c$Disables POST, goes with %s$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET
• API String ID: 1142741230-1733921125
• Opcode ID: af71a929f785ab323b8d78c8d0b9e551292336c49cc7bad27236d2edc7dec8ac
• Instruction ID: 9a41ce928ea4314cf4b49969c525a0c77b1058752023869ded316fd30e186279
• Opcode Fuzzy Hash: af71a929f785ab323b8d78c8d0b9e551292336c49cc7bad27236d2edc7dec8ac
• Instruction Fuzzy Hash: F261B3B59047418BD760EF349C8179BB7E0EB48341F40092FE55ACB242DB75E9C8CB52

Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID:
• String ID: ../$/..$/../$/./
• API String ID: 0-456519384
• Opcode ID: afcebf11090e6fe32e70f3882eb7061e8326062afb904995c370e62d1a14d785
• Instruction ID: 42f165e3608ad903482e023919d8ccf070f40d1b86ab0bc6fefc86a022a7d94a
• Opcode Fuzzy Hash: afcebf11090e6fe32e70f3882eb7061e8326062afb904995c370e62d1a14d785
• Instruction Fuzzy Hash: 18512AA5A043DA5FEB12DB24EC447573BD9EB45286F19C474ED408F342F7669A0C8393

APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 010003AF
  • Part of subcall function 01053E56: RaiseException.KERNEL32(?,?,B69A1A1E,?,?,?,?,?,?,00FD56AD,80004005,B69A1A1E), ref: 01053EB6
• ??0CContainerUI@DuiLib@@QAE@XZ.YCOMUIU(B69A1A1E,?,?,00000000), ref: 01000412
• ??0CDialogBuilder@DuiLib@@QAE@XZ.YCOMUIU ref: 0100043C
  • Part of subcall function 00FD3870: FindResourceW.KERNEL32(00000000,00000100,00000006,000000FF), ref: 00FD38B2
• ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,010D47B0,?,?,.xml,00000004,ConverCtrl), ref: 010004EE
• ?Add@CContainerUI@DuiLib@@UAE_NPAVCControlUI@2@@Z.YCOMUIU(00000000,?,00000000,010D47B0,?,?,.xml,00000004,ConverCtrl), ref: 0100053D
• ??1CMarkup@DuiLib@@QAE@XZ.YCOMUIU(?,00000000,010D47B0,?,?,.xml,00000004,ConverCtrl), ref: 01000557
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Lib@@$Dialog$Builder@ContainerControlI@2@$Add@BuilderCallback@2@Create@D@2@ExceptionException@8FindI@2@@ManagerMarkup@PaintRaiseResourceThrowV32@@
• String ID: .xml$ConverCtrl
• API String ID: 1872500732-3714082515
• Opcode ID: 706691af0592bd9476ed7da0e3420934d01c21dadc2fa2242842767ced1eefa9
• Instruction ID: 133b3e7d69cb2c5c8b6fb383122f86ea4f25c4cd90dfa8ce4108e0034b950a1a
• Opcode Fuzzy Hash: 706691af0592bd9476ed7da0e3420934d01c21dadc2fa2242842767ced1eefa9
• Instruction Fuzzy Hash: A4515770A003199FDB24DF68CD45BDEBBF4FF16314F104299A899A7280DB765A84CF91

APIs
• WaitForSingleObject.KERNEL32(00000000,00000000,B69A1A1E,6C414B50,0112161C,00000000,010BE838,000000FF,?,01006577,FFFFFFFF,00000000,?,769523D0,?), ref: 01026490
• CloseHandle.KERNEL32(00000000,?,01006577,FFFFFFFF,00000000,?,769523D0,?), ref: 010264A4
• PathFileExistsW.SHLWAPI(?,769523D0), ref: 010264DE
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,0000000A), ref: 01026528
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: CloseExecuteExistsFileHandleObjectPathShellSingleWait
• String ID: EasePaintSetup.exe$SGFzVXBkYXRl$VXBkYXRpbmc=$open
• API String ID: 544071753-1735040884
• Opcode ID: 1bbb836da01b5e97af0b04e26116f5c4ebc1aea705705c6b1251e394d42daadd
• Instruction ID: 85bea104f24e5374e58039f7df9520af2883179bc31ba80e433950963c816104
• Opcode Fuzzy Hash: 1bbb836da01b5e97af0b04e26116f5c4ebc1aea705705c6b1251e394d42daadd
• Instruction Fuzzy Hash: 8A419071A00718AFDB20DF69CC46B99BBB5FB05720F10835DF855AB2C0EB76A6048B91

APIs
• ??0CContainerUI@DuiLib@@QAE@XZ.YCOMUIU(B69A1A1E,?,?,00000000), ref: 01000412
• ??0CDialogBuilder@DuiLib@@QAE@XZ.YCOMUIU ref: 0100043C
  • Part of subcall function 00FD3870: FindResourceW.KERNEL32(00000000,00000100,00000006,000000FF), ref: 00FD38B2
• ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,010D47B0,?,?,.xml,00000004,ConverCtrl), ref: 010004EE
• ?Add@CContainerUI@DuiLib@@UAE_NPAVCControlUI@2@@Z.YCOMUIU(00000000,?,00000000,010D47B0,?,?,.xml,00000004,ConverCtrl), ref: 0100053D
• ?RemoveAll@CContainerUI@DuiLib@@UAEX_N@Z.YCOMUIU(00000001,?,00000000,010D47B0,?,?,.xml,00000004,ConverCtrl), ref: 01000547
• ??1CMarkup@DuiLib@@QAE@XZ.YCOMUIU(?,00000000,010D47B0,?,?,.xml,00000004,ConverCtrl), ref: 01000557
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Lib@@$ContainerDialog$Builder@ControlI@2@$Add@All@BuilderCallback@2@Create@D@2@FindI@2@@ManagerMarkup@PaintRemoveResourceV32@@
• String ID: .xml$ConverCtrl
• API String ID: 3263322241-3714082515
• Opcode ID: 344a93e9f51c1b15aa939db8b8b9ab8bd0da9f1b31932698f0cb56ff4c86c76c
• Instruction ID: abdb3c2a598ef164c0fd9c9e66e60b87d9c5b12bd65b65988cfb55793c4cd397
• Opcode Fuzzy Hash: 344a93e9f51c1b15aa939db8b8b9ab8bd0da9f1b31932698f0cb56ff4c86c76c
• Instruction Fuzzy Hash: 62517770A007189FDB24CF68CD49BDABBB4FF05310F104299A899A7281DB765A84CF91

APIs
• ??0CContainerUI@DuiLib@@QAE@XZ.YCOMUIU(B69A1A1E), ref: 010005E2
• ??0CDialogBuilder@DuiLib@@QAE@XZ.YCOMUIU ref: 0100060C
  • Part of subcall function 00FD3870: FindResourceW.KERNEL32(00000000,00000100,00000006,000000FF), ref: 00FD38B2
• ?Create@CDialogBuilder@DuiLib@@QAEPAVCControlUI@2@VSTRINGorID@2@PB_WPAVIDialogBuilderCallback@2@PAVCPaintManagerUI@2@PAV32@@Z.YCOMUIU(?,00000000,00000000,010D47B0,00000000,.xml,00000004,HomeCtrl), ref: 01000699
• ?Add@CContainerUI@DuiLib@@UAE_NPAVCControlUI@2@@Z.YCOMUIU(00000000,?,00000000,00000000,010D47B0,00000000,.xml,00000004,HomeCtrl), ref: 010006E8
• ?RemoveAll@CContainerUI@DuiLib@@UAEX_N@Z.YCOMUIU(00000001,?,00000000,00000000,010D47B0,00000000,.xml,00000004,HomeCtrl), ref: 010006F2
• ??1CMarkup@DuiLib@@QAE@XZ.YCOMUIU(?,00000000,00000000,010D47B0,00000000,.xml,00000004,HomeCtrl), ref: 01000702
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Lib@@$ContainerDialog$Builder@ControlI@2@$Add@All@BuilderCallback@2@Create@D@2@FindI@2@@ManagerMarkup@PaintRemoveResourceV32@@
• String ID: .xml$HomeCtrl
• API String ID: 3263322241-172366358
• Opcode ID: fd8ed64efb35c69064b1c114f920f82f157d9afdbd75b0c7d7c2bd8b694a1662
• Instruction ID: 41f3c70481e73b825f89a0cc0e8368cc6f0b92e6251317024a868fd9ab13a4c9
• Opcode Fuzzy Hash: fd8ed64efb35c69064b1c114f920f82f157d9afdbd75b0c7d7c2bd8b694a1662
• Instruction Fuzzy Hash: E6417970A007199FDB24DF68CD05BDABBB4FF4A310F104299E899A7381DB765A44CF91
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ALL_PROXY$_proxy$all_proxy$http_proxy
                                                                                    • API String ID: 0-1845912879
                                                                                    • Opcode ID: 4858457a750de762ef6e6febca9b77d9ddca4ea65d211f3f2e86765e461edbb8
                                                                                    • Instruction ID: 115902790af7d790a56c894499ce2e6d71174a6a050b84efb2a626d2bfe85bad
                                                                                    • Opcode Fuzzy Hash: 4858457a750de762ef6e6febca9b77d9ddca4ea65d211f3f2e86765e461edbb8
                                                                                    • Instruction Fuzzy Hash: 6821A5B96083815BD710DB24AC42BAA77E4EF58244F45486CFDC98B342FA30F549D762
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32 ref: 00FAE344
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,80000000,00000000,00000000,00000000,00000000), ref: 00FAE3AF
                                                                                    • HeapAlloc.KERNEL32(?,00000000,00000000), ref: 00FAE3BF
                                                                                    • SetLastError.KERNEL32(00000008), ref: 00FAE3D2
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00FAE3EF
                                                                                    • GetLastError.KERNEL32 ref: 00FAE3F9
                                                                                    • HeapFree.KERNEL32(?,00000000,?), ref: 00FAE409
                                                                                    • SetLastError.KERNEL32(00000000), ref: 00FAE410
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorHeapLast$ByteCharMultiWide$AllocFreeProcess
                                                                                    • String ID:
                                                                                    • API String ID: 1914750029-0
                                                                                    • Opcode ID: ba8119f2fbd29b335e41753e32a5cb19d8f3f59abbeaba13f9d361db7b5f2e7c
                                                                                    • Instruction ID: 02a93c46b7c210e8c09fdf9966a49f77734cc2d497d7dcc119eae8e5cac18035
                                                                                    • Opcode Fuzzy Hash: ba8119f2fbd29b335e41753e32a5cb19d8f3f59abbeaba13f9d361db7b5f2e7c
                                                                                    • Instruction Fuzzy Hash: 5F31B676740305AFEB304B59AC44B697BA9EB86772F144125FA09DB3C0D766DC005B64
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32 ref: 00FAE484
                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,80000000,00000000,00000000,00000000,00000000), ref: 00FAE4F2
                                                                                    • HeapAlloc.KERNEL32(?,00000000,00000000), ref: 00FAE502
                                                                                    • SetLastError.KERNEL32(00000008), ref: 00FAE515
                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00FAE535
                                                                                    • GetLastError.KERNEL32 ref: 00FAE53F
                                                                                    • HeapFree.KERNEL32(?,00000000,?), ref: 00FAE54F
                                                                                    • SetLastError.KERNEL32(00000000), ref: 00FAE556
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorHeapLast$ByteCharMultiWide$AllocFreeProcess
                                                                                    • String ID:
                                                                                    • API String ID: 1914750029-0
                                                                                    • Opcode ID: 53406b27a62c9d1f3c3d1fb59cc2173ddb9e7d7de96cd0e3e5d5504c4d3cc20a
                                                                                    • Instruction ID: e6b3060c14f69e07ec402d0298e56239e4ed173f3b877db02313332e8f3327c0
                                                                                    • Opcode Fuzzy Hash: 53406b27a62c9d1f3c3d1fb59cc2173ddb9e7d7de96cd0e3e5d5504c4d3cc20a
                                                                                    • Instruction Fuzzy Hash: E231E876740205AFE7309B5CEC04BA677AAEB8A776F184125FA09DB3C0DB66DC005B60
                                                                                    APIs
                                                                                    • ?SetValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(?,?,00000001,B69A1A1E), ref: 00FF632B
                                                                                    • ?SetMaxValue@CProgressUI@DuiLib@@QAEXH@Z.YCOMUIU(?), ref: 00FF633D
                                                                                    • ?SetDlgItemTextW@WindowImplBase@DuiLib@@QAEHPB_W0@Z.YCOMUIU(txtMaxEraserSize,00000000), ref: 00FF63B7
                                                                                    • ?CheckDlgButton@WindowImplBase@DuiLib@@QAEHPB_W_N@Z.YCOMUIU(optSelectWhiteWatermark,?), ref: 00FF63CA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@$Base@ImplProgressValue@Window$Button@CheckItemText
                                                                                    • String ID: EraserSize$optSelectWhiteWatermark$txtMaxEraserSize
                                                                                    • API String ID: 1793807238-3372194902
                                                                                    • Opcode ID: a492a6b77d73865489843b2701590a20c0ddb0ba072df202b10aa635e9a339a7
                                                                                    • Instruction ID: 1e6b2937dda5778fb588725e29890c74f1446e5f1cf174053048d8aa3f189d03
                                                                                    • Opcode Fuzzy Hash: a492a6b77d73865489843b2701590a20c0ddb0ba072df202b10aa635e9a339a7
                                                                                    • Instruction Fuzzy Hash: CFD150709006099FD714CF59C884B69B7F5FF48324F1882A9E9599B3A6DB75EC40CFA0
                                                                                    APIs
                                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 00FDC19D
                                                                                    • CallWindowProcW.USER32(?,?,?,00000000,00000000), ref: 00FDC246
                                                                                    • GetWindowLongW.USER32(?,000000FC), ref: 00FDC25A
                                                                                    • CallWindowProcW.USER32(?,?,00000082,00000000,00000000), ref: 00FDC270
                                                                                    • GetWindowLongW.USER32(?,000000FC), ref: 00FDC289
                                                                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 00FDC298
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Long$CallProc$InvalidateRect
                                                                                    • String ID: $
                                                                                    • API String ID: 1142338884-3993045852
                                                                                    • Opcode ID: 2211366e6b5ee5ae08ea008894babbc2770c842c849750572eac3417adb8b692
                                                                                    • Instruction ID: 3cf51862e7c950b6f1d251e9259cbcc807a6cb27552c22da01a2fe172c63fdd3
                                                                                    • Opcode Fuzzy Hash: 2211366e6b5ee5ae08ea008894babbc2770c842c849750572eac3417adb8b692
                                                                                    • Instruction Fuzzy Hash: 0A91A031A0060ADFCB20CF58C984AABB7F6FF88314F14866AE88597341D732E945DBD0
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,00000020,%ld,?), ref: 10019C3E
                                                                                    • curl_msnprintf.LIBCURL(?,00000020,.%ld), ref: 10019C8A
                                                                                    • _sprintf.LIBCMT ref: 10019CF3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_msnprintf$_sprintf
                                                                                    • String ID: %$%ld$-$.%ld
                                                                                    • API String ID: 2394090773-3288194552
                                                                                    • Opcode ID: c44fc6321f2d7b8eab93f481d81de8b0487b0a961eec9491e8b64331340c96f4
                                                                                    • Instruction ID: 3299c2ed50ca3ece4371f56830782219ab7b1d8b59d426bb1256fe50b49d6e67
                                                                                    • Opcode Fuzzy Hash: c44fc6321f2d7b8eab93f481d81de8b0487b0a961eec9491e8b64331340c96f4
                                                                                    • Instruction Fuzzy Hash: 9151F3B19087C59BE361DF24C98579ABBD0EF85344F100D2CDECA97292E3799984C792
                                                                                    APIs
                                                                                    • ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(0000040A,00000000,00000001,?), ref: 00FFE4F0
                                                                                    • SendMessageW.USER32(00000000), ref: 00FFE4F7
                                                                                    • PathFindFileNameW.SHLWAPI(?,?), ref: 00FFE53A
                                                                                    • PathFindExtensionW.SHLWAPI(?,00000000), ref: 00FFE550
                                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,B69A1A1E), ref: 00FFE5FD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFindPath$CopyD__@@ExtensionLib@@MessageNameSendWindowWnd@
                                                                                    • String ID: %s%s$%s_%d%s
                                                                                    • API String ID: 222731410-3529308290
                                                                                    • Opcode ID: 5c521bf6664239ff63c0c932aa7204991691d0512933281c17b88dc87eff57cd
                                                                                    • Instruction ID: f258895b0127b671b59f0a67710b9bd99e884ceb78b791a9cc7070590c065bae
                                                                                    • Opcode Fuzzy Hash: 5c521bf6664239ff63c0c932aa7204991691d0512933281c17b88dc87eff57cd
                                                                                    • Instruction Fuzzy Hash: 5151D131A00249EFDB24DBA4CD4AFEEF7B5EF14304F14406CE541A72A1DB7A6A04EB91
                                                                                    APIs
                                                                                    • htons.WS2_32(?), ref: 1001AFBE
                                                                                    • htons.WS2_32(?), ref: 1001AFCF
                                                                                    • send.WS2_32(?,?,00000003,00000000), ref: 1001B05C
                                                                                    • WSAGetLastError.WS2_32 ref: 1001B068
                                                                                    • send.WS2_32(?,?,00000002,00000000), ref: 1001B0A4
                                                                                    • WSAGetLastError.WS2_32 ref: 1001B0AA
                                                                                      • Part of subcall function 1000A8C0: curl_mvsnprintf.LIBCURL(?,00000100,?,?,?), ref: 1000A8F6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLasthtonssend$curl_mvsnprintf
                                                                                    • String ID: Sending data failed (%d)
                                                                                    • API String ID: 466726341-2319402659
                                                                                    • Opcode ID: 6d8229b8809643e1fa72d76396bd346e77a3f70b70c034b735ccbdbf6064d6fe
                                                                                    • Instruction ID: cd003a8fc54c01b935394a5324f8d50c6e307e574bc16261718028e6caed739e
                                                                                    • Opcode Fuzzy Hash: 6d8229b8809643e1fa72d76396bd346e77a3f70b70c034b735ccbdbf6064d6fe
                                                                                    • Instruction Fuzzy Hash: 7641E6715043869FD712CF28CC81A9ABBE5EF5A324F250654F998CF281E731EC94CB61
                                                                                    APIs
                                                                                    • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000064), ref: 1001B8F8
                                                                                    • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 1001B977
                                                                                    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 1001B99F
                                                                                    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 1001B9E5
                                                                                    • WSAGetLastError.WS2_32 ref: 1001BA30
                                                                                    • WSAGetLastError.WS2_32 ref: 1001BB38
                                                                                    • FreeLibrary.KERNEL32(?), ref: 1001BB52
                                                                                    • GetLastError.KERNEL32 ref: 1001BB5C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$FileRead$FreeLibraryMultipleNamedObjectsPeekPipeWait
                                                                                    • String ID: FreeLibrary(wsock2) failed (%u)$Time-out$WSACloseEvent failed (%d)
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: V,P$easy handle already used in multi handle
                                                                                    APIs
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPlay,00000000,?,?,?,01007F7C,000000FF,000000FF,?,?,?,?,?,B69A1A1E), ref: 0102E240
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPause,00000001,?,?,?,01007F7C,000000FF,000000FF,?,?,?,?,?,B69A1A1E), ref: 0102E24F
                                                                                    • WaitForSingleObject.KERNEL32(?,00003A98), ref: 0102E297
                                                                                    • CloseHandle.KERNEL32(?), ref: 0102E2A5
                                                                                    • CreateThread.KERNEL32(00000000,00000000,0102E310,?,00000000,?), ref: 0102E2FD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Base@ImplLib@@ShowWindowWindow@$CloseCreateHandleObjectSingleThreadWait
                                                                                    • String ID: btnPause$btnPlay
                                                                                    APIs
                                                                                      • Part of subcall function 1000A830: curl_mvsnprintf.LIBCURL(?,00000801,?,?,00000000), ref: 1000A873
                                                                                    • _strtol.LIBCMT ref: 10029149
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: _strtolcurl_mvsnprintf
                                                                                    • String ID: %s (%d) %s (%d)$blksize$blksize parsed from OACK$got option=(%s) value=(%s)$requested
                                                                                    APIs
                                                                                    • curl_maprintf.LIBCURL(%s%s%s%s%s%s%I64d%s%s,#HttpOnly_,100559C1,00006272,FALSE,223D656D,; filena,2D2D0A0D,2D2D7325,6966203B,616E656C,?,10055840), ref: 10005BC5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: curl_maprintf
                                                                                    • String ID: #HttpOnly_$%s%s%s%s%s%s%I64d%s%s$; filena$FALSE$TRUE$unknown
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(USER32.DLL), ref: 00FD0648
                                                                                    • GetProcAddress.KERNEL32(00000000,UpdateLayeredWindow), ref: 00FD0654
                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00FD06B9
                                                                                    • RegisterClassExW.USER32(00000030), ref: 00FD06E3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AddressClassCursorHandleLoadModuleProcRegister
                                                                                    • String ID: 0$USER32.DLL$UpdateLayeredWindow
                                                                                    APIs
                                                                                    • ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(0000040A,00000000,?,?,?), ref: 00FFC7B2
                                                                                    • SendMessageW.USER32(00000000,?,?), ref: 00FFC7B9
                                                                                    • MessageBeep.USER32(00000040), ref: 00FFC82C
                                                                                    • MessageBeep.USER32(00000040), ref: 00FFC9E0
                                                                                    • ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(0000040A,00000001,?), ref: 00FFCA20
                                                                                    • SendMessageW.USER32(00000000), ref: 00FFCA27
                                                                                    • ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(0000040A,00000000,?,?,?,?), ref: 00FFCA46
                                                                                    • SendMessageW.USER32(00000000,?,?,?), ref: 00FFCA4D
                                                                                      • Part of subcall function 00FB07C0: RaiseException.KERNEL32(00000000,00000000,00000000,00000000,?,01034D65,C000008C,00000001,?,01034E4B,00000000,?,00FC5167,00000000,00000000,00000000), ref: 00FB07CD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Message$D__@@Lib@@SendWindowWnd@$Beep$ExceptionRaise
                                                                                    • String ID:
                                                                                    APIs
                                                                                    • ??0CDuiRect@DuiLib@@QAE@HHHH@Z.YCOMUIU(00000000,00000000,?,?), ref: 00FD8143
                                                                                    • GdipGetImageWidth.GDIPLUS(?,?), ref: 00FD815A
                                                                                    • GdipGetImageHeight.GDIPLUS(?,00000000,?,?), ref: 00FD819F
                                                                                    • ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU(?,00000000,?,?), ref: 00FD81D5
                                                                                    • ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00FD81FE
                                                                                    • GdipGetImageHeight.GDIPLUS(?,?), ref: 00FD8278
                                                                                    • GdipGetImageWidth.GDIPLUS(?,00000000,?,?), ref: 00FD8295
                                                                                    • GdipDrawImageRectRect.GDIPLUS(?,?), ref: 00FD830E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: GdipImage$Lib@@Rect@$HeightRectWidth$DrawHeight@Width@
                                                                                    • String ID:
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: _strncmp
                                                                                    • String ID: I32$I64
                                                                                    Strings
                                                                                    • After %ldms connect time, move on!, xrefs: 10022115
                                                                                    • Connection failed, xrefs: 100221BE
                                                                                    • Connection time-out, xrefs: 10022081
                                                                                    • Failed to connect to %s port %ld: %s, xrefs: 10022393
                                                                                    • connect to %s port %ld failed: %s, xrefs: 10022212
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: After %ldms connect time, move on!$Connection failed$Connection time-out$Failed to connect to %s port %ld: %s$connect to %s port %ld failed: %s
                                                                                    • API String ID: 0-885759404
                                                                                    • Opcode ID: 64ab9c361a7a4f3eb4f62dbb922babf3a62643a46aab62bc8fa6dd9f0a594c33
                                                                                    • Instruction ID: 55706b30957750f0c55d8963d72aa5d3c660273dd45b1b94f9c4c3781346899f
                                                                                    • Opcode Fuzzy Hash: 64ab9c361a7a4f3eb4f62dbb922babf3a62643a46aab62bc8fa6dd9f0a594c33
                                                                                    • Instruction Fuzzy Hash: 4BB1B2B5A04301AFD704CF64E881BABB3E5FF89348F804A1DFA5993281D735B955CB92
                                                                                    APIs
                                                                                    • ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00FE002C
                                                                                    • ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00FE0039
                                                                                    • ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00FE0045
                                                                                    • ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00FE0052
                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00FE03EA
                                                                                    • SetCursor.USER32(00000000,?,C000008C,00000001), ref: 00FE03F1
                                                                                    • InvalidateRect.USER32(?,00000000,00000000,?,C000008C,00000001), ref: 00FE03FE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@Rect@$CursorHeight@Width@$InvalidateLoadRect
                                                                                    • String ID:
                                                                                    • API String ID: 2894228844-0
                                                                                    • Opcode ID: 8909bc489e6f967ea87bdb75637f7e24674691cac4b17434a47eb32a91f0426a
                                                                                    • Instruction ID: 7a8032643f7a2a6cdd2df61816e04f80dc8ca34940aabc815d42b120c7cd1406
                                                                                    • Opcode Fuzzy Hash: 8909bc489e6f967ea87bdb75637f7e24674691cac4b17434a47eb32a91f0426a
                                                                                    • Instruction Fuzzy Hash: EDC15431D20B898FD316CB378485A65F7A0AFA9350B19D75AE445BB1B3EB60E4C5EF00
                                                                                    APIs
                                                                                    Strings
                                                                                    • Can't get the size of %s, xrefs: 10001278
                                                                                    • Can't open %s for writing, xrefs: 10001206
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: __open
                                                                                    • String ID: Can't get the size of %s$Can't open %s for writing
                                                                                    • API String ID: 1936531235-3544860555
                                                                                    • Opcode ID: df9bb851dbf27da45f9c7832da7aeb49c3289626094a0a361c42f9acb1a4a6d9
                                                                                    • Instruction ID: 3ee412fdcf80e8cde2d4f4991b47d93063cbb78c7672250e622aac984760e13d
                                                                                    • Opcode Fuzzy Hash: df9bb851dbf27da45f9c7832da7aeb49c3289626094a0a361c42f9acb1a4a6d9
                                                                                    • Instruction Fuzzy Hash: 2C51A1B5A047009BE314CB24EC81AABB3E9EFC4290F15493DF959C7306E735F9458B96
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strtol
                                                                                    • String ID: bytes$Data conn was not available immediately$Getting file with size: %I64d$Maxdownload = %I64d$RETR response: %03d
                                                                                    • API String ID: 4256861632-3434952757
                                                                                    • Opcode ID: 0dde4525adead16c751336f4b1856e70482fff443d0ecca3f96669bc6eda267e
                                                                                    • Instruction ID: cf173b9a9c8c6cf6ef834a1128a5f6517b540f9076bb7de661dddda9c78c5192
                                                                                    • Opcode Fuzzy Hash: 0dde4525adead16c751336f4b1856e70482fff443d0ecca3f96669bc6eda267e
                                                                                    • Instruction Fuzzy Hash: F551FB719043824BF714DF28EC40799B7E4FF843D1F01453AEC59A7246E7B5AE8987A2
                                                                                    APIs
                                                                                    Strings
                                                                                    • %25, xrefs: 1001174A
                                                                                    • Invalid IPv6 address format, xrefs: 100117C4
                                                                                    • No valid port number in connect to host string (%s), xrefs: 1001184A
                                                                                    • Please URL encode %% as %%25, see RFC 6874., xrefs: 1001175F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strncmp_strtol
                                                                                    • String ID: %25$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.
                                                                                    • API String ID: 1881676863-2404041592
                                                                                    • Opcode ID: 320a987e450b908df1e69688f59c4f03c7722df0f19f03d994674323741a446e
                                                                                    • Instruction ID: 00ea514e83c0471763eacd352b5e708d98e935cf34376c3da4b2f5f00a7f6269
                                                                                    • Opcode Fuzzy Hash: 320a987e450b908df1e69688f59c4f03c7722df0f19f03d994674323741a446e
                                                                                    • Instruction Fuzzy Hash: F75137B6D0C2821AE315CE20AC007E77BE5DF42295F180529ECC58A3C2EB36D9D6C792
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ALL$FLUSH$RELOAD$SESS$Set-Cookie:
                                                                                    • API String ID: 0-1147549499
                                                                                    • Opcode ID: 18585b7c82a33d68bd8506d0f8b5314ed499d6f344ffa06ef39f4f50e5e3b498
                                                                                    • Instruction ID: ab826049ccee9824245a4e78ec73449ad54ec7ccb1b9a794cb8f5263a49b550e
                                                                                    • Opcode Fuzzy Hash: 18585b7c82a33d68bd8506d0f8b5314ed499d6f344ffa06ef39f4f50e5e3b498
                                                                                    • Instruction Fuzzy Hash: 2841396AB4065063E500D618BC43FBF739CDB85726F84017AFD0896242EA6BFE4D41B3
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32 ref: 00FD25D9
                                                                                    • __Init_thread_footer.LIBCMT ref: 00FD2608
                                                                                      • Part of subcall function 01033D26: EnterCriticalSection.KERNEL32(011219F4,?,?,?,00FD405B,0111E7A4,B69A1A1E,?,?,010B26D8,000000FF,?,00FD53DC,B69A1A1E), ref: 01033D31
                                                                                      • Part of subcall function 01033D26: LeaveCriticalSection.KERNEL32(011219F4,?,?,00FD405B,0111E7A4,B69A1A1E,?,?,010B26D8,000000FF,?,00FD53DC,B69A1A1E), ref: 01033D6E
                                                                                    • __Init_thread_footer.LIBCMT ref: 00FD268C
                                                                                    • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(optNoShowAgain,80070057,80070057,?,?), ref: 00FD26B8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalInit_thread_footerSection$ControlControl@EnterFindHeapI@2@LeaveLib@@ManagerPaintProcess
                                                                                    • String ID: .xml$optNoShowAgain
                                                                                    • API String ID: 2721581611-522237678
                                                                                    • Opcode ID: 9289d15544288ebd5715c495872da28f694ef83c788d7bc5de7fa55a36d21993
                                                                                    • Instruction ID: dfc7fb8859bd605db117f49e838907582dd3f4ce898cd0991df2f53a8d86a6f5
                                                                                    • Opcode Fuzzy Hash: 9289d15544288ebd5715c495872da28f694ef83c788d7bc5de7fa55a36d21993
                                                                                    • Instruction Fuzzy Hash: D3516570A01601DFE729DFE8DA49B5EF7E5FB90310F18412DE8559B384EB356900ABD1
                                                                                    APIs
                                                                                    • getSystemCP.LIBCMT ref: 10045A56
                                                                                      • Part of subcall function 100459C3: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 100459D0
                                                                                      • Part of subcall function 100459C3: GetOEMCP.KERNEL32(00000000,?,1004DBFF,?,00000000,7622F380), ref: 100459EA
                                                                                    • setSBCS.LIBCMT ref: 10045A68
                                                                                      • Part of subcall function 10045740: _memset.LIBCMT ref: 10045753
                                                                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,10064238), ref: 10045AAE
                                                                                    • GetCPInfo.KERNEL32(00000000,10045DC0), ref: 10045AC1
                                                                                    • _memset.LIBCMT ref: 10045AD9
                                                                                    • setSBUpLow.LIBCMT ref: 10045BAC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
                                                                                    • String ID:
                                                                                    • API String ID: 2658552758-0
                                                                                    • Opcode ID: f75140ca6c81da247f9df7633ba0f9dc650d894d742ba86de11f8ce4b1abf628
                                                                                    • Instruction ID: 0507ec34745a7c1fdf06d724d525845bea45a37992b0d8beeda3e9e5164cd593
                                                                                    • Opcode Fuzzy Hash: f75140ca6c81da247f9df7633ba0f9dc650d894d742ba86de11f8ce4b1abf628
                                                                                    • Instruction Fuzzy Hash: C451D0709042559FDB15CF64C8806AEBBF4EF05346F24817AD881DF683D7769942CBE8
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(00000000,00000005,%c%c%c%c,00000000,-00000002,-00000002,-00000002), ref: 10001CDE
                                                                                    • curl_msnprintf.LIBCURL(00000000,00000005,%c%c%c=,?,?,?), ref: 10001D0A
                                                                                      • Part of subcall function 10019330: curl_mvsnprintf.LIBCURL(?,?,?,?,1000A784,?,000000A0,[%s %s %s],Header,from,?,?,?,?,00000000), ref: 10019344
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_msnprintf$curl_mvsnprintf
                                                                                    • String ID: %c%c%c%c$%c%c%c=$%c%c==
                                                                                    • API String ID: 405648482-3943651191
                                                                                    • Opcode ID: dc53872432fc82bb3787ac8d1989132d2ff882bf8367a3caa61ea4d84582a01c
                                                                                    • Instruction ID: 8da7553a30a3ba393ef08fa779d06b7b0818046d6007275a24b24b73751ffd6b
                                                                                    • Opcode Fuzzy Hash: dc53872432fc82bb3787ac8d1989132d2ff882bf8367a3caa61ea4d84582a01c
                                                                                    • Instruction Fuzzy Hash: C751F7755083914FF301CF2888A17FB7BE4DB9A255F58449EE9848B353D23AD609CB61
                                                                                    APIs
                                                                                    • curl_maprintf.LIBCURL(%.*s,00000000,?), ref: 10026450
                                                                                    • curl_maprintf.LIBCURL(%sAuthorization: Digest %s,Proxy-,?), ref: 100264CA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_maprintf
                                                                                    • String ID: %.*s$%sAuthorization: Digest %s$Digest$Proxy-
                                                                                    • API String ID: 3307269620-3976116069
                                                                                    • Opcode ID: f651a4e671b527a1973befcf74905376a4017e519c5ad62bd5d0c9ee475e847d
                                                                                    • Instruction ID: 768cbe099fa4acb9339ab37a90e7d6ec02e30195d0455dd6889ee2dff872c084
                                                                                    • Opcode Fuzzy Hash: f651a4e671b527a1973befcf74905376a4017e519c5ad62bd5d0c9ee475e847d
                                                                                    • Instruction Fuzzy Hash: 26419E715043029FD300DF19E844AABB7E8EFC8759F848869E98897211E775A949CBA2
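
The function entries above are raw per-function metadata, and the triage question they raise is which entries belong to which module and which of them touch network, cookie or HTTP authentication code. The following Python script is an added example, not code from the Joe Sandbox report: it parses entries in exactly the layout shown here (APIs / Strings / Memory Dump Source / Similarity rows), groups them by the Offset field, flags entries whose strings or API arguments match a small indicator table, and checks the API String ID field against the API ID and String ID rows (on this page a component is 0 whenever the matching row is empty). The sample input is a constructed, abbreviated copy of three entries from this listing; the indicator keyword table and the use of the Instruction Fuzzy Hash row as the end-of-entry marker are assumptions drawn from how the entries appear on this page.

```python
"""Parse and triage Joe Sandbox per-function entries from this listing (added example, not report code)."""
import re
from dataclasses import dataclass, field
# Constructed sample: an abbreviated copy of three entries from this listing.
SAMPLE = """\
APIs
• curl_maprintf.LIBCURL(%sAuthorization: Digest %s,Proxy-,?), ref: 100264CA
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID: curl_maprintf
• String ID: %.*s$%sAuthorization: Digest %s$Digest$Proxy-
• API String ID: 3307269620-3976116069
• Instruction Fuzzy Hash: 26419E715043029FD300DF19E844AABB7E8EFC8759F848869E98897211E775A949CBA2
APIs
• GetProcessHeap.KERNEL32 ref: 00FD25D9
  • Part of subcall function 01033D26: EnterCriticalSection.KERNEL32(011219F4,?,?,?,00FD405B), ref: 01033D31
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(optNoShowAgain,80070057,80070057,?,?), ref: 00FD26B8
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
Similarity
• API ID: CriticalInit_thread_footerSection$ControlControl@EnterFindHeapI@2@LeaveLib@@ManagerPaintProcess
• String ID: .xml$optNoShowAgain
• API String ID: 2721581611-522237678
• Instruction Fuzzy Hash: D3516570A01601DFE729DFE8DA49B5EF7E5FB90310F18412DE8559B384EB356900ABD1
Strings
• Connection failed, xrefs: 100221BE
• Failed to connect to %s port %ld: %s, xrefs: 10022393
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID:
• String ID: Connection failed$Failed to connect to %s port %ld: %s
• API String ID: 0-885759404
• Instruction Fuzzy Hash: 4BB1B2B5A04301AFD704CF64E881BABB3E5FF89348F804A1DFA5993281D735B955CB92
"""
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-F]+): )?(\S+?)\.([A-Z0-9_]+)(\(.*\))?,? ref: ([0-9A-F]+)$")
STR_RE = re.compile(r"^(.*), xrefs: ([0-9A-F]+)$")
SRC_RE = re.compile(r"^Source File: (\S+), Offset: ([0-9A-F]+)")
INDICATORS = {  # keyword table is an assumption, tuned to strings seen on this page
    "http-auth": ("Authorization:", "Digest"),
    "cookies": ("Set-Cookie",),
    "network-connect": ("connect to", "Connection failed", "Connection time-out"),
}

@dataclass
class Entry:
    apis: list = field(default_factory=list)     # (name, lib, args, ref, subcall_of)
    strings: list = field(default_factory=list)  # (text, xref address)
    offset: str = ""                             # base of the module the dump came from
    sim: dict = field(default_factory=dict)      # Similarity rows, key -> value

def parse_entries(text):
    """Split the listing into Entry records; the Instruction Fuzzy Hash row closes an entry (assumed last row)."""
    entries, cur, section = [], Entry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            section = line
        elif line.startswith("•"):  # anything else is blank or page residue
            body = line.lstrip("•").strip()
            if section == "APIs" and (m := API_RE.match(body)):
                cur.apis.append((m[2], m[3], (m[4] or "")[1:-1], m[5], m[1] or ""))
            elif section == "Strings" and (m := STR_RE.match(body)):
                cur.strings.append((m[1], m[2]))
            elif section == "Memory Dump Source" and (m := SRC_RE.match(body)):
                cur.offset = m[2]  # "Associated" rows do not match and are skipped
            elif section == "Similarity":
                key, _, val = body.partition(":")
                cur.sim[key.strip()] = val.strip()
                if key.strip() == "Instruction Fuzzy Hash":
                    entries.append(cur)
                    cur, section = Entry(), None
    return entries + ([cur] if cur.apis or cur.sim else [])  # keep a truncated trailing entry

def flag_entry(e):
    """Indicator labels found in strings, String ID parts or API args; 'libcurl' if any API resolves to LIBCURL."""
    texts = [s for s, _ in e.strings] + e.sim.get("String ID", "").split("$") + [a[2] for a in e.apis]
    hits = {label for label, needles in INDICATORS.items() if any(n in t for n in needles for t in texts)}
    if any(a[1] == "LIBCURL" for a in e.apis):
        hits.add("libcurl")
    return hits

def group_by_module(entries):
    """Bucket entries by the Offset field, i.e. by the dumped module they came from."""
    groups = {}
    for e in entries:
        groups.setdefault(e.offset, []).append(e)
    return groups

def api_string_id_consistent(e):
    """On this page an API String ID component is 0 exactly when the matching ID row is empty."""
    a, _, b = e.sim.get("API String ID", "").partition("-")
    return (bool(e.sim.get("API ID")) or a == "0") and (bool(e.sim.get("String ID")) or b == "0")

if __name__ == "__main__":
    print({base: [sorted(flag_entry(e)) for e in grp] for base, grp in group_by_module(parse_entries(SAMPLE)).items()})
```

Run stand-alone it prints, per module base, the indicator flags of each sample entry. In this listing the entries dumped from the module based at 10000000 are the ones calling curl_* functions and carrying libcurl strings, while those based at 00F90000 call DuiLib (YCOMUIU) UI functions; grouping by offset makes that split explicit before any deeper look at the fuzzy hashes.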

APIs
• __time32.LIBCMT ref: 10028EF0
  • Part of subcall function 100478FA: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,10001F04,?), ref: 10047903
  • Part of subcall function 100478FA: __aulldiv.LIBCMT ref: 10047923
• __time32.LIBCMT ref: 10029008
  • Part of subcall function 1000A8C0: curl_mvsnprintf.LIBCURL(?,00000100,?,?,?), ref: 1000A8F6
Strings
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
                                                                                    Similarity
                                                                                    • API ID: Time__time32$FileSystem__aulldivcurl_mvsnprintf
                                                                                    • String ID: Connection time-out$gfff$gfff$set timeouts for state %d; Total %ld, retry %d maxtry %d
                                                                                    • API String ID: 837565686-870032562
                                                                                    • Opcode ID: 69956fa29ecc52974dbb155abf869e8d301214357357da9e486a4ed3ab4fd528
                                                                                    • Instruction ID: 84997e418f1620306211fbb6ea7003666ee4aba0c54b724bcfd0b2f91413091b
                                                                                    • Opcode Fuzzy Hash: 69956fa29ecc52974dbb155abf869e8d301214357357da9e486a4ed3ab4fd528
                                                                                    • Instruction Fuzzy Hash: 0B318075601B058FC328CF29E940A56B7E6FB88344B444A3DF986CB792F731F9058B50
APIs
• ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(?,010C8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,B69A1A1E), ref: 0100C351
• ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU ref: 0100C369
• ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU ref: 0100C371
Strings
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Lib@@WindowWnd@$CenterCreate@D__@@Modal@ShowU__@@@Window@
• String ID: Message$NoSelectedArea$Title
• API String ID: 4232685419-1162752447
• Opcode ID: 5a8f096ce44ebfb2a39dafd0643ce9ac8bb31f6974e0a024aa854ba8061c5426
• Instruction ID: ac755ba1f447136e236b6bbdad060524b4ffd14bbdc1a223b7c7c5a88051f754
• Opcode Fuzzy Hash: 5a8f096ce44ebfb2a39dafd0643ce9ac8bb31f6974e0a024aa854ba8061c5426
• Instruction Fuzzy Hash: 3F41E271A00609AFEB21CFA9C944B9EFBF5FF44724F1083A9E464AB3D0C7755A008B80
Strings
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID:
• String ID: %s: %s, %02d %s %4d %02d:%02d:%02d GMT$If-Modified-Since$If-Unmodified-Since$Invalid TIMEVALUE$Last-Modified
• API String ID: 0-4153637960
• Opcode ID: 6aad25258a79b56374d68cad3744f35cfba30c522d9e41fe8c5999a004b1b27c
• Instruction ID: 4feb17d41867483a2f4ef312684b0fc069b218fb9c6b881eed6427a0e496a46f
• Opcode Fuzzy Hash: 6aad25258a79b56374d68cad3744f35cfba30c522d9e41fe8c5999a004b1b27c
• Instruction Fuzzy Hash: D031EA76A045005FE314CB68DC91A6FB3E5FFC8651FA0861DF95D87284E639FE048BA2
APIs
• ??0CWaitCursor@DuiLib@@QAE@PAUHWND__@@@Z.YCOMUIU(00000000,B69A1A1E,?,?,?,80004005), ref: 00FFC56E
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,80004005), ref: 00FFC58A
  • Part of subcall function 00FC4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00FC4167
• SHCreateDirectoryExW.SHELL32(00000000,?,00000000,?,?,?,?,?,80004005), ref: 00FFC5D2
• ??1CWaitCursor@DuiLib@@QAE@XZ.YCOMUIU ref: 00FFC64B
Strings
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Wait$Cursor@Lib@@$CreateD__@@@DirectoryException@8ObjectSingleThrow
• String ID: %s//%s//$data2
• API String ID: 3658049664-229016458
• Opcode ID: 1cba1be921cf0956d4d496420b4c85c955d912f74a8b7cba44c0f68737fe4cb1
• Instruction ID: 49a83141262624b9c13822b8c774a1903a483d5e5bed044f5a0dbf9d9f4ac123
• Opcode Fuzzy Hash: 1cba1be921cf0956d4d496420b4c85c955d912f74a8b7cba44c0f68737fe4cb1
• Instruction Fuzzy Hash: F231E170900609AFD720DF68CD09BA9BBB4FF04320F148219F964A76D1DBB5A914CB91
APIs
• ??0CWaitCursor@DuiLib@@QAE@PAUHWND__@@@Z.YCOMUIU(00000000,B69A1A1E), ref: 00FFC43E
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00FFC45A
  • Part of subcall function 00FC4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00FC4167
• SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00FFC4A2
• ??1CWaitCursor@DuiLib@@QAE@XZ.YCOMUIU ref: 00FFC51C
Strings
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Wait$Cursor@Lib@@$CreateD__@@@DirectoryException@8ObjectSingleThrow
• String ID: %s//%s//$data2
• API String ID: 3658049664-229016458
• Opcode ID: 71bcc393a4d6ffcae7985cfddbf8a47eff46b55f337475832f6cf192422a1194
• Instruction ID: 66e3ec96c284ff52d5c6770165395868f82469503feafcfd4a8d41d022ac176c
• Opcode Fuzzy Hash: 71bcc393a4d6ffcae7985cfddbf8a47eff46b55f337475832f6cf192422a1194
• Instruction Fuzzy Hash: 2331E270900609AFD720DF69CD09BAABBB4FF00324F148258F964A76D1DBB9A914CB95
APIs
  • Part of subcall function 10004C90: __time32.LIBCMT ref: 10004C97
• _fputs.LIBCMT ref: 10005C48
• curl_mfprintf.LIBCURL(00000000,%s,00000000), ref: 10005C71
• curl_mfprintf.LIBCURL(00000000,## Fatal libcurl error), ref: 10005CA3
Strings
• # Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 10005C43
• %s, xrefs: 10005C6B
• ## Fatal libcurl error, xrefs: 10005C9D
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: curl_mfprintf$__time32_fputs
• String ID: ## Fatal libcurl error$# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s
• API String ID: 3022673664-1525338603
• Opcode ID: c0e4ecc51e3ab5e2cd3209c06ad495b91503155e74bb00c8cbbcbd9f08743ea7
• Instruction ID: ccd39e36d9e70a9e9fb49be1f1cae8cf7a20a295351cb7d9432ffc9c8cf38566
• Opcode Fuzzy Hash: c0e4ecc51e3ab5e2cd3209c06ad495b91503155e74bb00c8cbbcbd9f08743ea7
• Instruction Fuzzy Hash: E921D271A043056FF710DA64AC59F5B73D8DB806E7F054438F909AA206EB77FC8886A2
APIs
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,Guide,00000000,00000001,?,B69A1A1E,?,00000000,?,?,?,010B8A82,000000FF), ref: 0100C3F6
• ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(FFFFFFFF,010C8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0100C456
• ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU ref: 0100C45E
• SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,Guide,00000004,?), ref: 0100C486
Strings
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Lib@@ValueWindowWnd@$Create@D__@@Modal@ShowU__@@@
• String ID: Guide$Software\EasePaintWatermarkRemover
• API String ID: 1895500408-2466343132
• Opcode ID: d63e82b035f6af58915f1d46a639998ac3d6ea6d2e81526e44a945bdbe83bfaa
• Instruction ID: 3746f58b62db8aa2967daf047e43942e5e0e0b8336bf5785722edc7425f21922
• Opcode Fuzzy Hash: d63e82b035f6af58915f1d46a639998ac3d6ea6d2e81526e44a945bdbe83bfaa
• Instruction Fuzzy Hash: B7218EB1640318BFEB218F54CD45BAEBBA8FB04B64F108259FD95A63C0DBB69504CB94
APIs
• SHGetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UpdateDay,00000000,00000000,?,00000000), ref: 010263BA
• GetLocalTime.KERNEL32(?), ref: 010263CA
• GetLocalTime.KERNEL32(?), ref: 010263DE
• SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UpdateDay,00000004,?,00000004), ref: 01026402
Strings
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: LocalTimeValue
• String ID: Software\EasePaintWatermarkRemover$UpdateDay
• API String ID: 3740244869-2909744634
• Opcode ID: 27a8e8a4183f99e9508bd22cb6d74204189962349f72287980eb9c1cb8727897
• Instruction ID: 8f580f3a1b5dda7dd3a3f7b75b43f84ac567eb2a9e505ca0a911a2da46db4a26
• Opcode Fuzzy Hash: 27a8e8a4183f99e9508bd22cb6d74204189962349f72287980eb9c1cb8727897
• Instruction Fuzzy Hash: C7214FB1940318AFDB20EFA1D945FEEB7B8EB08710F50411AFD81BA240D7B6A544CBA4
                                                                                    APIs
                                                                                    • ReleaseMutex.KERNEL32(?,B69A1A1E,?,?,?,?,010B4DCB,000000FF), ref: 00FF4444
                                                                                    • SetEvent.KERNEL32(?,?,?,?,?,010B4DCB,000000FF), ref: 00FF444D
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,010B4DCB,000000FF), ref: 00FF445C
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,010B4DCB,000000FF), ref: 00FF4470
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,010B4DCB,000000FF), ref: 00FF447C
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,010B4DCB,000000FF), ref: 00FF4486
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,010B4DCB,000000FF), ref: 00FF4497
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$EventMutexObjectReleaseSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 573140249-0
                                                                                    • Opcode ID: 8c0e88127829fb2430fb0af47baea1c3219c1e6be0ba2bbd249bf6d9b3777eb0
                                                                                    • Instruction ID: 7719ac89512524971755a8cb058e3542154951d45935e472b5de067b5a990af8
                                                                                    • Opcode Fuzzy Hash: 8c0e88127829fb2430fb0af47baea1c3219c1e6be0ba2bbd249bf6d9b3777eb0
                                                                                    • Instruction Fuzzy Hash: 6C110671500A04AFD730EF69DD44B67FBF8EF44720F104A2DE8A6936A0DB79B9048B94
                                                                                    APIs
                                                                                    • ?GetFont@CPaintManagerUI@DuiLib@@QAEPAUHFONT__@@H@Z.YCOMUIU(00000000), ref: 01004045
                                                                                    • ?GetPaintDC@CPaintManagerUI@DuiLib@@QBEPAUHDC__@@XZ.YCOMUIU(00000000), ref: 01004054
                                                                                    • SelectObject.GDI32(00000000), ref: 01004057
                                                                                    • ?GetPaintDC@CPaintManagerUI@DuiLib@@QBEPAUHDC__@@XZ.YCOMUIU(?,?,?), ref: 01004088
                                                                                    • GetTextExtentPoint32W.GDI32(00000000), ref: 0100408B
                                                                                    • ?GetPaintDC@CPaintManagerUI@DuiLib@@QBEPAUHDC__@@XZ.YCOMUIU(?), ref: 010040A0
                                                                                    • SelectObject.GDI32(00000000), ref: 010040A3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Paint$Lib@@Manager$C__@@$ObjectSelect$ExtentFont@Point32T__@@Text
                                                                                    • String ID:
                                                                                    • API String ID: 2082224380-0
                                                                                    • Opcode ID: a1ef4b61e17256c39d745d58a37b9469a8c3132a2cf99efedbb19da03940a728
                                                                                    • Instruction ID: edf2468e5fe6bb4dbee3fac8f29bda2672f150046c6bfb1e4e39f603fac2f477
                                                                                    • Opcode Fuzzy Hash: a1ef4b61e17256c39d745d58a37b9469a8c3132a2cf99efedbb19da03940a728
                                                                                    • Instruction Fuzzy Hash: 4201D279A00208AFDB249F68D888DAF7BB9EF84690B144054FD06D3341DA36DE01CBA4
                                                                                    APIs
                                                                                    • ??8CStdString@DuiLib@@QBE_NPB_W@Z.YCOMUIU(windowinit), ref: 00FD61F2
                                                                                    • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(DlgFrame), ref: 00FD620C
                                                                                    • ?SetBorderSize@CControlUI@DuiLib@@QAEXH@Z.YCOMUIU(00000000), ref: 00FD624B
                                                                                    • ?SetBorderSize@CControlUI@DuiLib@@QAEXUtagRECT@@@Z.YCOMUIU ref: 00FD625F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@$Control$BorderSize@$Control@FindI@2@ManagerPaintString@T@@@Utag
                                                                                    • String ID: DlgFrame$windowinit
                                                                                    • API String ID: 3871759311-3490495730
                                                                                    • Opcode ID: 7875322dbcdee8cc01b3d764f970990f60e951c4474044b76642c5a8fa6f5843
                                                                                    • Instruction ID: ffa27306b61a3e09a6f36187bfc3711338cedf2790e379a73e867eec7cd893cd
                                                                                    • Opcode Fuzzy Hash: 7875322dbcdee8cc01b3d764f970990f60e951c4474044b76642c5a8fa6f5843
                                                                                    • Instruction Fuzzy Hash: 2011BF30E00209CBCB119FA8D5489BDB7B1FF98305B144269E8459B215EF329E90CB91
                                                                                    APIs
                                                                                      • Part of subcall function 00FA8610: InternetCloseHandle.WININET(?), ref: 00FA863F
                                                                                      • Part of subcall function 00FA8610: InternetCloseHandle.WININET(?), ref: 00FA8649
                                                                                      • Part of subcall function 00FA8610: InternetCloseHandle.WININET(?), ref: 00FA8653
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00FAA559
                                                                                      • Part of subcall function 01053E56: RaiseException.KERNEL32(?,?,B69A1A1E,?,?,?,?,?,?,00FD56AD,80004005,B69A1A1E), ref: 01053EB6
                                                                                      • Part of subcall function 00FA6400: __CxxThrowException@8.LIBVCRUNTIME ref: 00FA6427
                                                                                      • Part of subcall function 00FA6590: __CxxThrowException@8.LIBVCRUNTIME ref: 00FA65AF
                                                                                    • GetLastError.KERNEL32(00000000,CHttpClientT::_ProceedUploadContext: nDesired can not be zero.,00000000,CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.,00000000,CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.,00000000,CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.,00000000,00000068), ref: 00FAA597
                                                                                      • Part of subcall function 00FA6430: __CxxThrowException@8.LIBVCRUNTIME ref: 00FA6477
                                                                                    Strings
                                                                                    • CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL., xrefs: 00FAA57F
                                                                                    • CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL., xrefs: 00FAA567
                                                                                    • CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL., xrefs: 00FAA573
                                                                                    • CHttpClientT::_ProceedUploadContext: nDesired can not be zero., xrefs: 00FAA58B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throw$CloseHandleInternet$ErrorExceptionLastRaise
                                                                                    • String ID: CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.$CHttpClientT::_ProceedUploadContext: nDesired can not be zero.
                                                                                    • API String ID: 3363223308-1511392354
                                                                                    • Opcode ID: cf592c3929ec4a84e38776ae4294da3bc179918ba2a1f1576fc9d738f86b7eb3
                                                                                    • Instruction ID: 85b0ecd5d80a5a26a941fc3e29d775965f6fdcbcee40cb0ffb33af84e477645a
                                                                                    • Opcode Fuzzy Hash: cf592c3929ec4a84e38776ae4294da3bc179918ba2a1f1576fc9d738f86b7eb3
                                                                                    • Instruction Fuzzy Hash: 7D0121B1E803047AEA20B7D4CC07F5D71555F86F08F1C4428B658AD1C2CABF2945A66E
                                                                                    APIs
                                                                                    • TlsGetValue.KERNEL32(00000000,100461B5,00000000,1005118A,00000000,00000000,00000314,?,?,?,10067B70,1004D3FB,10067B70,Microsoft Visual C++ Runtime Library,00012010), ref: 1004614D
                                                                                    • TlsGetValue.KERNEL32(00000009,?,?,?,10067B70,1004D3FB,10067B70,Microsoft Visual C++ Runtime Library,00012010), ref: 10046164
                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,10067B70,1004D3FB,10067B70,Microsoft Visual C++ Runtime Library,00012010), ref: 10046179
                                                                                    • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 10046194
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value$AddressHandleModuleProc
                                                                                    • String ID: EncodePointer$KERNEL32.DLL
                                                                                    • API String ID: 1929421221-3682587211
                                                                                    • Opcode ID: 84383f053ef220bbafbf7c75bf3cf0a9c6a308fec520b0ee3f7bc63b937b6a0c
                                                                                    • Instruction ID: 35616ab26bb36ba372ed8922de5f7bbd40bcb336a40847acddb1a6c44ee3b2b9
                                                                                    • Opcode Fuzzy Hash: 84383f053ef220bbafbf7c75bf3cf0a9c6a308fec520b0ee3f7bc63b937b6a0c
                                                                                    • Instruction Fuzzy Hash: C8F03030501622DBEB81DB74CC54A9A3BE6EF493D27254134F815D31B1EB31DD51CA5A
                                                                                    APIs
                                                                                    • TlsGetValue.KERNEL32(00000000,10046267,?,?,?,00000000), ref: 100461C4
                                                                                    • TlsGetValue.KERNEL32(00000009,?,?,?,00000000), ref: 100461DB
                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00000000), ref: 100461F0
                                                                                    • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 1004620B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value$AddressHandleModuleProc
                                                                                    • String ID: DecodePointer$KERNEL32.DLL
                                                                                    • API String ID: 1929421221-629428536
                                                                                    • Opcode ID: 6c770e020706639d9c05222799467963697507923977ff21f673b70603059f4b
                                                                                    • Instruction ID: 179c8ec4262fb6de2ad37e36d002bc077a6b721c22efcb3846338f00c99824f0
                                                                                    • Opcode Fuzzy Hash: 6c770e020706639d9c05222799467963697507923977ff21f673b70603059f4b
                                                                                    • Instruction Fuzzy Hash: 33F09030505932EBE741DB24CDA4A9A3FE6EF092907214130FC15D31B1EB62DD41CA5A
                                                                                    APIs
                                                                                      • Part of subcall function 00FA85C0: InternetCloseHandle.WININET(?), ref: 00FA85EF
                                                                                      • Part of subcall function 00FA85C0: InternetCloseHandle.WININET(?), ref: 00FA85F9
                                                                                      • Part of subcall function 00FA85C0: InternetCloseHandle.WININET(?), ref: 00FA8603
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00FAA0D8
                                                                                      • Part of subcall function 01053E56: RaiseException.KERNEL32(?,?,B69A1A1E,?,?,?,?,?,?,00FD56AD,80004005,B69A1A1E), ref: 01053EB6
                                                                                      • Part of subcall function 00FA61D0: __CxxThrowException@8.LIBVCRUNTIME ref: 00FA61F7
                                                                                      • Part of subcall function 00FA62B0: __CxxThrowException@8.LIBVCRUNTIME ref: 00FA62CF
                                                                                    • GetLastError.KERNEL32(00000000,CHttpClientT::_ProceedUploadContext: nDesired can not be zero.,00000000,CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.,00000000,CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.,00000000,CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.,00000000,00000068), ref: 00FAA116
                                                                                      • Part of subcall function 00FA6200: __CxxThrowException@8.LIBVCRUNTIME ref: 00FA6247
                                                                                    Strings
                                                                                    • CHttpClientT::_ProceedUploadContext: nDesired can not be zero., xrefs: 00FAA10A
                                                                                    • CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL., xrefs: 00FAA0E6
                                                                                    • CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL., xrefs: 00FAA0F2
                                                                                    • CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL., xrefs: 00FAA0FE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throw$CloseHandleInternet$ErrorExceptionLastRaise
                                                                                    • String ID: CHttpClientT::_ProceedUploadContext: m_hConnection can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hInternet can not be NULL.$CHttpClientT::_ProceedUploadContext: m_hRequest can not be NULL.$CHttpClientT::_ProceedUploadContext: nDesired can not be zero.
                                                                                    • API String ID: 3363223308-1511392354
                                                                                    • Opcode ID: 2cd79535cd4118bdc538df2aba2bb0fdc21dbe9dba3e41026cb83aac6f5cfd00
                                                                                    • Instruction ID: 60efb3dba2a308ac16c93ad542839be68d5afd959d39c05582f2096b1d39da1d
                                                                                    • Opcode Fuzzy Hash: 2cd79535cd4118bdc538df2aba2bb0fdc21dbe9dba3e41026cb83aac6f5cfd00
                                                                                    • Instruction Fuzzy Hash: 46F0A5F1B803047AEA6577E1CC03F9C36A19F4AF41F288418BA60BC4C2CDD938007A6E
                                                                                    APIs
                                                                                    • ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(00000096,?,00FFABE1), ref: 0102E3BA
                                                                                    • KillTimer.USER32(00000000,?,00FFABE1), ref: 0102E3C1
                                                                                    • ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(wndMedia,00000000,?,00FFABE1), ref: 0102E3D0
                                                                                    • WaitForSingleObject.KERNEL32(?,000249F0,?,00FFABE1), ref: 0102E3F7
                                                                                    • CloseHandle.KERNEL32(?,?,00FFABE1), ref: 0102E405
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@Window$Base@CloseD__@@HandleImplKillObjectShowSingleTimerWaitWindow@Wnd@
                                                                                    • String ID: wndMedia
                                                                                    • API String ID: 1340191913-3868476417
                                                                                    • Opcode ID: 9b22972a79d150d80b23712c698236b005da2418d79a37809fef5d05f61d20fc
                                                                                    • Instruction ID: a94c5b6fb79e92ab6656f0f602fd6a126bf057b60403ecd9f74e04056d088062
                                                                                    • Opcode Fuzzy Hash: 9b22972a79d150d80b23712c698236b005da2418d79a37809fef5d05f61d20fc
                                                                                    • Instruction Fuzzy Hash: 66F017707403219FEA349F68E949B1677E8AF08B01F104828FA8AD7684CE7AE8408F14
APIs
• __allrem.LIBCMT ref: 01070200
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0107021C
• __allrem.LIBCMT ref: 01070233
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01070251
• __allrem.LIBCMT ref: 01070268
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01070286
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: ac93dafefa184fc2443a2b6ba8d55c18c1fd927c944c74d6e144d83b47adcd08
• Instruction ID: 8168a4723310701d437909ba67fb40eeb38ef45d032562421c3b7af863c08934
• Opcode Fuzzy Hash: ac93dafefa184fc2443a2b6ba8d55c18c1fd927c944c74d6e144d83b47adcd08
• Instruction Fuzzy Hash: 9081F872A007079BE721AE6CCC41B9E73E9AF56320F14462AF5D1D7295EB70E9018798
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: _memset$__filbuf__read_memcpy_s
• String ID:
• API String ID: 1366226143-0
• Opcode ID: 733a2ccbb34d873eb576c11f79d0931adcef9f2f004b744b94b1fb5a60dd8d4f
• Instruction ID: 71a04eee50a1d23c5811626254bc3e83f07ab393598edd3bb028ce586c8bc3f4
• Opcode Fuzzy Hash: 733a2ccbb34d873eb576c11f79d0931adcef9f2f004b744b94b1fb5a60dd8d4f
• Instruction Fuzzy Hash: B351C171F00209EBCB20CFAAC84459EBBB5EF81360FB18279F825D2191D7709E55DB99
APIs
  • Part of subcall function 01024B70: GetTempPathA.KERNEL32(00000104,?), ref: 01024C07
  • Part of subcall function 01024B70: PathFileExistsA.SHLWAPI(00000000,easePaint,00000009,?), ref: 01024C4E
  • Part of subcall function 01024B70: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 01024C6F
  • Part of subcall function 01025390: std::locale::_Init.LIBCPMT ref: 01025420
  • Part of subcall function 01025390: std::ios_base::_Addstd.LIBCPMT ref: 010254B7
  • Part of subcall function 01023D10: std::locale::_Init.LIBCPMT ref: 01023D52
• __CxxThrowException@8.LIBVCRUNTIME ref: 010249BC
• __CxxThrowException@8.LIBVCRUNTIME ref: 010249FE
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Exception@8InitPathThrowstd::locale::_$AddstdCreateDirectoryExistsFileTempstd::ios_base::_
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 807024382-1866435925
• Opcode ID: 4cb01303d17142d6bead8f2f3287ff27b0c8d046f84edf5a7361c713f11e8bf5
• Instruction ID: 9126da7dc1113850d248e01f10984d359146789347a4ba192a83d67813e958a4
• Opcode Fuzzy Hash: 4cb01303d17142d6bead8f2f3287ff27b0c8d046f84edf5a7361c713f11e8bf5
• Instruction Fuzzy Hash: B9E1FF71D00268DFDB15DFA8C845BEEBBF4BF14300F4441A9D599AB281E7B4AA84CF90
Strings
• GSSAPI handshake failure (invalid security data), xrefs: 1003B9B8
• GSSAPI handshake failure (invalid security layer), xrefs: 1003BA15
• GSSAPI handshake failure (empty security message), xrefs: 1003B88C, 1003B983
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID:
• String ID: GSSAPI handshake failure (empty security message)$GSSAPI handshake failure (invalid security data)$GSSAPI handshake failure (invalid security layer)
• API String ID: 0-242323837
• Opcode ID: 03fd3d7f06d9291e7d663ff054fe0b35cee48a837fce946449fe736fc1e0d2e8
• Instruction ID: c504a8b7b4cb2ac6cb3df7fed50af26efa439bb577db8c118cada272d8538b4a
• Opcode Fuzzy Hash: 03fd3d7f06d9291e7d663ff054fe0b35cee48a837fce946449fe736fc1e0d2e8
• Instruction Fuzzy Hash: 33C169755043119FE310DB68DC84A9BBBE9FFC8345F048929F589C7311EA76E909CB92
APIs
  • Part of subcall function 00FDDCC0: GdipDeleteGraphics.GDIPLUS(?), ref: 00FDDCD0
  • Part of subcall function 00FDDCC0: GdipFree.GDIPLUS(?,?), ref: 00FDDCD6
  • Part of subcall function 00FDDCC0: SelectObject.GDI32(?,?), ref: 00FDDCF6
  • Part of subcall function 00FDDCC0: DeleteDC.GDI32(?), ref: 00FDDD11
• GetDC.USER32(?), ref: 00FE048C
• CreateCompatibleDC.GDI32(00000000), ref: 00FE0495
• ReleaseDC.USER32(?,00000000), ref: 00FE04A5
  • Part of subcall function 00FD5840: DeleteObject.GDI32(?), ref: 00FD584F
  • Part of subcall function 00FD5840: GetDC.USER32(?), ref: 00FD58D5
  • Part of subcall function 00FD5840: CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00FD58E6
  • Part of subcall function 00FD5840: ReleaseDC.USER32(00000000,00000000), ref: 00FD58F7
• SelectObject.GDI32(?,00000000), ref: 00FE04D6
• GdipAlloc.GDIPLUS(00000008,?,?,?,?,?,010B3E4B,000000FF), ref: 00FE04EA
• GdipCreateFromHDC.GDIPLUS(?,?,00000008,?,?,?,?,?,010B3E4B,000000FF), ref: 00FE050B
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Gdip$CreateDeleteObject$ReleaseSelect$AllocCompatibleFreeFromGraphicsSection
• String ID:
• API String ID: 645989474-0
• Opcode ID: 51ac53f1b6be9c1c0b7f29c54e02d8d39c3e34985b9c8c0abdc07ed4fb7976fb
• Instruction ID: 9413e20d2983262e581d5796d2ba47a0105519dac8eb26e062852bf4372ecc84
• Opcode Fuzzy Hash: 51ac53f1b6be9c1c0b7f29c54e02d8d39c3e34985b9c8c0abdc07ed4fb7976fb
• Instruction Fuzzy Hash: 47218D71500785EFDB219F55CC44BAABBB9FB08710F08463AFD559B385DB769800DB60
Strings
• Request has same path as previous transfer, xrefs: 1000C829
• no memory, xrefs: 1000C627
• Uploading to a URL without a file name!, xrefs: 1000C682
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: _strncmp
• String ID: Request has same path as previous transfer$Uploading to a URL without a file name!$no memory
• API String ID: 909875538-2111548750
• Opcode ID: 0a11cdacabd06de5105d8d266b59f3b3a2411f088f76c58fcf85352b48e955c5
• Instruction ID: e810f9277d01f0ce56a5771f587e5d50787a2107ede142e497aef37447efc5ee
• Opcode Fuzzy Hash: 0a11cdacabd06de5105d8d266b59f3b3a2411f088f76c58fcf85352b48e955c5
• Instruction Fuzzy Hash: 80B1D071A043499BEB20CF28CC84B9A37E5EB84791F154128FD489B349E77AED49CB91
APIs
• curl_msnprintf.LIBCURL(100589A4,0000000C,100589A4,?), ref: 10034878
  • Part of subcall function 10019330: curl_mvsnprintf.LIBCURL(?,?,?,?,1000A784,?,000000A0,[%s %s %s],Header,from,?,?,?,?,00000000), ref: 10019344
  • Part of subcall function 1002C440: getaddrinfo.WS2_32(?,?,?,?), ref: 1002C47D
  • Part of subcall function 1002C440: WSASetLastError.WS2_32(00000000), ref: 1002C482
• WSAGetLastError.WS2_32 ref: 100348A3
• WSAGetLastError.WS2_32 ref: 100348A9
• EnterCriticalSection.KERNEL32(00000000), ref: 100348C1
• LeaveCriticalSection.KERNEL32 ref: 100348D0
• LeaveCriticalSection.KERNEL32 ref: 100348F1
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: CriticalErrorLastSection$Leave$Entercurl_msnprintfcurl_mvsnprintfgetaddrinfo
• String ID:
• API String ID: 2920345821-0
• Opcode ID: 1eb77759fd5047677680b6ee74f11649074c5ee1ea83c7adee22ee72c3642860
• Instruction ID: 8c31e7e72d5248a9c220799ccb75a9918ed3f3da2030ed8128212cafdd636f42
• Opcode Fuzzy Hash: 1eb77759fd5047677680b6ee74f11649074c5ee1ea83c7adee22ee72c3642860
• Instruction Fuzzy Hash: 83216DB55007419FE320EF69CC84E6BB7F8EF88205F11891DE9968B650DB71F849CBA1
APIs
• ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU ref: 00FE2416
• GetClientRect.USER32(?,?), ref: 00FE2423
• ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00FE242C
• ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00FE243D
• ?Width@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00FE245D
• ?Height@CDuiRect@DuiLib@@QBEHXZ.YCOMUIU ref: 00FE247E
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Lib@@Rect@$Height@Width@$ClientRect
• String ID:
• API String ID: 1440935839-0
• Opcode ID: 8d4ce8abc4ae6045e7b5c9eb8855d1a029355d0520e4dd89a0d1d5ef3014f11d
• Instruction ID: 03d2ab033a67e3ec2304a3ce07c773abd0e5f42a925f09dc227ebe63b38dec4c
• Opcode Fuzzy Hash: 8d4ce8abc4ae6045e7b5c9eb8855d1a029355d0520e4dd89a0d1d5ef3014f11d
• Instruction Fuzzy Hash: B421A432C0110D8FCB15EF7AD5858BEFBB6EF69340B188726E84176154EB362995CF80
                                                                                    APIs
                                                                                    • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(comboFont,B69A1A1E,?,?,?,?,00000000,010B74BD,000000FF,?,C0000005,00000001,B69A1A1E), ref: 010023D5
                                                                                    • ?RemoveAll@CComboUI@DuiLib@@QAEXXZ.YCOMUIU(?,?,?,?,00000000,010B74BD,000000FF,?,C0000005,00000001,B69A1A1E), ref: 01002401
                                                                                      • Part of subcall function 00FC4FD0: GetProcessHeap.KERNEL32 ref: 00FC504E
                                                                                      • Part of subcall function 00FC4FD0: __Init_thread_footer.LIBCMT ref: 00FC5080
                                                                                      • Part of subcall function 00FC4FD0: __Init_thread_footer.LIBCMT ref: 00FC5104
                                                                                    • ??0CListLabelElementUI@DuiLib@@QAE@XZ.YCOMUIU(?,?,?,?,?,00000000,010B74BD,000000FF), ref: 01002490
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@$Init_thread_footer$All@ComboControlControl@ElementFindHeapI@2@LabelListManagerPaintProcessRemove
                                                                                    • String ID: DefSelectedFont$comboFont
                                                                                    • API String ID: 3574563068-803840066
                                                                                    • Opcode ID: 4fa2fc61b3272ee8da7b78fd00d4bac1162a86999d6aaf9a00659ced9218a3d7
                                                                                    • Instruction ID: 655264df790b89991d171c7e781453343988b5da4dbf5a273769b7a33ed4897d
                                                                                    • Opcode Fuzzy Hash: 4fa2fc61b3272ee8da7b78fd00d4bac1162a86999d6aaf9a00659ced9218a3d7
                                                                                    • Instruction Fuzzy Hash: F1A1C470A00609DFEB11DF58C899FAABBF4FF09314F1441A9E855EB391DB34A904CB91
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: __sopen_s
                                                                                    • String ID: UNICODE$UTF-16LE$UTF-8$ccs=
                                                                                    • API String ID: 2693426323-2506416105
                                                                                    • Opcode ID: 4888b6ac5ad67afade85478e454c5affffa27d5f9bdcd1cccbb72115358600ac
                                                                                    • Instruction ID: 3f44ce7958aaec7035ea4eefc1591be91aeea183186dfcf5107079b8b491c657
                                                                                    • Opcode Fuzzy Hash: 4888b6ac5ad67afade85478e454c5affffa27d5f9bdcd1cccbb72115358600ac
                                                                                    • Instruction Fuzzy Hash: 4871DF71C04249ABDBA1CF65848169DBBE0EB07364F31C07DE85ADA251E3798AC08F98
                                                                                    APIs
                                                                                    • curl_easy_strerror.LIBCURL(00000000,?,?,?,?,?,?,1000F433,1000F433,?,?), ref: 1003EDF9
                                                                                    Strings
                                                                                    • schannel: shutting down SSL/TLS connection with %s port %hu, xrefs: 1003ECCA
                                                                                    • schannel: clear security context handle, xrefs: 1003EE1D
                                                                                    • schannel: ApplyControlToken failure: %s, xrefs: 1003ED40
                                                                                    • schannel: failed to send close msg: %s (bytes written: %zd), xrefs: 1003EE06
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_easy_strerror
                                                                                    • String ID: schannel: ApplyControlToken failure: %s$schannel: clear security context handle$schannel: failed to send close msg: %s (bytes written: %zd)$schannel: shutting down SSL/TLS connection with %s port %hu
                                                                                    • API String ID: 1399792982-4035563756
                                                                                    • Opcode ID: 08b83e92ad452a42a3b32e19039da126a47badf56c0c65eb19282449c279f3e0
                                                                                    • Instruction ID: 8a2801d0eae8eff404092be3d760fd4480446dfdd9d459333b026cbb3168a0b3
                                                                                    • Opcode Fuzzy Hash: 08b83e92ad452a42a3b32e19039da126a47badf56c0c65eb19282449c279f3e0
                                                                                    • Instruction Fuzzy Hash: D57166B1604341AFD714CF28C88096BB7F9FB88345F404A2DFA9A87241D731ED55CBA2
                                                                                    Strings
                                                                                    • read function returned funny value, xrefs: 1001C716
                                                                                    • %x%s, xrefs: 1001C773
                                                                                    • operation aborted by callback, xrefs: 1001C66E
                                                                                    • Read callback asked for PAUSE when not supported!, xrefs: 1001C6B2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_mvsnprintf
                                                                                    • String ID: %x%s$Read callback asked for PAUSE when not supported!$operation aborted by callback$read function returned funny value
                                                                                    • API String ID: 3418963191-1291304620
                                                                                    • Opcode ID: b10381548fe9e47256f872256d0a86b9b749edea959f773bc38689d106c1288a
                                                                                    • Instruction ID: 3f962129ae34ee16728b4e967cbc17f44bde509c7bf6cdd261e8811554a29ba0
                                                                                    • Opcode Fuzzy Hash: b10381548fe9e47256f872256d0a86b9b749edea959f773bc38689d106c1288a
                                                                                    • Instruction Fuzzy Hash: 5B51E4756043498FD310DF28DC81BDBB3E4EB88354F94092DE5598B281EB75F989CB92
                                                                                    APIs
                                                                                    Strings
                                                                                    • *, xrefs: 1002E00F
                                                                                    • Found %I64u bytes to download, xrefs: 1002E0A5
                                                                                    • Failed to parse FETCH response., xrefs: 1002E1BC
                                                                                    • Written %I64u bytes, %I64u bytes are left for transfer, xrefs: 1002E10C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strtol
                                                                                    • String ID: *$Failed to parse FETCH response.$Found %I64u bytes to download$Written %I64u bytes, %I64u bytes are left for transfer
                                                                                    • API String ID: 4256861632-1165716636
                                                                                    • Opcode ID: 76cb9b00893b8d9a53e6ca5235f59d9d0c9d5ee17522a585f2403a28d8beab00
                                                                                    • Instruction ID: 3c917fbb0ca802834ac29363f6fda7c3b890c49c13d75fa62678e4f6021a6708
                                                                                    • Opcode Fuzzy Hash: 76cb9b00893b8d9a53e6ca5235f59d9d0c9d5ee17522a585f2403a28d8beab00
                                                                                    • Instruction Fuzzy Hash: 9A512671A442856FEB20CF24AC81F9B73EAEFC1364F544229F868972C1E631BD558B61
                                                                                    APIs
                                                                                    • curl_maprintf.LIBCURL(%sAuthorization: NTLM %s,Proxy-,?), ref: 10034F7A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_maprintf
                                                                                    • String ID: %sAuthorization: NTLM %s$NTLM$Proxy-
                                                                                    • API String ID: 3307269620-3263743893
                                                                                    • Opcode ID: 37ce841f13fccdbe4fc5da4df06de7dc1b812067c4fa411097dc796fdfeae8fa
                                                                                    • Instruction ID: 5ef90617bb1366178d60d9ebd71da651349a234f546c375eda25b89a78581b79
                                                                                    • Opcode Fuzzy Hash: 37ce841f13fccdbe4fc5da4df06de7dc1b812067c4fa411097dc796fdfeae8fa
                                                                                    • Instruction Fuzzy Hash: A951AFB5908302CFD715DF28D840A6BB7E4FB88346F014D2EF5958B211E776A948CFA2
                                                                                    APIs
                                                                                    • _strrchr.LIBCMT ref: 1000BAF5
                                                                                    • curl_maprintf.LIBCURL(%s%s%s,?,100559C1,100559C1), ref: 1000BB39
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strrchrcurl_maprintf
                                                                                    • String ID: %s%s%s$LIST$NLST
                                                                                    • API String ID: 1669751406-959297966
                                                                                    • Opcode ID: 734ff33143ae1da22cc0ea54be1bd027ed86a6dfe9bacdbea25a889493c25abd
                                                                                    • Instruction ID: 36b1800e6a140db473a12831f90caf706b6c6bce9b0bdc650cacc82b74838229
                                                                                    • Opcode Fuzzy Hash: 734ff33143ae1da22cc0ea54be1bd027ed86a6dfe9bacdbea25a889493c25abd
                                                                                    • Instruction Fuzzy Hash: 72313432A006415BF720DF28AC85BAB33DDDB842D5F054439E90AD7209EBB6ED08C761
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_mvsnprintf
                                                                                    • String ID: NTLM$NTLM auth restarted$NTLM handshake failure (internal error)$NTLM handshake rejected
                                                                                    • API String ID: 3418963191-2258391893
                                                                                    • Opcode ID: 67f80b3138e6b0d041f72b9e6e49f1f9b8529bbb9256596a497b7103168299e1
                                                                                    • Instruction ID: 8440fb5c4f8ee2d67fa52a3386260d5bbe399951fb65492464e06c976ee15dd6
                                                                                    • Opcode Fuzzy Hash: 67f80b3138e6b0d041f72b9e6e49f1f9b8529bbb9256596a497b7103168299e1
                                                                                    • Instruction Fuzzy Hash: E721E7B6A002016FD711D654EC91B9773A8DF91397F104466F9448F112F733E959C6A1
                                                                                    APIs
                                                                                    • curl_maprintf.LIBCURL(%s:%s,?,?), ref: 1000644C
                                                                                    • curl_maprintf.LIBCURL(%sAuthorization: Basic %s,Proxy-,?), ref: 100064DB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_maprintf
                                                                                    • String ID: %s:%s$%sAuthorization: Basic %s$Proxy-
                                                                                    • API String ID: 3307269620-2961970465
                                                                                    • Opcode ID: 7a08abb16312043093176354b5c0bc6b264bc25d9541706173f11077669384cc
                                                                                    • Instruction ID: cd22a53c15b318df3f597947af80d5c620fd456ececf7f53a10246f0b4f62463
                                                                                    • Opcode Fuzzy Hash: 7a08abb16312043093176354b5c0bc6b264bc25d9541706173f11077669384cc
                                                                                    • Instruction Fuzzy Hash: BA31BF715042569FE710DF18DC48BEB73E5EB88395F098479F8498B211E376AA0CCB92
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000A0,[%s %s %s],Header,from,?,?,?,?,00000000), ref: 1000A77F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_msnprintf
                                                                                    • String ID: Data$Header$[%s %s %s]$from
                                                                                    • API String ID: 1809024409-3178933089
                                                                                    • Opcode ID: 74ade1e5d357179abadf94c8acdb12b2053f5b1c30fbdd49d36336400642eef7
                                                                                    • Instruction ID: 8ba6fe77e2e6f8735852aca37f7ca1f074d0d0692d88f53d5de07cd9df07f2ca
                                                                                    • Opcode Fuzzy Hash: 74ade1e5d357179abadf94c8acdb12b2053f5b1c30fbdd49d36336400642eef7
                                                                                    • Instruction Fuzzy Hash: 6D31C5753083449BE360CB54CC81FABB3FAEBCD780F448A1CF64987245EB74A9498792
                                                                                    Strings
                                                                                    • necessary data rewind wasn't possible, xrefs: 1001C8E4
                                                                                    • ioctl callback returned error %d, xrefs: 1001C8AA
                                                                                    • the ioctl callback returned %d, xrefs: 1001C897
                                                                                    • seek callback returned error %d, xrefs: 1001C868
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_mvsnprintf
                                                                                    • String ID: ioctl callback returned error %d$necessary data rewind wasn't possible$seek callback returned error %d$the ioctl callback returned %d
                                                                                    • API String ID: 3418963191-2561564945
                                                                                    • Opcode ID: 4d13b3f407381394a1698f448d991eb0d96032f495c18e67247a0a1f2cc596bc
                                                                                    • Instruction ID: 66211132e1a28d064d40ffd10c0cd1f34b1837a3d209a62ef0e1b615948209e9
                                                                                    • Opcode Fuzzy Hash: 4d13b3f407381394a1698f448d991eb0d96032f495c18e67247a0a1f2cc596bc
                                                                                    • Instruction Fuzzy Hash: 55210A72A407056BE620D628AC42FDBB3E8DF91770F110529F51AAA1C1EB74E9C287A5
                                                                                    APIs
                                                                                    • PathFileExistsW.SHLWAPI(B69A1A1E,B69A1A1E,?,00FF2F1F), ref: 010287E1
                                                                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,0000000A), ref: 01028827
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExecuteExistsFilePathShell
                                                                                    • String ID: EasePaintSetup.exe$SGFzVXBkYXRl$open
                                                                                    • API String ID: 1078955612-319052967
                                                                                    • Opcode ID: 0b8c00e9336c7c16fee4edf6df463c637229e71a45664467fb976b1549019eb3
                                                                                    • Instruction ID: cb7c691260dcc29460c4f943ae8e6033782b75e330be9e6988ccca2cd9ceae96
                                                                                    • Opcode Fuzzy Hash: 0b8c00e9336c7c16fee4edf6df463c637229e71a45664467fb976b1549019eb3
                                                                                    • Instruction Fuzzy Hash: 90210871A40308AFCB10DB69DC46BADBBB4FB15B20F14835AF421A72C1D7B55500CB41
                                                                                    APIs
                                                                                    • setsockopt.WS2_32(?,0000FFFF,00000008,00000004,00000004), ref: 10020D21
                                                                                    • WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 10020D97
                                                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 10020DA1
                                                                                      • Part of subcall function 1000A830: curl_mvsnprintf.LIBCURL(?,00000801,?,?,00000000), ref: 1000A873
                                                                                    Strings
                                                                                    • Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 10020DA9
                                                                                    • Failed to set SO_KEEPALIVE on fd %d, xrefs: 10020D2C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorIoctlLastcurl_mvsnprintfsetsockopt
                                                                                    • String ID: Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d
                                                                                    • API String ID: 3446994914-277924715
                                                                                    • Opcode ID: d6aee2406d687c760d5de291a3576aefc0cb1144691dabf274ec6988f71d21dc
                                                                                    • Instruction ID: 17f829d0399215c7d3e5d5212c060363777c5d4d1d25014fe8ad09235833d35b
                                                                                    • Opcode Fuzzy Hash: d6aee2406d687c760d5de291a3576aefc0cb1144691dabf274ec6988f71d21dc
                                                                                    • Instruction Fuzzy Hash: 3A119EB1900700AFE700DB758C46F5BB6E8EB95B01F80892CB649D61D2FA75A604CB62
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(000000FF,00000000,010ACD10,000000FF,?,00000002,?,?,00FA7D2C,000000FF,010ACD10), ref: 00FA817F
                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000002,00000000,00000007,00000000,00000000,?,?,00FA7D2C,000000FF,010ACD10), ref: 00FA819F
                                                                                    • GetLastError.KERNEL32(00000000,?,?,00FA7D2C,000000FF,010ACD10), ref: 00FA81AD
                                                                                    • GetLastError.KERNEL32(00000000,00000259,00000000,?,?,00FA7D2C,000000FF,010ACD10), ref: 00FA81C0
                                                                                    Strings
                                                                                    • CHttpEncoderA::_AnsiCharToUtf8Char: szUtf8Char and szAnsiChar can not be NULL., xrefs: 00FA81D3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharErrorLastMultiWide
                                                                                    • String ID: CHttpEncoderA::_AnsiCharToUtf8Char: szUtf8Char and szAnsiChar can not be NULL.
                                                                                    • API String ID: 203985260-1887996956
                                                                                    • Opcode ID: 4c53cb0471c2371f8c8a0dabb2d4cd7b99a48196027867f4f1cfc9b2e0beccaa
                                                                                    • Instruction ID: 094cee504a57eccdac198889a2a6b38819158864a613e047d87bc8f6218fd6fb
                                                                                    • Opcode Fuzzy Hash: 4c53cb0471c2371f8c8a0dabb2d4cd7b99a48196027867f4f1cfc9b2e0beccaa
                                                                                    • Instruction Fuzzy Hash: 18018670780209BEFB346B90CC0BF793758EB01B51F1445147B619C1C0DEF6A901AB25
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_ALGORITHM_MISMATCH$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-2996312882
                                                                                    • Opcode ID: 749f88db1fd9978f4b9b9685d9db1ba7f00b4712f5ecc584ce425c25933d4889
                                                                                    • Instruction ID: 6b46fdac7af6673d77d3cb8ff55c09087faca4bde8f9f56166045d10172388eb
                                                                                    • Opcode Fuzzy Hash: 749f88db1fd9978f4b9b9685d9db1ba7f00b4712f5ecc584ce425c25933d4889
                                                                                    • Instruction Fuzzy Hash: 1AF020B8608742AFD726DB24A84172E7310FF80342FC20038F84A86282DF356894CAA6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_BAD_BINDINGS$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-942103111
                                                                                    • Opcode ID: 836a54409f96a01bbcaf0a8dfb9fa05dac11241ca62e68298c68a667cc254201
                                                                                    • Instruction ID: 188fce86068c97bf51d61d3911380da5487588eb66cab8aeb5d14af29d000df9
                                                                                    • Opcode Fuzzy Hash: 836a54409f96a01bbcaf0a8dfb9fa05dac11241ca62e68298c68a667cc254201
                                                                                    • Instruction Fuzzy Hash: D8F055B8608742AFD726DB34A84173E7310FF80342FD20038F84EC6282DF356894C6A6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_BAD_PKGID$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-945561728
                                                                                    • Opcode ID: c8b59127b5dd7b4ae0da3dec02e30ff3592f23236bf9ee50f1887f1183967f8d
                                                                                    • Instruction ID: 5c1ac16f809ac17c5efc31f8127d34a34d2f9fd89b383a089d067eee3b7663d7
                                                                                    • Opcode Fuzzy Hash: c8b59127b5dd7b4ae0da3dec02e30ff3592f23236bf9ee50f1887f1183967f8d
                                                                                    • Instruction Fuzzy Hash: 73F020B8A08742AFD726DB24A84173E7310FF80342FC20038F84A86282DF35689486A6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_BUFFER_TOO_SMALL$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-810525677
                                                                                    • Opcode ID: cf6918cecc038236923d04ed61f1f79346d25949cfcb0e0d50bd62dadaf173ee
                                                                                    • Instruction ID: bd75e794ee6ee27d4a4137b75642eff72426498fd6c02e4533a8d7e3b18cee04
                                                                                    • Opcode Fuzzy Hash: cf6918cecc038236923d04ed61f1f79346d25949cfcb0e0d50bd62dadaf173ee
                                                                                    • Instruction Fuzzy Hash: C9F027786047469FD725DB24A84172E7310FF80342FC20038F84A85291DF3558548666
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_CERT_EXPIRED$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-2334300041
                                                                                    • Opcode ID: 9817d39b9ef2d10b495fabc645017c7ee5397adb601084eb721a9eea6889b912
                                                                                    • Instruction ID: c5532d71b0b09247848d76e090cf47c9a09f1d8d45b0c288bca2e7e5335b5637
                                                                                    • Opcode Fuzzy Hash: 9817d39b9ef2d10b495fabc645017c7ee5397adb601084eb721a9eea6889b912
                                                                                    • Instruction Fuzzy Hash: C4F027796047469FD725DB24A84173E7350FF80342FC20038F84A85281DF3558548666
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_CERT_UNKNOWN$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-2247992313
                                                                                    • Opcode ID: 17a481bbde6700dc394599bfcdcdb8d6ed166566adafd96bcfe874d1bd9f99f2
                                                                                    • Instruction ID: 2a13ccb81a3104632371078ff43f2eb0c03c3f6b800651a385c066ca997164a0
                                                                                    • Opcode Fuzzy Hash: 17a481bbde6700dc394599bfcdcdb8d6ed166566adafd96bcfe874d1bd9f99f2
                                                                                    • Instruction Fuzzy Hash: BCF05C786047429FD725DB34A84573E7350FF81342FC20038F84EC5281DF355854C666
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_CERT_WRONG_USAGE$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-1694533537
                                                                                    • Opcode ID: ca6c6ba0cda2ffd074fbc92adf9f0a845373b3de1ff05994e951d563a3fdd4f5
                                                                                    • Instruction ID: 15241795378b9d6f976b5d561c6a3ea1cfc67b22a349562bf1a8a62999de1b4b
                                                                                    • Opcode Fuzzy Hash: ca6c6ba0cda2ffd074fbc92adf9f0a845373b3de1ff05994e951d563a3fdd4f5
                                                                                    • Instruction Fuzzy Hash: B1F020B8608342AFD732DB24A84173E7310FF80342FC20038F84A86282DF3568948AA6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_CONTEXT_EXPIRED$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-1209114829
                                                                                    • Opcode ID: 76405c0066441de4d740b43e94b4efae66de455bd72cab72c9ceee52db21c236
                                                                                    • Instruction ID: 1d0eff30de9930cdfb8cf92e7a2777824e150971b568af750a082a73d0c5f541
                                                                                    • Opcode Fuzzy Hash: 76405c0066441de4d740b43e94b4efae66de455bd72cab72c9ceee52db21c236
                                                                                    • Instruction Fuzzy Hash: D6F020B8608342AFD722DB24A84172E7310FF80342FC20038F84A86282DF3568948AA6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    • SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
                                                                                    • SEC_E_CROSSREALM_DELEGATION_FAILURE, xrefs: 1002757B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_CROSSREALM_DELEGATION_FAILURE$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-1728428445
                                                                                    • Opcode ID: 8eba20e282ca94453399eda81494618e2366727a813cb31c19937475821ff635
                                                                                    • Instruction ID: bc7c5dda466635b7c3e59db30949b6b3588e170cacdd71ae8ef4ff91ad6def3e
                                                                                    • Opcode Fuzzy Hash: 8eba20e282ca94453399eda81494618e2366727a813cb31c19937475821ff635
                                                                                    • Instruction Fuzzy Hash: 9BF027786043429FD721DB24A84173E7310FF80342FC20038F84A85282DF3558948666
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    • SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
                                                                                    • SEC_E_CRYPTO_SYSTEM_INVALID, xrefs: 10027585
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_CRYPTO_SYSTEM_INVALID$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-1994179410
                                                                                    • Opcode ID: 87df86ff356c00e69c8cc71774149d43ef2647eba021f768a20a325d4b12c7cd
                                                                                    • Instruction ID: f900f9f8b52a415a4922e271307779e2218b7c5234628c9791934bfb926475f8
                                                                                    • Opcode Fuzzy Hash: 87df86ff356c00e69c8cc71774149d43ef2647eba021f768a20a325d4b12c7cd
                                                                                    • Instruction Fuzzy Hash: 78F020B8608342AFD722DB24A84172E7310FF80342FC20038F84A86282DF3568948AA6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_DECRYPT_FAILURE$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-2957084375
                                                                                    • Opcode ID: 0fa0bb59a000798ea062ce1f5d1d256b29f50bc64d3a2fb05c31be4ca1ab6a3c
                                                                                    • Instruction ID: 0633af5c2a06f24c508533a8d674d3ddb4f611925b7d72d82f17ca8a4118c8d3
                                                                                    • Opcode Fuzzy Hash: 0fa0bb59a000798ea062ce1f5d1d256b29f50bc64d3a2fb05c31be4ca1ab6a3c
                                                                                    • Instruction Fuzzy Hash: 05F027786043429FD731DB24A84172E7710FF80342FC20038F84A85282DF3558548666
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_DELEGATION_POLICY$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-373352088
                                                                                    • Opcode ID: 882f75f5b4e8eec3aebd1f848f05f6abf6c40f1f601fd059b004ed469249a70a
                                                                                    • Instruction ID: 2d0a97931ad32ce7c4ba7a5dadf281ef866d18eb86a4070a1cac5a249604601f
                                                                                    • Opcode Fuzzy Hash: 882f75f5b4e8eec3aebd1f848f05f6abf6c40f1f601fd059b004ed469249a70a
                                                                                    • Instruction Fuzzy Hash: 87F020B8608342AFD722DB24A84172E7310FF81342FC20038F84A86292DF3568948AA6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    • SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
                                                                                    • SEC_E_DELEGATION_REQUIRED, xrefs: 100275A3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_DELEGATION_REQUIRED$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-1336467790
                                                                                    • Opcode ID: b042afb9d1030ef6e32c9a460bd19941e2f933aeb1c2f2597560d859ec866afd
                                                                                    • Instruction ID: 93c359cca3b04e2c5f8ba301e4bc6adc89f75cde7e3e2b4a6106975a4ef0f6b6
                                                                                    • Opcode Fuzzy Hash: b042afb9d1030ef6e32c9a460bd19941e2f933aeb1c2f2597560d859ec866afd
                                                                                    • Instruction Fuzzy Hash: D9F020B8608742AFD732DB24A84173E7310FF80352FC20038F84A86282DF3568948AA6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_DOWNGRADE_DETECTED$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-808614159
                                                                                    • Opcode ID: 5bc0017d0c7556d0b3f63441e0f1c472fb6fd1ada2a567f503fa6ea1f42c5beb
                                                                                    • Instruction ID: 389e4bb1390753da957cf4ca6b3403f6565b5957387957019cf889a5aa8b1fb4
                                                                                    • Opcode Fuzzy Hash: 5bc0017d0c7556d0b3f63441e0f1c472fb6fd1ada2a567f503fa6ea1f42c5beb
                                                                                    • Instruction Fuzzy Hash: 33F020B8608342AFD732DB24A84176E7350FF80342FC20038F84A86282DF3568948AA6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_ENCRYPT_FAILURE$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-619797272
                                                                                    • Opcode ID: fc0970abd4aa84b3303d60f6b1fb12a165829fc05b28e6e651f82105ad8c483b
                                                                                    • Instruction ID: 360c39cb461f80d5d9a26653fe641a6915a9c1937dcc8ee14a69fc9a8a5a6623
                                                                                    • Opcode Fuzzy Hash: fc0970abd4aa84b3303d60f6b1fb12a165829fc05b28e6e651f82105ad8c483b
                                                                                    • Instruction Fuzzy Hash: F0F027786043429FD731DB24A84172E7310FF80342FC20038F84A85282DF355894C666
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_ILLEGAL_MESSAGE$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-1574295650
                                                                                    • Opcode ID: 90ee1f345a8c3a721113153a71c3a91639a181ae36c2bf6c1cbbc4888fdf3fc7
                                                                                    • Instruction ID: e6c9a48c698efbc765a233f49cb4fa67c70d60f89a17d50eebef69a818f4b3d8
                                                                                    • Opcode Fuzzy Hash: 90ee1f345a8c3a721113153a71c3a91639a181ae36c2bf6c1cbbc4888fdf3fc7
                                                                                    • Instruction Fuzzy Hash: B2F027786043529FD731DB24A84572E7310FF80342FC20038F84A85282DF3558548666
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    • SEC_E_INCOMPLETE_CREDENTIALS, xrefs: 100275CB
                                                                                    • SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_INCOMPLETE_CREDENTIALS$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-1251709352
                                                                                    • Opcode ID: f288d2df75861f2d05ea9d554a8575350cef63fbe73261f8388f8cbc3f861393
                                                                                    • Instruction ID: 316bf8599250b2a1b2a159bc48204f55e5b1848a41917375cd6169f786273cd5
                                                                                    • Opcode Fuzzy Hash: f288d2df75861f2d05ea9d554a8575350cef63fbe73261f8388f8cbc3f861393
                                                                                    • Instruction Fuzzy Hash: 66F05C786043429FD721DB34A84173E7310FF80342FC20039F84ED5281DF355854C666
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_INCOMPLETE_MESSAGE$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-1938747175
                                                                                    • Opcode ID: 333e91430394b1f909de8aa8e602c7899213e9d65ff8c49e47def7644557ea47
                                                                                    • Instruction ID: 4cb8c08945f273265e591308c20a61cd509ffed8e9f3f9a9f58b5350410eb745
                                                                                    • Opcode Fuzzy Hash: 333e91430394b1f909de8aa8e602c7899213e9d65ff8c49e47def7644557ea47
                                                                                    • Instruction Fuzzy Hash: 93F020B8608342AFD722DB24A841B3E7710FF80342FC20038F84A96282DF35689486A6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_INVALID_PARAMETER$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-170380494
                                                                                    • Opcode ID: 737668d10fad322605796d37107148262a063520b51b8f0f55136cc6d7d34d99
                                                                                    • Instruction ID: 065f5931f16d935ab09695dc6cab07d7e2e466c4ca322978e8d12163dbb43bc5
                                                                                    • Opcode Fuzzy Hash: 737668d10fad322605796d37107148262a063520b51b8f0f55136cc6d7d34d99
                                                                                    • Instruction Fuzzy Hash: B0F02778604342AFD721DB24A84172E7310FF80342FC20038F84A95291DF3558548666
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    • SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
                                                                                    • SEC_E_ISSUING_CA_UNTRUSTED, xrefs: 10027611
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_ISSUING_CA_UNTRUSTED$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-3953322954
                                                                                    • Opcode ID: 89f4cbdabc8033a2d7395792227bbd186f3567fe67d1401332dce68e11964bf7
                                                                                    • Instruction ID: 35c0679f6db4da1e168aafc3f5754f56ae955a913ece1a50766bc961d1506108
                                                                                    • Opcode Fuzzy Hash: 89f4cbdabc8033a2d7395792227bbd186f3567fe67d1401332dce68e11964bf7
                                                                                    • Instruction Fuzzy Hash: E4F055B8608342AFD722DB34A84173E7350FF80342FC20038F84ED6282DF356894C6A6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    • SEC_E_ISSUING_CA_UNTRUSTED_KDC, xrefs: 1002761B
                                                                                    • SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_ISSUING_CA_UNTRUSTED_KDC$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-1301703659
                                                                                    • Opcode ID: a70977aab3561e1b30af1c56baa4a8f91970fe427a95feba36d30137b43b6328
                                                                                    • Instruction ID: cd7e206373f8938f039e3a1f9a8971e64e9dbb8fe0c278619f2239301aec2812
                                                                                    • Opcode Fuzzy Hash: a70977aab3561e1b30af1c56baa4a8f91970fe427a95feba36d30137b43b6328
                                                                                    • Instruction Fuzzy Hash: 2BF020B8608342AFD722DB24A84172E7310FF80342FC20038F84A96282DF356894CAB6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_KDC_CERT_EXPIRED$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-1432954256
                                                                                    • Opcode ID: 46425b116307c2793982a4723ab3b2d596cccda02ea6aad17080ba21abd89eb4
                                                                                    • Instruction ID: 33ffa380bd8938bd5e4de76b76238c99239e67962b74c3b524c1e0760c2e925f
                                                                                    • Opcode Fuzzy Hash: 46425b116307c2793982a4723ab3b2d596cccda02ea6aad17080ba21abd89eb4
                                                                                    • Instruction Fuzzy Hash: A0F027786043429FD721DB24A84173E7310FF80342FC20038F84E85281DF3558548666
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_KDC_CERT_REVOKED$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-1648702936
                                                                                    • Opcode ID: 7565d132e31a6b3abdebdae9a805c76c56395e2a2470ccff47d34cb46779b62f
                                                                                    • Instruction ID: 904a335a06e1ed55fcac949424b1cc442f21b9bc1406211ef05ce161368406ce
                                                                                    • Opcode Fuzzy Hash: 7565d132e31a6b3abdebdae9a805c76c56395e2a2470ccff47d34cb46779b62f
                                                                                    • Instruction Fuzzy Hash: DBF020B8608342AFD722DB24A84173E7310FF80342FC20039F84A86282DF35689486AA
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    • SEC_E_KDC_INVALID_REQUEST, xrefs: 10027639
                                                                                    • SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_KDC_INVALID_REQUEST$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-923278453
                                                                                    • Opcode ID: c5b53b308ee8de8884efad1279dd403dc6cd09705de7df232e1266c566e3c399
                                                                                    • Instruction ID: 16470008104726426ec10f983aee9477818a90efff3013e1bccfa818db1f4d92
                                                                                    • Opcode Fuzzy Hash: c5b53b308ee8de8884efad1279dd403dc6cd09705de7df232e1266c566e3c399
                                                                                    • Instruction Fuzzy Hash: E5F020B8608342AFD722DB24A841B3E7710FF80342FC20038F84A86282DF35689486A6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    • SEC_E_KDC_UNABLE_TO_REFER, xrefs: 10027643
                                                                                    • SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_KDC_UNABLE_TO_REFER$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-2776967552
                                                                                    • Opcode ID: 7a58aa6fd5b858eadc64fa8074a897d74abfd0e6b69e326fc934caf9e497dedd
                                                                                    • Instruction ID: d419863381a569a85eda16d0e6793a57e89417a3877fc3844f9751f40535d519
                                                                                    • Opcode Fuzzy Hash: 7a58aa6fd5b858eadc64fa8074a897d74abfd0e6b69e326fc934caf9e497dedd
                                                                                    • Instruction Fuzzy Hash: 58F020B8608342AFD726DB24A84172E7310FF80342FC20038F84E86282DF3568948AA6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_KDC_UNKNOWN_ETYPE$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-3095558726
                                                                                    • Opcode ID: 9b8c36f34070a85980df367fb8b9abd339292a1618aadd6bf11f3fc82ab2d034
                                                                                    • Instruction ID: bbe01ce106170e590ad0b03c74f51b0cf48c7687b2e7a7548bc624bbc7a4e349
                                                                                    • Opcode Fuzzy Hash: 9b8c36f34070a85980df367fb8b9abd339292a1618aadd6bf11f3fc82ab2d034
                                                                                    • Instruction Fuzzy Hash: 64F020B8608342AFD722DB24A84172E7310FF80342FC20038F84E86282DF35689486A6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    • SEC_E_MAX_REFERRALS_EXCEEDED, xrefs: 10027661
                                                                                    • SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_MAX_REFERRALS_EXCEEDED$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-1545583215
                                                                                    • Opcode ID: 661a404eb970a537afbf49673d17523d0697eeda528998a058f7954504a589bc
                                                                                    • Instruction ID: 29b4cf9b7c149de3790a4ed64b8700a8ea3ecee396afe0dbcafae642c48bbd65
                                                                                    • Opcode Fuzzy Hash: 661a404eb970a537afbf49673d17523d0697eeda528998a058f7954504a589bc
                                                                                    • Instruction Fuzzy Hash: B6F020B8608346AFD722DB24A88172E7310FF80342FC20038F84A86292DF35689496A6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_MULTIPLE_ACCOUNTS$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-3493655102
                                                                                    • Opcode ID: 23695fb58d2d36c75b5e06193883543ad920aa6048f8b16da31761c9c8560a79
                                                                                    • Instruction ID: 5938403f2c4cd291f76286c4920b82b20d6820c05814c43a79e7958417b730bd
                                                                                    • Opcode Fuzzy Hash: 23695fb58d2d36c75b5e06193883543ad920aa6048f8b16da31761c9c8560a79
                                                                                    • Instruction Fuzzy Hash: 94F020B8608342AFD722DB24A84172E7350FF80342FC20038F84A86282DF39689486B6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_MUST_BE_KDC$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-754988098
                                                                                    • Opcode ID: 1a6c2b1a64b507d12c56d9c91682ba4d63631499191065da7ce9169b5e82c0ad
                                                                                    • Instruction ID: 1b1654f190392b5381335c874852f1deeb28cf591b679ce57aee2e5a7abc4ae1
                                                                                    • Opcode Fuzzy Hash: 1a6c2b1a64b507d12c56d9c91682ba4d63631499191065da7ce9169b5e82c0ad
                                                                                    • Instruction Fuzzy Hash: 6EF020B8648342AFD722DB24A84172E7310FF80342FC20038F84E86282DF356894C6B6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_NO_IP_ADDRESSES$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-3380493386
                                                                                    • Opcode ID: 217ee14f255fba30fcde076a2b24b74c18f8b749fe0ef06104ebe6807e739d89
                                                                                    • Instruction ID: 183f1b8beab616fa5a6693fa71d2cd05c4ee0e41c20af36dd2bac1a8303a5650
                                                                                    • Opcode Fuzzy Hash: 217ee14f255fba30fcde076a2b24b74c18f8b749fe0ef06104ebe6807e739d89
                                                                                    • Instruction Fuzzy Hash: B7F055B8608742AFE762DB34A85577E7310FF80342FC20038F84EC6282DF356894C6A6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_NO_KERB_KEY$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-1265541653
                                                                                    • Opcode ID: c4f390c1a47f0c6f6878c5092d425defe102a330418a6def180c752990209b21
                                                                                    • Instruction ID: e7821a318a8c0515b6ed3f6467b00d462dcc349339dcd76695d93175a8dd8c23
                                                                                    • Opcode Fuzzy Hash: c4f390c1a47f0c6f6878c5092d425defe102a330418a6def180c752990209b21
                                                                                    • Instruction Fuzzy Hash: 95F055B8608742AFD762DB34A85173E7310FF81342FC20038F84EC6282DF356894C6A6
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_NO_PA_DATA$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-462261175
                                                                                    • Opcode ID: e84eca340d4750abd80dee1d474e4253bce0d6efb75bdb500137b9937c8f6071
                                                                                    • Instruction ID: c195b110c4d599ca25625cbfa434fab880aa7e75cfd120805d653ca2c93a46d2
                                                                                    • Opcode Fuzzy Hash: e84eca340d4750abd80dee1d474e4253bce0d6efb75bdb500137b9937c8f6071
                                                                                    • Instruction Fuzzy Hash: 9AF027786047429FD761DB24A85173E7310FF80342FC20038F84A86281DF3568948666
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
                                                                                    • _strncpy.LIBCMT ref: 1002793E
                                                                                    • GetLastError.KERNEL32 ref: 1002795D
                                                                                    • SetLastError.KERNEL32(?), ref: 1002796C
                                                                                    Strings
                                                                                    • SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
                                                                                    • SEC_E_NO_S4U_PROT_SUPPORT, xrefs: 100276CF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_NO_S4U_PROT_SUPPORT$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-3398403623
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_NO_TGT_REPLY$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-4074602245
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
• SEC_E_PKINIT_CLIENT_FAILURE, xrefs: 100276ED
• SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_PKINIT_CLIENT_FAILURE$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-4043996442
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
• SEC_E_PKINIT_NAME_MISMATCH, xrefs: 100276F7
• SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_PKINIT_NAME_MISMATCH$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-950525325
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_POLICY_NLTM_ONLY$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-517804941
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
• SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
• SEC_E_REVOCATION_OFFLINE_C, xrefs: 10027715
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_REVOCATION_OFFLINE_C$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-2174284414
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
• SEC_E_REVOCATION_OFFLINE_KDC, xrefs: 1002771F
• SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_REVOCATION_OFFLINE_KDC$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-594758841
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
• SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
• SEC_E_SECURITY_QOS_FAILED, xrefs: 10027733
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_SECURITY_QOS_FAILED$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-993058843
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
• SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
• SEC_E_SHUTDOWN_IN_PROGRESS, xrefs: 1002773D
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_SHUTDOWN_IN_PROGRESS$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-2778760208
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
• SEC_E_SMARTCARD_CERT_EXPIRED, xrefs: 10027747
• SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_SMARTCARD_CERT_EXPIRED$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-1879880751
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
• SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
• SEC_E_SMARTCARD_CERT_REVOKED, xrefs: 10027751
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_SMARTCARD_CERT_REVOKED$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-1193321575
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
• SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
• SEC_E_SMARTCARD_LOGON_REQUIRED, xrefs: 1002775B
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_SMARTCARD_LOGON_REQUIRED$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-162033295
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
• SEC_E_STRONG_CRYPTO_NOT_SUPPORTED, xrefs: 10027765
• SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_STRONG_CRYPTO_NOT_SUPPORTED$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-1888885811
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_TIME_SKEW$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-3829546215
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
• SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
• SEC_E_TOO_MANY_PRINCIPALS, xrefs: 10027783
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_TOO_MANY_PRINCIPALS$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-2249462595
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
• SEC_E_UNFINISHED_CONTEXT_DELETED, xrefs: 1002778D
• SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_UNFINISHED_CONTEXT_DELETED$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-1288379965
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
• SEC_E_UNSUPPORTED_PREAUTH, xrefs: 100277AB
• SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_UNSUPPORTED_PREAUTH$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-2877769204
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_UNTRUSTED_ROOT$SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-1424888476
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
• SEC_E_WRONG_PRINCIPAL, xrefs: 1002790E
• SEC_E_WRONG_CREDENTIAL_HANDLE, xrefs: 100277BF
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strncpycurl_msnprintf
                                                                                    • String ID: SEC_E_WRONG_CREDENTIAL_HANDLE$SEC_E_WRONG_PRINCIPAL
                                                                                    • API String ID: 4101537214-1940017991
                                                                                    • Opcode ID: 76074a065df21ab0434c8ffcbfd6d6405af9266ef926ac4c49cd3e0c681639df
                                                                                    • Instruction ID: acac5f0f5666cad86b2442d20eba12db3e6970b756f81cb0f3f432fb9a7e6897
                                                                                    • Opcode Fuzzy Hash: 76074a065df21ab0434c8ffcbfd6d6405af9266ef926ac4c49cd3e0c681639df
                                                                                    • Instruction Fuzzy Hash: D5F027786043429FD721DB24A85572E7310FF81352FC20038F94A852C1DF355C948666
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f0a4b2e819f7b98e72a8ef65ba10a3b96219fa25d716f7b114923d01e31e1358
                                                                                    • Instruction ID: 6494b4140e307df9fb47949128c39bdd758fccc4fa8c341a0f25e7a8ad770513
                                                                                    • Opcode Fuzzy Hash: f0a4b2e819f7b98e72a8ef65ba10a3b96219fa25d716f7b114923d01e31e1358
                                                                                    • Instruction Fuzzy Hash: 2C71B131902216DBDB329FD8C884ABEBFB5FF45360F940279F9A157281D7718981CBA0
                                                                                    APIs
                                                                                    • __invoke_watson.LIBCMT ref: 100519F4
                                                                                      • Part of subcall function 100467ED: _memset.LIBCMT ref: 10046879
                                                                                      • Part of subcall function 100467ED: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 10046897
                                                                                      • Part of subcall function 100467ED: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 100468A1
                                                                                      • Part of subcall function 100467ED: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 100468AB
                                                                                      • Part of subcall function 100467ED: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 100468C6
                                                                                      • Part of subcall function 100467ED: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 100468CD
                                                                                    • _cvtdate.LIBCMT ref: 10051A80
                                                                                    • _cvtdate.LIBCMT ref: 10051ADD
                                                                                    • _cvtdate.LIBCMT ref: 10051B1B
                                                                                    • _cvtdate.LIBCMT ref: 10051B33
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _cvtdate$ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate__invoke_watson_memset
                                                                                    • String ID:
                                                                                    • API String ID: 3518405098-0
                                                                                    • Opcode ID: 07a9a56bcc9db291b556edbe6a1e10972b0f96d1f1a7251de1f92874c49250bd
                                                                                    • Instruction ID: 72067ec3c64bf4785c603dc7080c67c250a751fecacead202f4fe720c95f800a
                                                                                    • Opcode Fuzzy Hash: 07a9a56bcc9db291b556edbe6a1e10972b0f96d1f1a7251de1f92874c49250bd
                                                                                    • Instruction Fuzzy Hash: 8651DFF2601132BAFBA0CB558DC1DBB3BFEF749685B104616F504C5091F3B49A88D7A1
                                                                                    APIs
                                                                                    • __lock.LIBCMT ref: 1004ADC9
                                                                                      • Part of subcall function 10049029: __mtinitlocknum.LIBCMT ref: 1004903D
                                                                                      • Part of subcall function 10049029: __amsg_exit.LIBCMT ref: 10049049
                                                                                      • Part of subcall function 10049029: EnterCriticalSection.KERNEL32(-0000000F,-0000000F,?,10044A87,00000004,10064158,0000000C,1004B092,?,?,00000000,00000000,00000000,100463B9,00000001,00000214), ref: 10049051
                                                                                    • __mtinitlocknum.LIBCMT ref: 1004AE09
                                                                                    • __malloc_crt.LIBCMT ref: 1004AE4D
                                                                                    • ___crtInitCritSecAndSpinCount.LIBCMT ref: 1004AE72
                                                                                    • EnterCriticalSection.KERNEL32(?,100643E8,00000010,1004314B,10064078,0000000C,100431C5,1000475C,1000475C,00000040,1000475C,?,10055854), ref: 1004AE9C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalEnterSection__mtinitlocknum$CountCritInitSpin___crt__amsg_exit__lock__malloc_crt
                                                                                    • String ID:
                                                                                    • API String ID: 1486408876-0
                                                                                    • Opcode ID: 4eb7a7c06388f6507576787e6827b9306653352789de1fa2d891a4e289e7ac27
                                                                                    • Instruction ID: 340cb93d49f4029c665e8e48d0573285439e6c688c90ce0dff95cae929e45956
                                                                                    • Opcode Fuzzy Hash: 4eb7a7c06388f6507576787e6827b9306653352789de1fa2d891a4e289e7ac27
                                                                                    • Instruction Fuzzy Hash: 6C31C076500B129FE761CFAAC88191AB7E5FF0A320761823DE464D72A1CB70F981CF58
                                                                                    APIs
                                                                                    • ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(00000409,00000000,00000001), ref: 00FFC6B9
                                                                                    • SendMessageW.USER32(00000000), ref: 00FFC6C0
                                                                                    • MessageBeep.USER32(00000040), ref: 00FFC722
                                                                                    • ??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ.YCOMUIU(00000409,00000000,00000001), ref: 00FFC746
                                                                                    • SendMessageW.USER32(00000000), ref: 00FFC74D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$D__@@Lib@@SendWindowWnd@$Beep
                                                                                    • String ID:
                                                                                    • API String ID: 1648407695-0
                                                                                    • Opcode ID: ee7dedcc30628252e328115196924b185cbbb9ac81dcda2173f5e59c7cb80520
                                                                                    • Instruction ID: 2b682debc36d363bb9145e187ef51ea4b7631c2388ff36420e1fa71bc5315560
                                                                                    • Opcode Fuzzy Hash: ee7dedcc30628252e328115196924b185cbbb9ac81dcda2173f5e59c7cb80520
                                                                                    • Instruction Fuzzy Hash: A9312C31E4531C9FDB309F64CA81B76B7E4AF04B14F044499EB89AB291CB72F8408BD0
                                                                                    APIs
                                                                                    • SetViewportOrgEx.GDI32(?,00000000,00000000,00000000), ref: 00FDA230
                                                                                    • SetViewportOrgEx.GDI32(?,?,00000000,?), ref: 00FDA21D
                                                                                      • Part of subcall function 00FD7AD0: ??0CDuiRect@DuiLib@@QAE@HHHH@Z.YCOMUIU(00000000,00000000,?,?,B69A1A1E), ref: 00FD7B27
                                                                                      • Part of subcall function 00FD7AD0: ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU ref: 00FD7B36
                                                                                      • Part of subcall function 00FD7AD0: ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU ref: 00FD7B3B
                                                                                      • Part of subcall function 00FD7AD0: GetClientRect.USER32(00000000,?), ref: 00FD7B44
                                                                                      • Part of subcall function 00FD7AD0: GetWindowRect.USER32(00000000,?), ref: 00FD7B51
                                                                                      • Part of subcall function 00FD7AD0: GdipGetImageHeight.GDIPLUS(?,?), ref: 00FD7B71
                                                                                      • Part of subcall function 00FD7AD0: GdipGetImageWidth.GDIPLUS(?,?,?,?), ref: 00FD7B9D
                                                                                      • Part of subcall function 00FD7AD0: GdipCloneBitmapAreaI.GDIPLUS(00000000,00000000,00000000,00000000,0026200A,?,?,?,?,?,?), ref: 00FD7BD3
                                                                                    • BeginPaint.USER32(?,?,B69A1A1E), ref: 00FDA24D
                                                                                    • SetViewportOrgEx.GDI32(00000000,00000000,00000002,00000000), ref: 00FDA26D
                                                                                    • EndPaint.USER32(?,?), ref: 00FDA29B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: GdipLib@@Rect@Viewport$ImagePaintRect$AreaBeginBitmapClientCloneHeightWidthWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3911760940-0
                                                                                    • Opcode ID: fa0af90f43d050f6641b151d1e5ca5cb4beeed66d73e73b8dc44dda6a3a7260d
                                                                                    • Instruction ID: ff61ee0ef9e6255faa37d80d2615e2a846d8c00bb1c026e6931d1f6f498c9572
                                                                                    • Opcode Fuzzy Hash: fa0af90f43d050f6641b151d1e5ca5cb4beeed66d73e73b8dc44dda6a3a7260d
                                                                                    • Instruction Fuzzy Hash: 34315BB1904248EFDB11CFD8C845BAEFBF9FB48710F104119E455AB380DB766A04DB50
                                                                                    APIs
                                                                                    • IsWindow.USER32 ref: 010145F5
                                                                                    • ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(769523D0,010C8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0101461F
                                                                                    • ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU ref: 01014627
                                                                                    • ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU ref: 0101462F
                                                                                    • PostMessageW.USER32(769523D0,00000403,00000000,00000000), ref: 01014652
                                                                                      • Part of subcall function 01014670: IsWindow.USER32(00000001), ref: 0101470A
                                                                                      • Part of subcall function 01014670: ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(00000001,010C8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01014734
                                                                                      • Part of subcall function 01014670: ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU(?,?,?,?,?,?,?,?,?,0111E7C0,010BABB4,000000FF,?,010089C9,00000001,00000001), ref: 0101473C
                                                                                      • Part of subcall function 01014670: ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU(?,?,?,?,?,?,?,?,?,0111E7C0,010BABB4,000000FF,?,010089C9,00000001,00000001), ref: 01014744
                                                                                      • Part of subcall function 01014670: PostMessageW.USER32(00000001,00000404,00000000,00000000), ref: 0101476A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Lib@@Wnd@$CenterCreate@D__@@MessageModal@PostShowU__@@@Window@
                                                                                    • String ID:
                                                                                    • API String ID: 3637571515-0
                                                                                    • Opcode ID: 3b5894852a3e76587a2cc9de99b8f0125fee06ef1000f19d48f5f133161af7d9
                                                                                    • Instruction ID: d820261923feb478c5fad10a0e1fb5ee932032b3603ffba90e86538516e9e20f
                                                                                    • Opcode Fuzzy Hash: 3b5894852a3e76587a2cc9de99b8f0125fee06ef1000f19d48f5f133161af7d9
                                                                                    • Instruction Fuzzy Hash: 6C212871B80244BFDB359F64AC05BADBBE4EB4DB10F00016EFA95D7385DB7A59008B45
                                                                                    APIs
                                                                                    • GlobalAlloc.KERNEL32(00000042,?,B69A1A1E), ref: 00FB05F4
                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00FB0610
                                                                                    • GdipAlloc.GDIPLUS(00000010), ref: 00FB0638
                                                                                    • GdipCreateBitmapFromStream.GDIPLUS(00000000,?,00000010), ref: 00FB0669
                                                                                    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,00000000,000000FF,00000010), ref: 00FB0693
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateGdip$AllocBitmapFromGlobalStream
                                                                                    • String ID:
                                                                                    • API String ID: 2713546604-0
                                                                                    • Opcode ID: a4f3f0335390b30ee41e55a87c76386416f404d42acd3bf814e20784236fb36d
                                                                                    • Instruction ID: 25a7d6d5965df76af071954e58bb0274d7c5aad1fd9a21bac441906a29cb35ae
                                                                                    • Opcode Fuzzy Hash: a4f3f0335390b30ee41e55a87c76386416f404d42acd3bf814e20784236fb36d
                                                                                    • Instruction Fuzzy Hash: 4D314CB1A0021AEFDB20DF95C944BEFBBF9FF48720F104559E955A7280DB75A900CBA0
APIs
• GdipGraphicsClear.GDIPLUS(?,05000000,FFFFFFFF,?,?,?,?,?,?,?,?,?,?,?,00FDD60C,?), ref: 00FE20D9
• GetDC.USER32(?), ref: 00FE20F5
• GetWindowRect.USER32(?,?), ref: 00FE2112
• UpdateLayeredWindow.USER32(?,00000000,?,?,?,?,00000000,01FF0000,00000002), ref: 00FE215A
• ReleaseDC.USER32(?,00000000), ref: 00FE2164
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Window$ClearGdipGraphicsLayeredRectReleaseUpdate
• String ID:
• API String ID: 3259010597-0
• Opcode ID: af9310de4343961a74d8e50cceb2c616cb75af65d6ea25c7b156373e159163f4
• Instruction ID: b3a668fe5b19ee062a6e2b648818ceb539d27d75fff3ea380691f7d1d967d72c
• Opcode Fuzzy Hash: af9310de4343961a74d8e50cceb2c616cb75af65d6ea25c7b156373e159163f4
• Instruction Fuzzy Hash: 00213E71E00219AFDB14DFA5CD45AEEFBB9FF49310F10422AE805B3210EB31A950DBA0

APIs
• CreateWindowExW.USER32(00080020,00000000,80880000,80000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 00FD05BD
• GetWindowLongW.USER32(?,000000F0), ref: 00FD05CB
• GetWindowLongW.USER32(?,000000FC), ref: 00FD0609
• SetWindowLongW.USER32(?,000000FC,00FD1090), ref: 00FD061C
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Window$Long$Create
• String ID:
• API String ID: 1733017098-0
• Opcode ID: be9b98cd3c4e3662335faa0cc1d291c08165efc26127ea261532c74ccbe86085
• Instruction ID: 43a5121bb58ff4c939d2165a96b0411a93eb5cee135fda2f9c2b01098d7f4b0c
• Opcode Fuzzy Hash: be9b98cd3c4e3662335faa0cc1d291c08165efc26127ea261532c74ccbe86085
• Instruction Fuzzy Hash: FE11E330544700BFEB315F50DC08F49BE66EB00721F248005FAA9663D5CB7AE0A0EF48

APIs
• GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 1003EEE7
• GetCurrentProcessId.KERNEL32 ref: 1003EEF3
• GetCurrentThreadId.KERNEL32 ref: 1003EEFB
• GetTickCount.KERNEL32 ref: 1003EF03
• QueryPerformanceCounter.KERNEL32(?), ref: 1003EF0F
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• API String ID: 1445889803-0
• Opcode ID: d74bad8e41324a01ff4e891a462ccedb6796ccf66fb89d1ba0f007521b685e00
• Instruction ID: 5fa5e588f6514f0c98b3afe36d1e7ec01dbf71d727e6430b1fd5420f78eb2bc7
• Opcode Fuzzy Hash: d74bad8e41324a01ff4e891a462ccedb6796ccf66fb89d1ba0f007521b685e00
• Instruction Fuzzy Hash: F0F0EC769001699FEB11DBB4DC9859FBBF8FF0C352B521A71E501EB150EB75A9008A80

APIs
• curl_maprintf.LIBCURL(%s%lx,100559C1,00000000), ref: 100379E5
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: curl_maprintf
• String ID: %s%lx$FALSE$TRUE
• API String ID: 3307269620-3905555377
• Opcode ID: 145a638f604e1deeec7d09740805c6d2f2a33df0f975a56527b93e82afcce46f
• Instruction ID: 08a9915f20460e5e34d9b10caaa3125d023278b802237e009d2ff029c72870be
• Opcode Fuzzy Hash: 145a638f604e1deeec7d09740805c6d2f2a33df0f975a56527b93e82afcce46f
• Instruction Fuzzy Hash: E4C103759087459FD332CB248C8061FB7E5FF89252F290929F99A9B351EA35ED00C7A3

APIs
  • Part of subcall function 00FBD2C0: std::_Lockit::_Lockit.LIBCPMT ref: 00FBD2F1
  • Part of subcall function 00FBD2C0: std::_Lockit::_Lockit.LIBCPMT ref: 00FBD30F
  • Part of subcall function 00FBD2C0: std::_Lockit::~_Lockit.LIBCPMT ref: 00FBD337
  • Part of subcall function 00FBD2C0: std::_Lockit::~_Lockit.LIBCPMT ref: 00FBD44D
• __CxxThrowException@8.LIBVCRUNTIME ref: 00FBE373
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$Exception@8Throw
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2777619170-1866435925
• Opcode ID: af8820b476d688e4a00a863e68a0a9dbf370885253d7a9dff1c733738db9ee06
• Instruction ID: b90d2874dfe1cd1b999677c489fb2dfdc34daa52602cb0ba7cc28f788090d0c2
• Opcode Fuzzy Hash: af8820b476d688e4a00a863e68a0a9dbf370885253d7a9dff1c733738db9ee06
• Instruction Fuzzy Hash: 2BA167B0A00248EFDB00DFA9C985BDEBBB4BF44314F148169E415AB281D779AA05DF90

APIs
• curl_maprintf.LIBCURL(%s%s,?), ref: 1000D72E
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: curl_maprintf
• String ID: %s%s$Wildcard - "%s" skipped by user$Wildcard - START of "%s"
• API String ID: 3307269620-1133524294
• Opcode ID: 12193679a16df16ddec95afe7092c8dc9d004ba59e5d5d1ba5d2b4d40910fdff
• Instruction ID: fca2eb1ba07e375057dd9c7a7f60bb8680fd51b5f5da1f6808338dc6962b83a5
• Opcode Fuzzy Hash: 12193679a16df16ddec95afe7092c8dc9d004ba59e5d5d1ba5d2b4d40910fdff
• Instruction Fuzzy Hash: 4D61A6B56002058FE710DFA8E8C0A67B7E4FB44394F24857EE6498B346EB36F855CB90

Strings
• getaddrinfo() failed for %s:%d; %s, xrefs: 10034E03
• init_resolve_thread() failed for %s; %s, xrefs: 10034DCA
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID:
• String ID: getaddrinfo() failed for %s:%d; %s$init_resolve_thread() failed for %s; %s
• API String ID: 0-1389973398
• Opcode ID: 74051e535da1f6d2830cc1f4eaf6ce42a34196e37a4d18e18c28af4250921dd4
• Instruction ID: aa9961a7cc98a1f41821c3090a4428c87d54d9c79a6850f5b570301f2b1d56f0
• Opcode Fuzzy Hash: 74051e535da1f6d2830cc1f4eaf6ce42a34196e37a4d18e18c28af4250921dd4
• Instruction Fuzzy Hash: 1C5174BA6043446FD740DB65DC42E6BB3E8EFC8751F80492DF645CA241EB75B9048B62

Strings
• FTP response aborted due to select/poll error: %d, xrefs: 1000CC58
• FTP response timeout, xrefs: 1000CC32
• We got a 421 - timeout!, xrefs: 1000CBFB
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: ErrorLast
• String ID: FTP response aborted due to select/poll error: %d$FTP response timeout$We got a 421 - timeout!
• API String ID: 1452528299-2064316097
• Opcode ID: fb772f4210361e575c1bc8980877e7dca229a31b00c9ca90b7d9b7febbd8df52
• Instruction ID: 35ad8987197f53818be03551916f9301986bcefc2765bc3fc343dfdb63d5d069
• Opcode Fuzzy Hash: fb772f4210361e575c1bc8980877e7dca229a31b00c9ca90b7d9b7febbd8df52
• Instruction Fuzzy Hash: D851C475A043099FE700DF28DC81B9BB3E4FB853A4F404A2DF85997245E735EA49CB92

APIs
• ??0CDuiRect@DuiLib@@QAE@XZ.YCOMUIU ref: 00FDC61C
• ??0CDuiPoint@DuiLib@@QAE@XZ.YCOMUIU ref: 00FDC665
• ??0CDuiPoint@DuiLib@@QAE@XZ.YCOMUIU ref: 00FDC66D
  • Part of subcall function 00FDF710: GlobalUnlock.KERNEL32(?), ref: 00FDF753
  • Part of subcall function 00FDF710: GlobalFree.KERNEL32(?), ref: 00FDF75C
  • Part of subcall function 00FDF710: FindResourceW.KERNEL32(00000000,?,00000000,B69A1A1E,?,?,?,?,010B3DD3,000000FF,?,00FDC7C1,000000D9,PNG), ref: 00FDF773
  • Part of subcall function 00FDF710: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,010B3DD3,000000FF,?,00FDC7C1,000000D9,PNG), ref: 00FDF785
  • Part of subcall function 00FDF710: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,010B3DD3,000000FF,?,00FDC7C1,000000D9,PNG), ref: 00FDF798
  • Part of subcall function 00FDF710: LockResource.KERNEL32(00000000,?,?,?,?,010B3DD3,000000FF,?,00FDC7C1,000000D9,PNG), ref: 00FDF79F
  • Part of subcall function 00FDF710: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,010B3DD3,000000FF,?,00FDC7C1,000000D9,PNG), ref: 00FDF7B5
  • Part of subcall function 00FDF710: GlobalLock.KERNEL32(00000000), ref: 00FDF7C7
  • Part of subcall function 00FDF710: CreateStreamOnHGlobal.OLE32(?,00000000,00000000), ref: 00FDF7F0
  • Part of subcall function 00FDF710: GdipAlloc.GDIPLUS(00000010), ref: 00FDF803
  • Part of subcall function 00FDF710: GdipCreateBitmapFromStream.GDIPLUS(00000000,?,00000010), ref: 00FDF834
  • Part of subcall function 00FDF710: GlobalUnlock.KERNEL32(?), ref: 00FDF89F
  • Part of subcall function 00FDF710: GlobalFree.KERNEL32(?), ref: 00FDF8A8
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Global$Resource$Lib@@$AllocCreateFreeGdipLockPoint@StreamUnlock$BitmapFindFromLoadRect@Sizeof
• String ID: PNG
• API String ID: 2582079666-364855578
• Opcode ID: aa07ad756ab2acc42f9cd573d20f5a2f7018f62bf9a3d3da0850a65328f36504
• Instruction ID: 6f495ba75e1121645693f1439f6491c738ce99b684fd7df44fed91ca07245f33
• Opcode Fuzzy Hash: aa07ad756ab2acc42f9cd573d20f5a2f7018f62bf9a3d3da0850a65328f36504
• Instruction Fuzzy Hash: 788100B090178AEFE714CF64C958B8ABFF0BB04308F148259D4585B781C7BAA668DFD1

                                                                                    APIs
                                                                                    • recvfrom.WS2_32(?,?,?,00000000,?), ref: 1002A271
                                                                                      • Part of subcall function 1000A830: curl_mvsnprintf.LIBCURL(?,00000801,?,?,00000000), ref: 1000A873
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_mvsnprintfrecvfrom
                                                                                    • String ID: %s$Internal error: Unexpected packet$Received too short packet
                                                                                    • API String ID: 3832050-1418437813
                                                                                    • Opcode ID: e9148bc0004bf59b84171f76806a3131bfab9f33664396b621544128f5d1477b
                                                                                    • Instruction ID: c5c8185e6c96c6528cab77553d87f9037f5311898bf07f4c745b3882df6747bf
                                                                                    • Opcode Fuzzy Hash: e9148bc0004bf59b84171f76806a3131bfab9f33664396b621544128f5d1477b
                                                                                    • Instruction Fuzzy Hash: B951D0756006019FE354CB38EC81BABB3E9EF86314F44862DF59A83242DB35F9498B91
                                                                                    APIs
                                                                                    • _sscanf.LIBCMT ref: 1002F43B
                                                                                      • Part of subcall function 100424E0: _vscan_fn.LIBCMT ref: 100424F5
                                                                                    Strings
                                                                                    • OK [UIDVALIDITY %19[0123456789]], xrefs: 1002F435
                                                                                    • Mailbox UIDVALIDITY has changed, xrefs: 1002F4C9
                                                                                    • Select failed, xrefs: 1002F558
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _sscanf_vscan_fn
                                                                                    • String ID: Mailbox UIDVALIDITY has changed$OK [UIDVALIDITY %19[0123456789]]$Select failed
                                                                                    • API String ID: 3764390770-3309259123
                                                                                    • Opcode ID: 97d8974c6728400fb4455196581f24c3db4ea9e6091a4f59755382209b4a974d
                                                                                    • Instruction ID: 3ada6feb993a73e144ae10c256f1e30f4878607809b1d88ef4a6c8d137bd173f
                                                                                    • Opcode Fuzzy Hash: 97d8974c6728400fb4455196581f24c3db4ea9e6091a4f59755382209b4a974d
                                                                                    • Instruction Fuzzy Hash: 4841FA766001404FD740EF2CFC825BB73D5EF992A1FD4057EE649C7282E92AA90987E2
                                                                                    APIs
                                                                                    • ?Create@CWindowWnd@DuiLib@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z.YCOMUIU(FFFFFFFF,010C8660,96C80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0100A733
                                                                                    • ?CenterWindow@CWindowWnd@DuiLib@@QAEXXZ.YCOMUIU ref: 0100A73B
                                                                                    • ?ShowModal@CWindowWnd@DuiLib@@QAEIXZ.YCOMUIU ref: 0100A743
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Lib@@WindowWnd@$CenterCreate@D__@@Modal@ShowU__@@@Window@
                                                                                    • String ID: ErrVideoFile
                                                                                    • API String ID: 4232685419-2017487813
                                                                                    • Opcode ID: ae272e8eaf6acaeebf704d2d4340d66bedb97b4304ed3c2926a1becb1b0b00c7
                                                                                    • Instruction ID: 6b34f9a4c0fccc33bbbd4e3a2012ae9c1e56200ff80e3bf078a81bd3fdafcced
                                                                                    • Opcode Fuzzy Hash: ae272e8eaf6acaeebf704d2d4340d66bedb97b4304ed3c2926a1becb1b0b00c7
                                                                                    • Instruction Fuzzy Hash: 8341A071A006099FDB15DF68C804BAEFBB5FF88320F144269E569A73D0DB75A900CB90
                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,B69A1A1E), ref: 00FFA5BC
                                                                                      • Part of subcall function 00FC4150: __CxxThrowException@8.LIBVCRUNTIME ref: 00FC4167
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Exception@8ObjectSingleThrowWait
                                                                                    • String ID: %s//%s//$*.*$data2
                                                                                    • API String ID: 11775685-3752667982
                                                                                    • Opcode ID: 16e84f753a00ca52c365998df66c39ea8d50ed403fa10ed6189eaba5600aafa2
                                                                                    • Instruction ID: d1e131548516313997c4b26dae92953ca83afb1ba9ed6f1e6b47adb72c1e8b55
                                                                                    • Opcode Fuzzy Hash: 16e84f753a00ca52c365998df66c39ea8d50ed403fa10ed6189eaba5600aafa2
                                                                                    • Instruction Fuzzy Hash: 7A41B2B1900A1A9FC720DF69C945B6AB7F4FF40320F18462DE5699B7A1DB35E800DF81
                                                                                    APIs
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00FB47AE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throw
                                                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                    • API String ID: 2005118841-1866435925
                                                                                    • Opcode ID: bd1fdabd7cb4b435cf572fd5e67b368fa2c86f535df7cae2f2aa85bc8e3f3972
                                                                                    • Instruction ID: 51b7f2ab6b30b484ea4ef25eeb95edd95cdf5e54566fc2c216222674d54f941a
                                                                                    • Opcode Fuzzy Hash: bd1fdabd7cb4b435cf572fd5e67b368fa2c86f535df7cae2f2aa85bc8e3f3972
                                                                                    • Instruction Fuzzy Hash: BA417B78A006048FCB24DF5AC685FA9B7E5BF09728F64855DE8568B792CB35ED00DF80
                                                                                    APIs
                                                                                    • curl_maprintf.LIBCURL(%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s,?,?,?,?,?,?,00000000,10055A98,00000000,?,00000030,?,?,00000000,?), ref: 10037656
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_maprintf
                                                                                    • String ID: GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$0
                                                                                    • API String ID: 3307269620-879362929
                                                                                    • Opcode ID: acdf4743c822dbcdec52d9644668b5814928578915fbe4dfcd6dbc40cbbcc2d3
                                                                                    • Instruction ID: 554b58a5b5f353e23bd6ca54128798ff229a04b6b5b48779d84e37de0b275d3d
                                                                                    • Opcode Fuzzy Hash: acdf4743c822dbcdec52d9644668b5814928578915fbe4dfcd6dbc40cbbcc2d3
                                                                                    • Instruction Fuzzy Hash: 0E3158B2908AC51ED73FC9348C69AABBBDAFB41242F454A1DE44A8F641D2969D08C391
                                                                                    APIs
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00F9E670
                                                                                    Strings
                                                                                    • CHttpClientT::AddParam: It is not allowed to call this method if the POST context is active., xrefs: 00F9E6C7
                                                                                    • CHttpToolW::AddHeader: hRequest can not be NULL., xrefs: 00F9E626
                                                                                    • CHttpToolW::AddHeader: szName can not be NULL., xrefs: 00F9E634
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throw
                                                                                    • String ID: CHttpClientT::AddParam: It is not allowed to call this method if the POST context is active.$CHttpToolW::AddHeader: hRequest can not be NULL.$CHttpToolW::AddHeader: szName can not be NULL.
                                                                                    • API String ID: 2005118841-4239911162
                                                                                    • Opcode ID: 9a08c4fe61ed268abe716dbd01e61971f1265f8647b93520ce296916e93bf831
                                                                                    • Instruction ID: f7a6db8f74d9a485ea7784fbf95766d2a7a0e342eccfb97ca3bfc19bb608e01c
                                                                                    • Opcode Fuzzy Hash: 9a08c4fe61ed268abe716dbd01e61971f1265f8647b93520ce296916e93bf831
                                                                                    • Instruction Fuzzy Hash: F12179F1E4020A97FF20EF65CD46BAF76B89B20B14F140028F514BB2C1D7B5E94496E5
                                                                                    APIs
                                                                                    • getsockname.WS2_32 ref: 1000AF28
                                                                                    • accept.WS2_32(?,?,?), ref: 1000AF45
                                                                                      • Part of subcall function 1000A830: curl_mvsnprintf.LIBCURL(?,00000801,?,?,00000000), ref: 1000A873
                                                                                      • Part of subcall function 1002D9A0: ioctlsocket.WS2_32(?,8004667E,?), ref: 1002D9BC
                                                                                    Strings
                                                                                    • Connection accepted from server, xrefs: 1000AF71
                                                                                    • Error accept()ing server connect, xrefs: 1000AF5C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                     • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: acceptcurl_mvsnprintfgetsocknameioctlsocket
                                                                                    • String ID: Connection accepted from server$Error accept()ing server connect
                                                                                    • API String ID: 1401384079-2331703088
                                                                                    • Opcode ID: 8a32f521d5f0390fa74a0be271aade95bec0474d381475f307a4cdb770733238
                                                                                    • Instruction ID: 98282cbbfb71397d0fa9f96fae906ca1b3470875baae6d3218b7dda174f0c9f0
                                                                                    • Opcode Fuzzy Hash: 8a32f521d5f0390fa74a0be271aade95bec0474d381475f307a4cdb770733238
                                                                                    • Instruction Fuzzy Hash: 8D2129B52043065BF320DF65DC81BEBB7E8EF86394F00472DF958821C1DB75A9498BA2
                                                                                    APIs
                                                                                    • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00FF4838
                                                                                    • SetEvent.KERNEL32(?), ref: 00FF4841
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                     • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                     • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryEvent
                                                                                    • String ID: %s//%s//$data2
                                                                                    • API String ID: 3642801631-229016458
                                                                                    • Opcode ID: 28e93d118b4ff0254b6f3b1d94596710ee15dc061aae2cc5b3786e095b0c58d9
                                                                                    • Instruction ID: 127345c8ce048c01f098f88aeb666ecbd2d291a217c9c82f27f41a1f93af9b8c
                                                                                    • Opcode Fuzzy Hash: 28e93d118b4ff0254b6f3b1d94596710ee15dc061aae2cc5b3786e095b0c58d9
                                                                                    • Instruction Fuzzy Hash: 0311BE31A00609AFC7149F69CC05F6ABBB8FF05720F14462DF92597691DB76A800CB80
                                                                                    APIs
                                                                                    • GetPrivateProfileStringW.KERNEL32(Config,SampleRatio,010C8660,B69A1A1E,00000104,00000000), ref: 010125E7
                                                                                      • Part of subcall function 010270B0: GetPrivateProfileStringW.KERNEL32(Config,SampleRatio,010C8660,?,00000104,?), ref: 0102718C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrivateProfileString
                                                                                    • String ID: Config$Config.ini$SampleRatio
                                                                                    • API String ID: 1096422788-1085615553
                                                                                    • Opcode ID: 26cc946ac97ad334110bf7348fb445a1638dd5a56ee2ebb29b74d532f0a69f28
                                                                                    • Instruction ID: 0ff13f5c429ede3e5399d930e1cca37656894d675dc440d5c487aec2a63a683c
                                                                                    • Opcode Fuzzy Hash: 26cc946ac97ad334110bf7348fb445a1638dd5a56ee2ebb29b74d532f0a69f28
                                                                                    • Instruction Fuzzy Hash: 5D21D470A8020D9FDB10EF64CC49FEAB7B8FF14710F5086A9E4559B2D4EB759A508F40
                                                                                    APIs
                                                                                    Strings
                                                                                    • The requested URL returned error: %d, xrefs: 10007651
                                                                                    • HTTP, xrefs: 100075E0
                                                                                    • The requested URL returned error: %s, xrefs: 10007632
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strncmp
                                                                                    • String ID: HTTP$The requested URL returned error: %d$The requested URL returned error: %s
                                                                                    • API String ID: 909875538-4174864708
                                                                                    • Opcode ID: d996c09e0d084610cb92b883ddb8aadd75c2454c47ac4c2a1513852dd5ee8ee7
                                                                                    • Instruction ID: 39591eca520fa7e0f0a8b4f09a544920d57e84c3d12d67199960e43824828386
                                                                                    • Opcode Fuzzy Hash: d996c09e0d084610cb92b883ddb8aadd75c2454c47ac4c2a1513852dd5ee8ee7
                                                                                    • Instruction Fuzzy Hash: 6B012827E8125036E22081986C02FCB73C8DFA25E3F194025FD0DBA246FA5B2984C2F6
                                                                                    APIs
                                                                                    • curl_maprintf.LIBCURL(%sAuthorization: Negotiate %s,Proxy-,?), ref: 100267EF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_maprintf
                                                                                    • String ID: %sAuthorization: Negotiate %s$Negotiate$Proxy-
                                                                                    • API String ID: 3307269620-2422926165
                                                                                    • Opcode ID: a3dbaf6a2463fe332a5c0af913287c53dbf4275d25c2f4cfa42683b0437d0f6d
                                                                                    • Instruction ID: 0be3d061ef62f8b0a9875cbb4fa6244612e874d8a621c0936cc4b4666548659f
                                                                                    • Opcode Fuzzy Hash: a3dbaf6a2463fe332a5c0af913287c53dbf4275d25c2f4cfa42683b0437d0f6d
                                                                                    • Instruction Fuzzy Hash: 871190B56043129FE304CF69EC84A9BB7A8FB88254F04462DF959C7241EB71E808C7A2
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 10025BFA
                                                                                      • Part of subcall function 1000A8C0: curl_mvsnprintf.LIBCURL(?,00000100,?,?,?), ref: 1000A8F6
                                                                                    Strings
                                                                                    • Error while processing content unencoding: %s, xrefs: 10025C2F
                                                                                    • 1.2.11, xrefs: 10025C01
                                                                                    • Error while processing content unencoding: Unknown failure within decompression software., xrefs: 10025C45
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memsetcurl_mvsnprintf
                                                                                    • String ID: 1.2.11$Error while processing content unencoding: %s$Error while processing content unencoding: Unknown failure within decompression software.
                                                                                    • API String ID: 926105211-2427623519
                                                                                    • Opcode ID: 100d77a946268c9c901de8d02869eb607bae03a4bb8f713ee3705b8e61f2f233
                                                                                    • Instruction ID: c0c25e528d41f27cfeadb23cf5aad54a1a7e28b6ec1544be3cbeadca727bbb2b
                                                                                    • Opcode Fuzzy Hash: 100d77a946268c9c901de8d02869eb607bae03a4bb8f713ee3705b8e61f2f233
                                                                                    • Instruction Fuzzy Hash: B901AD75A00700ABC210CA28FC01B86B3E8EF9536AF80851AF84AA7241D775B9498BE5
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,000000C8, zlib/%s,00000000), ref: 100186DA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_msnprintf
                                                                                    • String ID: zlib/%s$libcurl/7.55.1$libcurl/7.55.1 WinSSL zlib/1.2.11
                                                                                    • API String ID: 1809024409-887414331
                                                                                    • Opcode ID: 2351ac7435ce026bbc98e169d1292a02b2dcaa819301dd0fd881aba2f0bc884e
                                                                                    • Instruction ID: 5709dfda54ebfbdbb29430ea4e780c90661329260c33279c3972d8a4e77926f2
                                                                                    • Opcode Fuzzy Hash: 2351ac7435ce026bbc98e169d1292a02b2dcaa819301dd0fd881aba2f0bc884e
                                                                                    • Instruction Fuzzy Hash: AD11C27A8012628BE300DB28CD84B417BE6FB49241F444695DC8DDB322F3B4A745CB94
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00FA021D
                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,CHttpToolA::CreateFileAlwaysToWrite: szFilePath can not be NULL.,00000000), ref: 00FA024D
                                                                                    Strings
                                                                                    • CHttpToolA::CreateFileAlwaysToWrite: szFilePath can not be NULL., xrefs: 00FA0225
                                                                                    • CHttpToolW::CreateFileAlwaysToWrite: szFilePath can not be NULL., xrefs: 00FA0257
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID: CHttpToolA::CreateFileAlwaysToWrite: szFilePath can not be NULL.$CHttpToolW::CreateFileAlwaysToWrite: szFilePath can not be NULL.
                                                                                    • API String ID: 823142352-1657713534
                                                                                    • Opcode ID: 78f6144dfa4ec72da224c8067c8918d5d163a91e6aeaae27ae3ec51bacffd3d8
                                                                                    • Instruction ID: 591171b305a8151993a2b869ca71c4543619f83e5ca43dc66e3dba086ec899f5
                                                                                    • Opcode Fuzzy Hash: 78f6144dfa4ec72da224c8067c8918d5d163a91e6aeaae27ae3ec51bacffd3d8
                                                                                    • Instruction Fuzzy Hash: E8F0EDB07C030876FA306695AC0FF95768D9B49F05F20C014BB98AE5C2DAE6F800965C
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(?,00000005,%c%03d,-00000041), ref: 1002E480
                                                                                      • Part of subcall function 10019330: curl_mvsnprintf.LIBCURL(?,?,?,?,1000A784,?,000000A0,[%s %s %s],Header,from,?,?,?,?,00000000), ref: 10019344
                                                                                    • curl_maprintf.LIBCURL(%s %s,?,?,?,00000005,%c%03d,-00000041), ref: 1002E490
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_maprintfcurl_msnprintfcurl_mvsnprintf
                                                                                    • String ID: %c%03d$%s %s
                                                                                    • API String ID: 226328973-883683383
                                                                                    • Opcode ID: aad49dbf124ba7705658b1c681ef5a9796731136f2ea13ce5f8cc790b9465c11
                                                                                    • Instruction ID: ca6ead76a640e73e30a73f773fd5e373f30456c0f575d937e8ac158d71be6475
                                                                                    • Opcode Fuzzy Hash: aad49dbf124ba7705658b1c681ef5a9796731136f2ea13ce5f8cc790b9465c11
                                                                                    • Instruction Fuzzy Hash: 450121BB6002116BD300DA09EC45EEBB3AEEFC5720F09043DF605DB211E636EA07C2A1
                                                                                    APIs
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00FA604B
                                                                                    Strings
                                                                                    • CHttpClientT::SetProxyAccount: szPassword can not be an empty string., xrefs: 00FA606A
                                                                                    • CHttpClientT::SetProxyAccount: szUserName can not be an empty string., xrefs: 00FA6052
                                                                                    • CHttpClientT::SetProxyAccount: szPassword can not be NULL., xrefs: 00FA605E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throw
                                                                                    • String ID: CHttpClientT::SetProxyAccount: szPassword can not be NULL.$CHttpClientT::SetProxyAccount: szPassword can not be an empty string.$CHttpClientT::SetProxyAccount: szUserName can not be an empty string.
                                                                                    • API String ID: 2005118841-1178449450
                                                                                    • Opcode ID: aeb977ee8da78086e8d61bb73a155ee18e74d5e19df70cc0e4be1ecb5a00cb9c
                                                                                    • Instruction ID: bdc01ad92868465785e77d3cd83adaddf939df9255b0b7b44465c0977a2fd033
                                                                                    • Opcode Fuzzy Hash: aeb977ee8da78086e8d61bb73a155ee18e74d5e19df70cc0e4be1ecb5a00cb9c
                                                                                    • Instruction Fuzzy Hash: 22F0A9F0D403066BEB20EBA1CD06B5F7BE49F01B04F188418F644AA280D7B5F9419AA5
                                                                                    APIs
                                                                                    • ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(DlgFrame), ref: 00FD6456
                                                                                    • ?SetBorderSize@CControlUI@DuiLib@@QAEXH@Z.YCOMUIU(00000000), ref: 00FD6492
                                                                                    • ?SetBorderSize@CControlUI@DuiLib@@QAEXUtagRECT@@@Z.YCOMUIU ref: 00FD64A6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ControlLib@@$BorderSize@$Control@FindI@2@ManagerPaintT@@@Utag
                                                                                    • String ID: DlgFrame
                                                                                    • API String ID: 3762731894-587853529
                                                                                    • Opcode ID: 9ecabee10709dafbc845da1bb9109c861d0ff437775e392115c479b25578152d
                                                                                    • Instruction ID: e3021a1c3b3b7dd225e60565f53da3f5a3840eeb86f31a2ca593689ab652aff6
                                                                                    • Opcode Fuzzy Hash: 9ecabee10709dafbc845da1bb9109c861d0ff437775e392115c479b25578152d
                                                                                    • Instruction Fuzzy Hash: 56F04431E013298B832167BC99091BAB7B6EF99A14B09436AEC8597309EF31A8D043C0
APIs
• WSAStartup.WS2_32(00000002,0000CA1E), ref: 10019FFA
• WSACleanup.WS2_32 ref: 1001A015
  • Part of subcall function 1000A8C0: curl_mvsnprintf.LIBCURL(?,00000100,?,?,?), ref: 1000A8F6
Strings
• WSAStartup failed (%d), xrefs: 1001A005
• insufficient winsock version to support telnet, xrefs: 1001A03E
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: CleanupStartupcurl_mvsnprintf
• String ID: WSAStartup failed (%d)$insufficient winsock version to support telnet
• API String ID: 2269550233-1763879679
APIs
• ?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z.YCOMUIU(DlgFrame), ref: 00FD63DF
• ?SetBorderSize@CControlUI@DuiLib@@QAEXH@Z.YCOMUIU(00000000), ref: 00FD641E
• ?SetBorderSize@CControlUI@DuiLib@@QAEXUtagRECT@@@Z.YCOMUIU ref: 00FD6432
Strings
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: ControlLib@@$BorderSize@$Control@FindI@2@ManagerPaintT@@@Utag
• String ID: DlgFrame
• API String ID: 3762731894-587853529
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,100428E7), ref: 10049B91
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 10049BA1
Strings
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• API String ID: 1646373207-3105848591
APIs
• send.WS2_32(?,?,00000003,00000000), ref: 1001A215
• WSAGetLastError.WS2_32 ref: 1001A21F
  • Part of subcall function 1000A8C0: curl_mvsnprintf.LIBCURL(?,00000100,?,?,?), ref: 1000A8F6
Strings
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: ErrorLastcurl_mvsnprintfsend
• String ID: SENT$Sending data failed (%d)
• API String ID: 3410051995-3459338696
APIs
• curl_msnprintf.LIBCURL(?,000000FF,SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.,?), ref: 10027929
• _strncpy.LIBCMT ref: 1002793E
• GetLastError.KERNEL32 ref: 1002795D
• SetLastError.KERNEL32(?), ref: 1002796C
Strings
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: ErrorLast$_strncpycurl_msnprintf
• String ID: SEC_E_WRONG_PRINCIPAL
• API String ID: 4101537214-1567375120
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: _strncmp
• String ID: I32$I64
• API String ID: 909875538-3980630743
APIs
• ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPlay,00000001,?,010062C7), ref: 0102E1FC
• ?ShowWindow@WindowImplBase@DuiLib@@QAEXPB_W_N@Z.YCOMUIU(btnPause,00000000,?,010062C7), ref: 0102E20B
Strings
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Base@ImplLib@@ShowWindowWindow@
• String ID: btnPause$btnPlay
• API String ID: 1918941322-2951056387
APIs
• InternetCloseHandle.WININET(?), ref: 00FAC278
  • Part of subcall function 00F9F540: WideCharToMultiByte.KERNEL32(-00000100,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,B69A1A1E,?,00000000), ref: 00F9F5AD
• InternetCloseHandle.WININET(?), ref: 00FAC282
• InternetCloseHandle.WININET(?), ref: 00FAC28C
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: CloseHandleInternet$ByteCharMultiWide
• String ID:
• API String ID: 1622922300-0
APIs
Strings
• CHttpClientT::_ReleasePostResponse: The post context is not active., xrefs: 00FAA905
• CHttpPostStatT::FileCount: The post context is not active., xrefs: 00FAAB71
• CHttpPostStatT::FileCount: The post context is not active., xrefs: 00FAA911
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: CloseHandle
• String ID: CHttpClientT::_ReleasePostResponse: The post context is not active.$CHttpPostStatT::FileCount: The post context is not active.$CHttpPostStatT::FileCount: The post context is not active.
• API String ID: 2962429428-1075908693
APIs
• ??9CDuiPoint@DuiLib@@QBEHUtagPOINT@@@Z.YCOMUIU(?,?), ref: 00FE268C
• GdipCreatePen1.GDIPLUS(FFFF0000,?,00000000,B69A1A1E), ref: 00FE2749
• GdipDrawRectangle.GDIPLUS(?,00000000), ref: 00FE278E
• GdipDeletePen.GDIPLUS(00000000,?,00000000), ref: 00FE27A4
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Gdip$CreateDeleteDrawLib@@Pen1Point@RectangleT@@@Utag
• String ID:
• API String ID: 2148718937-0
                                                                                    • Opcode ID: eac8fca3bcb70c8afceea5723e5961ab0e90e98b2a16f1cd63278ec5cf5bcfd1
                                                                                    • Instruction ID: 2dc9b9148c641c44b6c7a818124e35cd3684e965b601cf87a98645a6fafdb5a7
                                                                                    • Opcode Fuzzy Hash: eac8fca3bcb70c8afceea5723e5961ab0e90e98b2a16f1cd63278ec5cf5bcfd1
                                                                                    • Instruction Fuzzy Hash: AB41A231D24B4A9FCB12DF77C8406AEF7B4EF9A650F14871AE855B2290E7706990EF40

APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1004EAB6
• __isleadbyte_l.LIBCMT ref: 1004EAEA
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,FF000002,?,00000000,?,?,?,1004889B,?,?,00000001), ref: 1004EB1B
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,1004889B,?,?,00000001), ref: 1004EB89
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 9c730ce7952e2b627b317e01ad1b145974d4a1f4fede98f3591adb4b7a0f34e9
• Instruction ID: 9c79ee1bb4bdc1cedf611f69e0581f35899ec4864ab9987ac5dd926da86c2cb8
• Opcode Fuzzy Hash: 9c730ce7952e2b627b317e01ad1b145974d4a1f4fede98f3591adb4b7a0f34e9
• Instruction Fuzzy Hash: FB318E31A08396EFEB10CF64C8849AE7BE5FF01351F2185B9E495CB191D330AD60DB96

APIs
• GdipSetSmoothingMode.GDIPLUS(?,00000002,B69A1A1E), ref: 00FE2807
• GdipCreatePen1.GDIPLUS(FFFF0000,?,00000000,B69A1A1E,?,00000002), ref: 00FE2875
• GdipDrawRectangle.GDIPLUS(?,00000000,00000002), ref: 00FE28B7
• GdipDeletePen.GDIPLUS(00000000,?,00000000,00000002), ref: 00FE28CD
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: Gdip$CreateDeleteDrawModePen1RectangleSmoothing
• String ID:
• API String ID: 3418039581-0
• Opcode ID: 404e2d92833afd8b12ed1fb8a46bbe9bf7ce2c38231b9545d246c0f992b3e6e4
• Instruction ID: 227236cf5b3ce6fd2486a2badb131b582ebd7aa30ff8079a6ef63a364c0df639
• Opcode Fuzzy Hash: 404e2d92833afd8b12ed1fb8a46bbe9bf7ce2c38231b9545d246c0f992b3e6e4
• Instruction Fuzzy Hash: A531B031C1474EAACB02DF37C8416AAF7B4FF6A350F14CB1AF850721A0E7306594AB90

APIs
• WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00FA6673
• WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00FA669E
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID:
• API String ID: 626452242-0
• Opcode ID: ee21d0df59ec9a68ec1ceb3231d9a23d0d422c1a299d491027dee7c9e7b5cb05
• Instruction ID: 98101f92b86c033930c55a12a45db370197496e50c7d03f760a244f0c6255a8e
• Opcode Fuzzy Hash: ee21d0df59ec9a68ec1ceb3231d9a23d0d422c1a299d491027dee7c9e7b5cb05
• Instruction Fuzzy Hash: 5F01D0B17807057AF7302B646C46F5A371DDBC2F35F284224F724EC2C0DEAAD4006629

APIs
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: _memset_strncpy
• String ID:
• API String ID: 3140232205-0
• Opcode ID: 1db06c2b31e23d922c23e583eb829f0f97851f8785b49fca14e959a418f1488a
• Instruction ID: 527ee988e04d19710a04e043ebacaaf5b3f7200028b3bdad06bd043691935b6c
• Opcode Fuzzy Hash: 1db06c2b31e23d922c23e583eb829f0f97851f8785b49fca14e959a418f1488a
• Instruction Fuzzy Hash: 1411EBB69443856FD331CB549CC2FEB72DCDB98204F04093DF19896142E57479484777

APIs
• _memset.LIBCMT ref: 100347AD
• InitializeCriticalSection.KERNEL32(00000000), ref: 100347DC
• DeleteCriticalSection.KERNEL32(00000000,?), ref: 10034805
• _memset.LIBCMT ref: 10034839
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: CriticalSection_memset$DeleteInitialize
• String ID:
• API String ID: 4176218707-0
• Opcode ID: bd2f5aa1201275f04c32bf705390aaa0236c3f283dba3650b16b7ba1ca23c861
• Instruction ID: cbf8b7a025f263a9f617c8f508d9ff05d3e189f14c15eb30bd5e822830511d5d
• Opcode Fuzzy Hash: bd2f5aa1201275f04c32bf705390aaa0236c3f283dba3650b16b7ba1ca23c861
• Instruction Fuzzy Hash: 681149B9A002109BFB00DF69ECC5B1737E8EB4875AF054475F905EF242EA75E914CBA1

Strings
• CHttpToolA::Unicode2Ansi: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter., xrefs: 00FA66B1
• CHttpPostStatT::TotalCount: The post context is not active., xrefs: 00FA662C
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID:
• String ID: CHttpPostStatT::TotalCount: The post context is not active.$CHttpToolA::Unicode2Ansi: CP_UTF8 and CP_UTF7 can not be used for the CodePage parameter.
• API String ID: 0-3665396777
• Opcode ID: 0cf913e930ec963dc0adbdd5b0a9361d81933f2319f46aab081dd698e7a7fd2e
• Instruction ID: c07a303101dd6fe9f8ab711995a5bbf915addf6ac37ac1bf5310c609a08947cc
• Opcode Fuzzy Hash: 0cf913e930ec963dc0adbdd5b0a9361d81933f2319f46aab081dd698e7a7fd2e
• Instruction Fuzzy Hash: B8F027B09402043AFA2033A84C0BF6D30088B07F11F1C4028FA24BD1C1CEE92C00756B

APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00FA83F0
  • Part of subcall function 01053E56: RaiseException.KERNEL32(?,?,B69A1A1E,?,?,?,?,?,?,00FD56AD,80004005,B69A1A1E), ref: 01053EB6
• InternetCloseHandle.WININET(?), ref: 00FA8435
• InternetCloseHandle.WININET(?), ref: 00FA843F
• InternetCloseHandle.WININET(?), ref: 00FA8449
Memory Dump Source
• Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
• Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
Similarity
• API ID: CloseHandleInternet$ExceptionException@8RaiseThrow
• String ID:
• API String ID: 1390451768-0
• Opcode ID: 7282c8fcb43d3a6383bccc528eec4a15693fb75da3798bce6649acb6dcc90f76
• Instruction ID: 02dbb5bfcf19118e77c46b60a94ed8d1390f4fbd0379e6d17e4bf47f5441ae5e
• Opcode Fuzzy Hash: 7282c8fcb43d3a6383bccc528eec4a15693fb75da3798bce6649acb6dcc90f76
• Instruction Fuzzy Hash: 770131B1E0010DABDF10DAF8DC45FDE77BC9B09750F0405A6BD05E7280DAB5EA419AA1

APIs
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
• Instruction ID: b9aa073f03d61498076d92bc8aa3a45f0e6e44aa689d445a32d8d5246c27020b
• Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
• Instruction Fuzzy Hash: A5014B3644014ABBCF129E84CC418EE3F66FB19394B698435FE1898031D236DAB1AB86

APIs
  • Part of subcall function 10046407: __amsg_exit.LIBCMT ref: 10046415
• __amsg_exit.LIBCMT ref: 1004594B
• __lock.LIBCMT ref: 1004595B
• InterlockedDecrement.KERNEL32(?), ref: 10045978
• InterlockedIncrement.KERNEL32(02DC1608), ref: 100459A3
Memory Dump Source
• Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__lock
• String ID:
• API String ID: 4129207761-0
• Opcode ID: e95d3633c6b2f11e2f04b93012a1168df2187cae0b2af10eacc2252bd6f1e863
• Instruction ID: 1089d4e86a32b4915337fb6dc27ba9e41df148c507d30f5dc147301e63979de5
• Opcode Fuzzy Hash: e95d3633c6b2f11e2f04b93012a1168df2187cae0b2af10eacc2252bd6f1e863
• Instruction Fuzzy Hash: 0101AD36901B22EBEB11DB64888574D77A0FB09762F310029E814F7A82CB757D41DBE9
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,?,1004640D,?,1004193E,00000000,10041B2C,?,?,?,?,00000000,?,?,?,?), ref: 10046392
                                                                                      • Part of subcall function 10046249: TlsGetValue.KERNEL32(?,100463A5,?,?,?,00000000), ref: 10046250
                                                                                      • Part of subcall function 10046249: TlsSetValue.KERNEL32(00000000,?,?,00000000), ref: 10046271
                                                                                    • __calloc_crt.LIBCMT ref: 100463B4
                                                                                      • Part of subcall function 1004B07F: __calloc_impl.LIBCMT ref: 1004B08D
                                                                                      • Part of subcall function 1004B07F: Sleep.KERNEL32(00000000,?,?,?,00000000,00000000,100463B9,00000001,00000214,?,?,?,00000000), ref: 1004B0A4
                                                                                      • Part of subcall function 100461B7: TlsGetValue.KERNEL32(00000000,10046267,?,?,?,00000000), ref: 100461C4
                                                                                      • Part of subcall function 100461B7: TlsGetValue.KERNEL32(00000009,?,?,?,00000000), ref: 100461DB
                                                                                      • Part of subcall function 100462D1: GetModuleHandleA.KERNEL32(KERNEL32.DLL,10064278,0000000C,100463E2,00000000,00000000,?,?,?,00000000), ref: 100462E2
                                                                                      • Part of subcall function 100462D1: GetProcAddress.KERNEL32(?,EncodePointer), ref: 10046316
                                                                                      • Part of subcall function 100462D1: GetProcAddress.KERNEL32(?,DecodePointer), ref: 10046326
                                                                                      • Part of subcall function 100462D1: InterlockedIncrement.KERNEL32(10066540), ref: 10046348
                                                                                      • Part of subcall function 100462D1: __lock.LIBCMT ref: 10046350
                                                                                      • Part of subcall function 100462D1: ___addlocaleref.LIBCMT ref: 1004636F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 100463E4
                                                                                    • SetLastError.KERNEL32(00000000,?,?,?,00000000), ref: 100463FC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                                                                                    • String ID:
                                                                                    • API String ID: 1081334783-0
                                                                                    • Opcode ID: e19e0a0ebe24f18689f5fd4e9f1c24fae35a99f5e01f0a1b4db586982f667fcb
                                                                                    • Instruction ID: 039e540da85a55bbd00d3b44ffa00ce6a1717d6aeda1284da835423c8a9c9710
                                                                                    • Opcode Fuzzy Hash: e19e0a0ebe24f18689f5fd4e9f1c24fae35a99f5e01f0a1b4db586982f667fcb
                                                                                    • Instruction Fuzzy Hash: 28F04C36909A72EBD335AF745C1A68E3B91DF087B2B310538F451D61F0EF61D880469E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: __invoke_watson_malloc_strcpy_s_strlen
                                                                                    • String ID:
                                                                                    • API String ID: 979628620-0
                                                                                    • Opcode ID: 39bb3c781dc7f2b812a768d0bfc9e4b5b92475d275650cfeef2df2d837c52097
                                                                                    • Instruction ID: 34c912fd01e15a09025dc7636a664c40bd418f9492a86d13d5844df3697870a1
                                                                                    • Opcode Fuzzy Hash: 39bb3c781dc7f2b812a768d0bfc9e4b5b92475d275650cfeef2df2d837c52097
                                                                                    • Instruction Fuzzy Hash: 8DE092AB7891A9365520E4756C85EAF678CCAC60F973344B9FD09C2103FD129C0995B5
                                                                                    APIs
                                                                                    • SetCursor.USER32(00000000), ref: 00FDA39C
                                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 00FDA3BD
                                                                                      • Part of subcall function 0100F7C0: ReleaseCapture.USER32 ref: 0100F7C9
                                                                                    • SetCursor.USER32(00000000), ref: 00FDA3DC
                                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 00FDA3FD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: CursorInvalidateRect$CaptureRelease
                                                                                    • String ID:
                                                                                    • API String ID: 2232807753-0
                                                                                    • Opcode ID: d0759f2bf6c84ea898b766a12e0a95363549f25eec059d09a8c92a8f698b90c1
                                                                                    • Instruction ID: 8b3849ef886b63c4438ebc780ba0b1f73f00482d17aec6b5ce21eb59f571ef96
                                                                                    • Opcode Fuzzy Hash: d0759f2bf6c84ea898b766a12e0a95363549f25eec059d09a8c92a8f698b90c1
                                                                                    • Instruction Fuzzy Hash: 8B016D30548740AFF3729774DC09F96BAD6AF10B00F084849E1CAD66D5CBBAB884DF69
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: DeleteGdip$FreeGraphicsObjectSelect
                                                                                    • String ID:
                                                                                    • API String ID: 1630502854-0
                                                                                    • Opcode ID: 2409f46b5d357bbb8212d18f0715021490370da3e4a18487b61395f8d185af75
                                                                                    • Instruction ID: 8488e6111f9e05ba03c562bcfee67ec9741066f2e23819f675fa4dd544db639c
                                                                                    • Opcode Fuzzy Hash: 2409f46b5d357bbb8212d18f0715021490370da3e4a18487b61395f8d185af75
                                                                                    • Instruction Fuzzy Hash: B0F0C231600B00CFE7709F35D954BE7B3F8AF41710F08041DE8D682210EB72A901EB62
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Invalid input packet$Q
                                                                                    • API String ID: 0-1423188339
                                                                                    • Opcode ID: 73bd5968f7ae62e78ab3930ee0f227636e2b656ca51634262a577a71f45e56c5
                                                                                    • Instruction ID: f2fe52ed724a6a238e9ef84cd706d2a89478f6ab8af3e1de367a7f29abd5fd66
                                                                                    • Opcode Fuzzy Hash: 73bd5968f7ae62e78ab3930ee0f227636e2b656ca51634262a577a71f45e56c5
                                                                                    • Instruction Fuzzy Hash: D9B11274A043009FD315DF24D881BAAB3E6FF88302F25457EE9598F352E776A846CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset
                                                                                    • String ID: 1.2.0.4$1.2.11
                                                                                    • API String ID: 2102423945-3557954862
                                                                                    • Opcode ID: 10efc0a2b4f26ae79193483ff18862e3f504beea2e70cd01f72c94664bfb6d3d
                                                                                    • Instruction ID: 951e9336588d9c9dabd141dec0aa73917bc7e773b5f6c4338d0a77ef278ef728
                                                                                    • Opcode Fuzzy Hash: 10efc0a2b4f26ae79193483ff18862e3f504beea2e70cd01f72c94664bfb6d3d
                                                                                    • Instruction Fuzzy Hash: 8071A7B6B00205DFD700CF28FD85B6AB7E8EB84266F548175F806CB346D736E90987A5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LDAP$Z
                                                                                    • API String ID: 0-1365892505
                                                                                    • Opcode ID: 56e724dd0474b0b821e74b3de97201fcb809d64cfaf2f3247e74776d87713944
                                                                                    • Instruction ID: c2546b03e04a7a601750497279bb0acedff6b270031262eed4389e17c1e6331a
                                                                                    • Opcode Fuzzy Hash: 56e724dd0474b0b821e74b3de97201fcb809d64cfaf2f3247e74776d87713944
                                                                                    • Instruction Fuzzy Hash: 6171CEB1A003529BD710CF248C40B6B77F4FB88784F55096DF9889F282E775E981CBA2
                                                                                    Strings
                                                                                    • select/poll on SSL socket, errno: %d, xrefs: 1003E1E2
                                                                                    • schannel: timed out sending data (bytes sent: %zd), xrefs: 1003E1BB, 1003E203
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: schannel: timed out sending data (bytes sent: %zd)$select/poll on SSL socket, errno: %d
                                                                                    • API String ID: 0-3891197721
                                                                                    • Opcode ID: fb3b7b51be1aad654f680406309ac37ff1e237f04e63dc6f999dc420ec5b9ed2
                                                                                    • Instruction ID: f027e35cf7f907aebbf4425a95172f9117f1cddf0de17b210ff45e8ea19cc82d
                                                                                    • Opcode Fuzzy Hash: fb3b7b51be1aad654f680406309ac37ff1e237f04e63dc6f999dc420ec5b9ed2
                                                                                    • Instruction Fuzzy Hash: 947166B16083409FE310CF69DC80A5BB7E9FB88364F144A1DF9698B3D1D771E9498B62
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strrchr
                                                                                    • String ID: /
                                                                                    • API String ID: 3213747228-2043925204
                                                                                    • Opcode ID: 535568f48526c54f4f11bef35c2ab330a88cd4c4f6a2a0ddf67b5c26c0c754d4
                                                                                    • Instruction ID: 13aabc7a8131bc031bf3d34950bb5f0b6403875eff56069af9a2a5651ba2ff8c
                                                                                    • Opcode Fuzzy Hash: 535568f48526c54f4f11bef35c2ab330a88cd4c4f6a2a0ddf67b5c26c0c754d4
                                                                                    • Instruction Fuzzy Hash: 5D511361D083966BE721FB24BC417677BD5DB01681F0A087BEC459F242E7B5E988C3E2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d
                                                                                    • API String ID: 0-3791222319
                                                                                    • Opcode ID: 5c8f1837d975c2687c41356c1af36d6e24f10c5a336ec1abe43ced67d5b74ca4
                                                                                    • Instruction ID: a6a50d44b9258fd3bf4ada97758209568abb07209a7a8cac3365b7ffe06e809d
                                                                                    • Opcode Fuzzy Hash: 5c8f1837d975c2687c41356c1af36d6e24f10c5a336ec1abe43ced67d5b74ca4
                                                                                    • Instruction Fuzzy Hash: EB5106756006869FD712DE14EC8179BB3D4EB80366F100A2AFA128A2C1D731FD54C792
                                                                                    APIs
                                                                                      • Part of subcall function 10035380: _memset.LIBCMT ref: 100353E4
                                                                                    • _memset.LIBCMT ref: 100391A3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset
                                                                                    • String ID: curl$i386-pc-win32
                                                                                    • API String ID: 2102423945-3250060130
                                                                                    • Opcode ID: 9b1ed696a9c9f8f91ad27659fabbc3157fb2527714eed2d065c4ac92153aac39
                                                                                    • Instruction ID: 5cbea4088eb9aceb0b192855b3950d11bd5f3f6da5cebf236636f8dc2c9806e4
                                                                                    • Opcode Fuzzy Hash: 9b1ed696a9c9f8f91ad27659fabbc3157fb2527714eed2d065c4ac92153aac39
                                                                                    • Instruction Fuzzy Hash: 10714CB42087818FD325CF28C490A9BB7F6FFC9304F54891DE9898B351EB72A509CB56
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Set-Cookie:$none
                                                                                    • API String ID: 0-3629594122
                                                                                    • Opcode ID: f235adaed21e20db2c8a579844452287c9dd04799dc848f25037370a6580180d
                                                                                    • Instruction ID: 2da708c24ea4987124cae2047acdb53195306fd66a9f37bb029681acac454c4f
                                                                                    • Opcode Fuzzy Hash: f235adaed21e20db2c8a579844452287c9dd04799dc848f25037370a6580180d
                                                                                    • Instruction Fuzzy Hash: C7410171A043919BF310CB24CC49B5B77E5EF883C7F14442AF98597246EB66EA04C6A2
                                                                                    APIs
                                                                                    • curl_maprintf.LIBCURL(%s,?,?,?,?,?,10032274,?,?,?,1000B0F6,?,USER %s,?), ref: 10032145
                                                                                    • curl_mvaprintf.LIBCURL(00000000,?), ref: 10032162
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_maprintfcurl_mvaprintf
                                                                                    • String ID: %s
                                                                                    • API String ID: 2226252885-3043279178
                                                                                    • Opcode ID: a5d8c1dd0c3eea15a9a21cd3e40970c83eef16944b9c27e403d4bf6ecb40a432
                                                                                    • Instruction ID: 47c2f3b62e0b31c90ef798fabcc13ef0cfd9f06a0ee516219d4ee16ad755145b
                                                                                    • Opcode Fuzzy Hash: a5d8c1dd0c3eea15a9a21cd3e40970c83eef16944b9c27e403d4bf6ecb40a432
                                                                                    • Instruction Fuzzy Hash: 5831A0B66043059FD310CF69EC84A97B7E8EF882A1F144A2EF54AC7601E771F549CBA1
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: __close__open
                                                                                    • String ID: Couldn't open file %s
                                                                                    • API String ID: 3618140344-447283422
                                                                                    • Opcode ID: 11a8315306041adcb55569b808dba59668749fd71490b1ed0e418f89b3d15bcb
                                                                                    • Instruction ID: 0f2e988d8e4c8e9d945fca0a8ecd18d6386b020a49f8be79bec91f43b61e2ef6
                                                                                    • Opcode Fuzzy Hash: 11a8315306041adcb55569b808dba59668749fd71490b1ed0e418f89b3d15bcb
                                                                                    • Instruction Fuzzy Hash: EE31F3716047429FF310CF24D880B9BB7E5EF453A4F24C52DE5958B286DB31FA888792
                                                                                    APIs
                                                                                    • curl_maprintf.LIBCURL(%s%s%s,100562B4,?,100562C8), ref: 100118DA
                                                                                    • _strtol.LIBCMT ref: 1001196A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strtolcurl_maprintf
                                                                                    • String ID: %s%s%s
                                                                                    • API String ID: 2117670504-3094730333
                                                                                    • Opcode ID: 5d04e2398fe23a3ce6088c70d4ad2b2767e19366c795c02a28deac6b4c3d03d9
                                                                                    • Instruction ID: 76b1e7b62af2e4080bb76340dceea20dfd96fa29f05b987bb8880ba00b813f8b
                                                                                    • Opcode Fuzzy Hash: 5d04e2398fe23a3ce6088c70d4ad2b2767e19366c795c02a28deac6b4c3d03d9
                                                                                    • Instruction Fuzzy Hash: 5531E371A082419BD318CB18DC10BEAB7E8EF89394F154629FC98DB241D775ED89CB92
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strtoul
                                                                                    • String ID: $%
                                                                                    • API String ID: 2527007707-2111875603
                                                                                    • Opcode ID: 6f655cd63469fd03d5e8d2b9a00a861b40712ad3f80959c517e3aa0d2fc7ad02
                                                                                    • Instruction ID: 923d0ec5fd0918bf0f94405ae5688d2d4d94f40bc0860bb7f220b35e4c244835
                                                                                    • Opcode Fuzzy Hash: 6f655cd63469fd03d5e8d2b9a00a861b40712ad3f80959c517e3aa0d2fc7ad02
                                                                                    • Instruction Fuzzy Hash: 77314B72E083814FE310CB389C4869B7BD5DF85255F49446DE8C98B202E236D74CC3A3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: %02x$APOP %s %s
                                                                                    • API String ID: 0-177642706
                                                                                    • Opcode ID: 5cd53990a2227655412ca76a6d6482bcb0db88c92834ca30baa647e7da4b9012
                                                                                    • Instruction ID: e99558f73c59a57c4fdc4772257c671f96e2badb5d7207bfe661cc1121dbe8a9
                                                                                    • Opcode Fuzzy Hash: 5cd53990a2227655412ca76a6d6482bcb0db88c92834ca30baa647e7da4b9012
                                                                                    • Instruction Fuzzy Hash: BC31F4B69042405FE711EF24AC56BEB73E9EF84300FC94569FC094F242E735BA05C6A2
                                                                                    APIs
                                                                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,010A0A7E,?,00000050,?,?,?,?,?), ref: 010A08B8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ACP$OCP
                                                                                    • API String ID: 0-711371036
                                                                                    • Opcode ID: 5940705306542a6d26321eae6edacef24a23a3034aeabb4e3b92b7bc836a2e1d
                                                                                    • Instruction ID: f3f781ec9384d76fb72e197f4c7c454b9aa9cb66783f4d4e0fceb3f6e1f4ad6f
                                                                                    • Opcode Fuzzy Hash: 5940705306542a6d26321eae6edacef24a23a3034aeabb4e3b92b7bc836a2e1d
                                                                                    • Instruction Fuzzy Hash: 2721C772A00209AAEB758BD8C9017AB73D6EF44A50FC645A4F9C5D720DE732D940C3D8
                                                                                    APIs
                                                                                    • _strtol.LIBCMT ref: 1000E9CF
                                                                                      • Part of subcall function 1004209B: strtoxq.LIBCMT ref: 100420BA
                                                                                    • curl_msnprintf.LIBCURL(?,00000080,Content-Length: %I64d), ref: 1000EA08
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strtolcurl_msnprintfstrtoxq
                                                                                    • String ID: Content-Length: %I64d
                                                                                    • API String ID: 2142799606-326554249
                                                                                    • Opcode ID: eba38e955dc4b22748359dceaf9b5f4d960d6b3ea6b44b33dadba7dbc517907f
                                                                                    • Instruction ID: 5684146caac0d8c38e40ff63ee1277816ac9fd274925a4aae80720ebac04e97e
                                                                                    • Opcode Fuzzy Hash: eba38e955dc4b22748359dceaf9b5f4d960d6b3ea6b44b33dadba7dbc517907f
                                                                                    • Instruction Fuzzy Hash: D921DBB5A043845BF230CA289C41F9F72ECFB8A394F504529F558E61C6EBB47E048763
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(00000000,?,%s:,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 1003D19E
                                                                                      • Part of subcall function 10019330: curl_mvsnprintf.LIBCURL(?,?,?,?,1000A784,?,000000A0,[%s %s %s],Header,from,?,?,?,?,00000000), ref: 10019344
                                                                                    • curl_slist_free_all.LIBCURL(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 1003D1EB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_msnprintfcurl_mvsnprintfcurl_slist_free_all
                                                                                    • String ID: %s:
                                                                                    • API String ID: 2849102733-64597662
                                                                                    • Opcode ID: ef04f41616d644892b4c83567e23418faf795bb920225f4e4d8a5309d6745c0c
                                                                                    • Instruction ID: e9d08de4fb7fb0f606a5ed4ffbdfefd84f7f6e851f1692e129597886e62c238c
                                                                                    • Opcode Fuzzy Hash: ef04f41616d644892b4c83567e23418faf795bb920225f4e4d8a5309d6745c0c
                                                                                    • Instruction Fuzzy Hash: 8D21CFB6205205ABC314DF58EC80DDBB7E9FF8A265F11421AF9498B701CB32A915CBA1
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastrecv
                                                                                    • String ID: Recv failure: %s
                                                                                    • API String ID: 2514157807-4276829032
                                                                                    • Opcode ID: ff8c1e7fc926528fdce9ee8cdef0d335d79e871e6819f72056af57feef6f6fbc
                                                                                    • Instruction ID: 305b9d34d77a85a4a6672d863ffb4592ebae2f87d47c77bbec4ed0b6ed0dc5db
                                                                                    • Opcode Fuzzy Hash: ff8c1e7fc926528fdce9ee8cdef0d335d79e871e6819f72056af57feef6f6fbc
                                                                                    • Instruction Fuzzy Hash: 9A11A5763043149BD710DF59DC84BABB7E9EBCA2A6F100669F60487241C731B845CBA1
                                                                                    APIs
                                                                                    • curl_maprintf.LIBCURL(%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s,00000014,?,?,?,?,?,1005E7F4,?,?,00000000,00000000,10037AA7), ref: 100376F1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_maprintf
                                                                                    • String ID: %u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT
                                                                                    • API String ID: 3307269620-632690687
                                                                                    • Opcode ID: 7010df02046964cdd923b02cbb0627a72dd0dd3cde7959506707fe618d4ebc13
                                                                                    • Instruction ID: 15ce0f443ccfb7e52b1343b85ab836ccf9747a17162539279753e369f237c801
                                                                                    • Opcode Fuzzy Hash: 7010df02046964cdd923b02cbb0627a72dd0dd3cde7959506707fe618d4ebc13
                                                                                    • Instruction Fuzzy Hash: 68016D776044942FD727C93CDC9BBD63A8FEBC9351F1A85A5E849CF106E2318D4AC2A1
                                                                                    APIs
                                                                                    • getsockopt.WS2_32(?,0000FFFF,00001001,?,?), ref: 1002174F
                                                                                    • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 10021775
                                                                                      • Part of subcall function 1003A040: _memset.LIBCMT ref: 1003A062
                                                                                      • Part of subcall function 1003A040: GetVersionExA.KERNEL32 ref: 1003A077
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Version_memsetgetsockoptsetsockopt
                                                                                    • String ID: @
                                                                                    • API String ID: 2132495733-2726393805
                                                                                    • Opcode ID: 8d0bf8ef15bbe6e9edb18a39c17b751fa02e591fe8cb6426bea91bae351b1c4f
                                                                                    • Instruction ID: 6204370dbd34ac565daabde033db29cf983e5203c6bb5f447c48de699b6a97f9
                                                                                    • Opcode Fuzzy Hash: 8d0bf8ef15bbe6e9edb18a39c17b751fa02e591fe8cb6426bea91bae351b1c4f
                                                                                    • Instruction Fuzzy Hash: 78015274608312AAF710DB10EDC6B9B77E9EB94B41F804458F649961D0E3F599888793
                                                                                    APIs
                                                                                    • curl_easy_strerror.LIBCURL(00000000), ref: 1000C3BC
                                                                                      • Part of subcall function 1000A8C0: curl_mvsnprintf.LIBCURL(?,00000100,?,?,?), ref: 1000A8F6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_easy_strerrorcurl_mvsnprintf
                                                                                    • String ID: Failure sending QUIT command: %s$QUIT
                                                                                    • API String ID: 1275829525-1162443993
                                                                                    • Opcode ID: 662ef6d82a93484939d914aa36455428add2509be97ce06ee8289a9f632080e1
                                                                                    • Instruction ID: 1b0c5fedbf4289fdc4ece57c7bd62352e09757093ba3cad9a5f46d3eb0daa7dd
                                                                                    • Opcode Fuzzy Hash: 662ef6d82a93484939d914aa36455428add2509be97ce06ee8289a9f632080e1
                                                                                    • Instruction Fuzzy Hash: 7601D175A017066AEA40DB74AC81BE6A2D8FF042C2F04053ABA18D2142E7B5B9E486E0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: HTTP/
                                                                                    • API String ID: 0-2417072641
                                                                                    • Opcode ID: e2bce70489d0ff49e5e2561062aa219f3b08d011217821f86f1ab0b1d662f39c
                                                                                    • Instruction ID: 19e3bfb836c9a72e1cf6480ef6b33acfd964f1161703e4a39b25dc971252b389
                                                                                    • Opcode Fuzzy Hash: e2bce70489d0ff49e5e2561062aa219f3b08d011217821f86f1ab0b1d662f39c
                                                                                    • Instruction Fuzzy Hash: DCF0B43AF012591BE22185596C05BA33BCCDB867D9F0A00A5FD8CDB305E356EC0442E0
                                                                                    APIs
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00FA65AF
                                                                                      • Part of subcall function 01053E56: RaiseException.KERNEL32(?,?,B69A1A1E,?,?,?,?,?,?,00FD56AD,80004005,B69A1A1E), ref: 01053EB6
                                                                                    Strings
                                                                                    • CHttpPostStatT::TotalByte: The post context is not active., xrefs: 00FA65CC
                                                                                    • CHttpPostStatT::TotalByte: The post context is not active., xrefs: 00FA65EC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionException@8RaiseThrow
                                                                                    • String ID: CHttpPostStatT::TotalByte: The post context is not active.$CHttpPostStatT::TotalByte: The post context is not active.
                                                                                    • API String ID: 3976011213-2071995965
                                                                                    • Opcode ID: a6fd5a284c45d4599c1ecde0d5990455c4201f229dde4a03d03cf33e6964361f
                                                                                    • Instruction ID: 5e31c5c0575548bcc81e8690d51c21951a98f9e46fd0623eddc04a483a0ff39e
                                                                                    • Opcode Fuzzy Hash: a6fd5a284c45d4599c1ecde0d5990455c4201f229dde4a03d03cf33e6964361f
                                                                                    • Instruction Fuzzy Hash: BEE09270940208BADB057BD0CC07F9D7B64AB05B04F1C840C7700690D2D6B5A146E6C4
                                                                                    APIs
                                                                                    • curl_msnprintf.LIBCURL(00000000,00000004,%02x:,00000000,00000000), ref: 100370FC
                                                                                      • Part of subcall function 10019330: curl_mvsnprintf.LIBCURL(?,?,?,?,1000A784,?,000000A0,[%s %s %s],Header,from,?,?,?,?,00000000), ref: 10019344
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4043514388.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4043497627.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043546322.0000000010055000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043568082.0000000010066000.00000004.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000009.00000002.4043585884.000000001006A000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_10000000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: curl_msnprintfcurl_mvsnprintf
                                                                                    • String ID: %02x:$TUUU
                                                                                    • API String ID: 4251218765-534085559
                                                                                    • Opcode ID: f45ac0fdcdfeaeb4935da25b619fcbd7e1c408397fe09d6998551914bb8375a6
                                                                                    • Instruction ID: 9270c8012c1090b1fa08eade8d78097ea70b91a98350ba5e9bdb9ea06059773f
                                                                                    • Opcode Fuzzy Hash: f45ac0fdcdfeaeb4935da25b619fcbd7e1c408397fe09d6998551914bb8375a6
                                                                                    • Instruction Fuzzy Hash: 1FF05C63B041181BD7B1EC6C2C84A76F3DDEB54016F06087EEF4ADF202F5639E460190
                                                                                    APIs
                                                                                    • HttpEndRequestW.WININET(?,00000000,00000000,00000000), ref: 00FA0621
                                                                                    • GetLastError.KERNEL32(00000000,CHttpToolA::EndRequest: hRequest can not be NULL.,00000000), ref: 00FA0639
                                                                                    Strings
                                                                                    • CHttpToolA::EndRequest: hRequest can not be NULL., xrefs: 00FA062D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorHttpLastRequest
                                                                                    • String ID: CHttpToolA::EndRequest: hRequest can not be NULL.
                                                                                    • API String ID: 4268994570-438178888
                                                                                    • Opcode ID: 318b94cbe2205f8fc6543009a04980d51d646415d1502c2d0b5857a593055331
                                                                                    • Instruction ID: 805339d0c4a5c2d051fbc3b727558afb66559061c3c451e0dbdacfaaa7bc2761
                                                                                    • Opcode Fuzzy Hash: 318b94cbe2205f8fc6543009a04980d51d646415d1502c2d0b5857a593055331
                                                                                    • Instruction Fuzzy Hash: D1E05BB07803057EFA3067A99C0BFDA338C5B05F05F1844047B15D92C0DE95E400AA6A
                                                                                    APIs
                                                                                    • SHSetValueW.SHLWAPI(80000001,Software\EasePaintWatermarkRemover,UtilFlag,00000004,?,00000004,?,?,00FF5822,00000001), ref: 0101454A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.4038343702.0000000000F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F90000, based on PE: true
                                                                                    • Associated: 00000009.00000002.4038322351.0000000000F90000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038457232.00000000010C6000.00000002.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038503922.0000000001115000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038526339.0000000001117000.00000008.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.000000000111E000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038549199.0000000001120000.00000004.00000001.01000000.00000007.sdmp
                                                                                    • Associated: 00000009.00000002.4038590503.0000000001123000.00000002.00000001.01000000.00000007.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_f90000_EasePaint.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value
                                                                                    • String ID: Software\EasePaintWatermarkRemover$UtilFlag
                                                                                    • API String ID: 3702945584-3823976766
                                                                                    • Opcode ID: 6840544f1ee64da07dfd3ca3c4bd6e5b35c198b7aa6acdfed791b3bde7b23705
                                                                                    • Instruction ID: 1a0712905a6732a8dc9e214dd5fdcf3a75981f2de2ad77ecfebf49b47855c23f
                                                                                    • Opcode Fuzzy Hash: 6840544f1ee64da07dfd3ca3c4bd6e5b35c198b7aa6acdfed791b3bde7b23705
                                                                                    • Instruction Fuzzy Hash: 42E04F7168030CBEEB20CE959801BA97B98D701725F0041D9FE5C9A582D6B2A9509794