
Windows Analysis Report
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe

Overview

General Information

Sample name:6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe
Analysis ID:1465785
MD5:3871bbbefaf123ebba9f9206f883b745
SHA1:26d3061bdfef52df29f9217b2b14fdc8b8b64b4b
SHA256:b96ead45662311cf0c80a5e328a09f7dbcb5eb0af898b522bd3ae3f1062804f4
Tags:exe

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "94.156.69.93:2973:0", "Assigned name": "REVOLT", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HKC0PV", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | REMCOS_RAT_variants | unknown | unknown
  • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b6c:$str_b2: Executing file:
  • 0x65bec:$str_b3: GetDirectListeningPort
  • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65718:$str_b7: \update.vbs
  • 0x64b94:$str_b9: Downloaded file:
  • 0x64b80:$str_b10: Downloading file:
  • 0x64c24:$str_b12: Failed to upload file:
  • 0x65bb4:$str_b13: StartForward
  • 0x65bd4:$str_b14: StopForward
  • 0x65670:$str_b15: fso.DeleteFile "
  • 0x65604:$str_b16: On Error Resume Next
  • 0x656a0:$str_b17: fso.DeleteFolder "
  • 0x64c14:$str_b18: Uploaded file:
  • 0x64bd4:$str_b19: Unable to delete:
  • 0x65638:$str_b20: while fso.FileExists("
  • 0x650b1:$str_c0: [Firefox StoredLogins not found]
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6497c:$s1: CoGetObject
  • 0x64990:$s1: CoGetObject
  • 0x649ac:$s1: CoGetObject
  • 0x6e938:$s1: CoGetObject
  • 0x6493c:$s2: Elevation:Administrator!new:
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Source | Rule | Description | Author | Strings
00000000.00000002.4092450793.000000000237F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.4092237581.000000000051C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.1645890544.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.1645890544.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000000.1645890544.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x134a8:$a1: Remcos restarted by watchdog!
  • 0x13a20:$a3: %02i:%02i:%02i:%03i
Source | Rule | Description | Author | Strings
0.0.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.0.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.0.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i

                        Stealing of Sensitive Information

                        Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, ProcessId: 7428, TargetFilename: C:\ProgramData\remcos\logs.dat
                        Timestamp:07/02/24-04:11:56.507450
                        SID:2032776
                        Source Port:49730
                        Destination Port:2973
                        Protocol:TCP
                        Classtype:A Network Trojan was detected
                        Timestamp:07/02/24-04:14:27.058280
                        SID:2032777
                        Source Port:2973
                        Destination Port:49730
                        Protocol:TCP
                        Classtype:A Network Trojan was detected


                        AV Detection

                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeAvira: detected
                        Source: 00000000.00000002.4092237581.00000000004DE000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "94.156.69.93:2973:0", "Assigned name": "REVOLT", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HKC0PV", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                        Source: 94.156.69.93Virustotal: Detection: 9%Perma Link
                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeReversingLabs: Detection: 86%
                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeVirustotal: Detection: 79%Perma Link
                        Source: Yara matchFile source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.4092450793.000000000237F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.4092237581.000000000051C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.1645890544.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.4092237581.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe PID: 7428, type: MEMORYSTR
                        Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeJoe Sandbox ML: detected
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_00433837
                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_31521145-9

                        Exploits

                        Source: Yara matchFile source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000000.1645890544.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe PID: 7428, type: MEMORYSTR

                        Privilege Escalation

                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_004074FD _wcslen,CoGetObject,0_2_004074FD
                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00409253
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C291
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C34D
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00409665
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_0040880C
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_0040783C FindFirstFileW,FindNextFileW,0_2_0040783C
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419AF5
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB30
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD37
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407C97

                        Networking

                        Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49730 -> 94.156.69.93:2973
                        Source: TrafficSnort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 94.156.69.93:2973 -> 192.168.2.4:49730
                        Source: Malware configuration extractorURLs: 94.156.69.93
                        Source: global trafficTCP traffic: 192.168.2.4:49730 -> 94.156.69.93:2973
                        Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                        Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                        Source: Joe Sandbox ViewASN Name: TERASYST-ASBG TERASYST-ASBG
                        Source: unknownTCP traffic detected without corresponding DNS query: 94.156.69.93
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_0041B380
                        Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                        Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000053D000.00000004.00000020.00020000.00000000.sdmp, 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000003.1662804272.000000000053D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000003.1662804272.000000000051C000.00000004.00000020.00020000.00000000.sdmp, 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000053D000.00000004.00000020.00020000.00000000.sdmp, 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000003.1662804272.000000000053D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeString found in binary or memory: http://geoplugin.net/json.gp/C
                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000051C000.00000004.00000020.00020000.00000000.sdmp, 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000003.1662804272.000000000051C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl
                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000051C000.00000004.00000020.00020000.00000000.sdmp, 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000003.1662804272.000000000051C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpr
                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000053D000.00000004.00000020.00020000.00000000.sdmp, 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000003.1662804272.000000000053D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpunixPschedvmbusRFCOMMfn

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,000000000_2_0040A2B8
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeJump to behavior
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B70E
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004168C1
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B70E
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_0040A3E0

                        E-Banking Fraud

                        Source: Yara matchFile source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.4092450793.000000000237F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.4092237581.000000000051C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.1645890544.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.4092237581.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe PID: 7428, type: MEMORYSTR
                        Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_0041C9E2 SystemParametersInfoW,0_2_0041C9E2

                        System Summary

                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
                        Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, type: SAMPLEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.0.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 0.2.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 0.0.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                        Source: 0.2.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                        Source: 0.0.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.2.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 00000000.00000000.1645890544.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe PID: 7428, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeProcess Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle | 0_2_004132D2
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle | 0_2_0041BB09
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle | 0_2_0041BB35
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress | 0_2_004167B4
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0043E0CC | 0_2_0043E0CC
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0041F0FA | 0_2_0041F0FA
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00454159 | 0_2_00454159
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00438168 | 0_2_00438168
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_004461F0 | 0_2_004461F0
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0043E2FB | 0_2_0043E2FB
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0045332B | 0_2_0045332B
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0042739D | 0_2_0042739D
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_004374E6 | 0_2_004374E6
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0043E558 | 0_2_0043E558
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00438770 | 0_2_00438770
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_004378FE | 0_2_004378FE
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00433946 | 0_2_00433946
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0044D9C9 | 0_2_0044D9C9
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00427A46 | 0_2_00427A46
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0041DB62 | 0_2_0041DB62
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00427BAF | 0_2_00427BAF
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00437D33 | 0_2_00437D33
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00435E5E | 0_2_00435E5E
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00426E0E | 0_2_00426E0E
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0043DE9D | 0_2_0043DE9D
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00413FCA | 0_2_00413FCA
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00436FEA | 0_2_00436FEA
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: String function: 00434770 appears 42 times
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: String function: 00401E65 appears 35 times
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000000.1645890544.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe PID: 7428, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@1/2
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError | 0_2_00417952
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle | 0_2_0040F474
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource | 0_2_0041B4A8
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 0_2_0041AA4A
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-HKC0PV
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: Software\ | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: Rmc-HKC0PV | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: Exe | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: Exe | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: Rmc-HKC0PV | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: Inj | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: Inj | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: 8SG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: exepath | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: 8SG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: exepath | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: licence | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: dMG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: PSG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: Administrator | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: User | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: del | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: del | 0_2_0040E9C5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Command line argument: del | 0_2_0040E9C5
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | ReversingLabs: Detection: 86%
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Virustotal: Detection: 79%
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 0_2_0041CB50
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00457106 push ecx; ret | 0_2_00457119
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00457A28 push eax; ret | 0_2_00457A46
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00434E56 push ecx; ret | 0_2_00434E69
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW | 0_2_00406EB0
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 0_2_0041AA4A
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 0_2_0041CB50
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: 0_2_0040F7A7 Sleep,ExitProcess,0_2_0040F7A7
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_0041A748
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeWindow / User API: threadDelayed 9274Jump to behavior
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exeWindow / User API: foregroundWindowGot 1771Jump to behavior
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe TID: 7456Thread sleep count: 252 > 30Jump to behavior
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe TID: 7456Thread sleep time: -126000s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe TID: 7460Thread sleep count: 217 > 30Jump to behavior
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe TID: 7460Thread sleep time: -651000s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe TID: 7460Thread sleep count: 9274 > 30Jump to behavior
                        Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe TID: 7460Thread sleep time: -27822000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose | 0_2_00409253
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose | 0_2_0041C291
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose | 0_2_0040C34D
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose | 0_2_00409665
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose | 0_2_0040880C
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0040783C FindFirstFileW,FindNextFileW | 0_2_0040783C
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW | 0_2_00419AF5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 0_2_0040BB30
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 0_2_0040BD37
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW | 0_2_00407C97
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000003.1662804272.0000000000558000.00000004.00000020.00020000.00000000.sdmp, 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.0000000000558000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | API call chain: ExitProcess graph end node | graph_0-48275
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_004349F9
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 0_2_0041CB50
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_004432B5 mov eax, dword ptr fs:[00000030h] | 0_2_004432B5
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00412077 GetProcessHeap,HeapFree | 0_2_00412077
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_004349F9
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00434B47 SetUnhandledExceptionFilter | 0_2_00434B47
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_0043BB22
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_00434FDC
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 0_2_00412117
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00419627 mouse_event | 0_2_00419627
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerPV\38
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager*w
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFw-9
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerPV\
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerPV\79
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerPV\$@
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager7w:9
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerPV\72
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerPV\#@
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerHw#9
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerPV\791@
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000003.1662890028.000000000054B000.00000004.00000020.00020000.00000000.sdmp, 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000003.1662804272.000000000053D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managernet/
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerPV\*@
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000051C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerPV\|OR9
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerPV\U@
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.00000000004DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managercal\Micj
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager w
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000054D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager_w
Source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.dr | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00434C52 cpuid | 0_2_00434C52
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: GetLocaleInfoA | 0_2_0040F8D1
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: EnumSystemLocalesW | 0_2_00452036
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 0_2_004520C3
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: GetLocaleInfoW | 0_2_00452313
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: EnumSystemLocalesW | 0_2_00448404
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 0_2_0045243C
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: GetLocaleInfoW | 0_2_00452543
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 0_2_00452610
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: GetLocaleInfoW | 0_2_004488ED
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 0_2_00451CD8
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: EnumSystemLocalesW | 0_2_00451F50
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: EnumSystemLocalesW | 0_2_00451F9B
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread | 0_2_00404F51
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_0041B60D GetComputerNameExW,GetUserNameW | 0_2_0041B60D
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: 0_2_004493AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte | 0_2_004493AD

                        Stealing of Sensitive Information

Source: Yara match | File source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, type: SAMPLE
Source: Yara match | File source: 0.0.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4092450793.000000000237F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4092237581.000000000051C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1645890544.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4092237581.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe PID: 7428, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 0_2_0040BA12
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 0_2_0040BB30
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: \key3.db | 0_2_0040BB30

                        Remote Access Functionality

Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HKC0PV
Source: Yara match | File source: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, type: SAMPLE
Source: Yara match | File source: 0.0.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4092450793.000000000237F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4092237581.000000000051C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1645890544.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4092237581.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe PID: 7428, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | Code function: cmd.exe | 0_2_0040569A
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Masquerading | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | 12 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Source | Detection | Scanner | Label
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | 87% | ReversingLabs | Win32.Backdoor.Remcos
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | 79% | Virustotal |
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | 100% | Avira | BDS/Backdoor.Gen
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
geoplugin.net | 1% | Virustotal |
Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
http://geoplugin.net/json.gpl | 0% | Avira URL Cloud | safe
94.156.69.93 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpr | 0% | Avira URL Cloud | safe
http://geoplugin.net/ | 0% | Avira URL Cloud | safe
http://geoplugin.net/ | 1% | Virustotal |
http://geoplugin.net/json.gpr | 0% | Virustotal |
94.156.69.93 | 9% | Virustotal |
http://geoplugin.net/json.gpl | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false |  | unknown
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
94.156.69.93 | true | 9%, Virustotal; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gpr | 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000051C000.00000004.00000020.00020000.00000000.sdmp, 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000003.1662804272.000000000051C000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://geoplugin.net/ | 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000053D000.00000004.00000020.00020000.00000000.sdmp, 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000003.1662804272.000000000053D000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpl | 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000002.4092237581.000000000051C000.00000004.00000020.00020000.00000000.sdmp, 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, 00000000.00000003.1662804272.000000000051C000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
94.156.69.93 | unknown | Bulgaria | 31420 | TERASYST-ASBG | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1465785
Start date and time: 2024-07-02 04:11:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@1/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 38
                        • Number of non-executed functions: 211
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240s for sample files taking high CPU consumption
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
22:12:27 | API Interceptor | 8383472x Sleep call for process: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe modified
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        94.156.69.93HUED23EDE5UGRFQ.exeGet hashmaliciousRemcosBrowse
                          UHUH45EDRFQ.exeGet hashmaliciousRemcosBrowse
                            178.237.33.50HUED23EDE5UGRFQ.exeGet hashmaliciousRemcosBrowse
                            • geoplugin.net/json.gp
                            DHL Shipping Document Awb & BL.vbsGet hashmaliciousGuLoader, RemcosBrowse
                            • geoplugin.net/json.gp
                            tWitaq427K.exeGet hashmaliciousRemcos, AgentTeslaBrowse
                            • geoplugin.net/json.gp
                            TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbsGet hashmaliciousGuLoader, RemcosBrowse
                            • geoplugin.net/json.gp
                            Offer ZI-0428.docGet hashmaliciousRemcosBrowse
                            • geoplugin.net/json.gp
                            cKiTq7RRCn.exeGet hashmaliciousRemcosBrowse
                            • geoplugin.net/json.gp
                            INQUIRY#809676-JULY1.xla.xlsxGet hashmaliciousRemcosBrowse
                            • geoplugin.net/json.gp
                            INQUIRY#809676-JULY1.xla.xlsxGet hashmaliciousRemcosBrowse
                            • geoplugin.net/json.gp
                            Quotation.xlsGet hashmaliciousRemcosBrowse
                            • geoplugin.net/json.gp
                            awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbsGet hashmaliciousGuLoader, RemcosBrowse
                            • geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | HUED23EDE5UGRFQ.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | DHL Shipping Document Awb & BL.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | tWitaq427K.exe | malicious | Remcos, AgentTesla | 178.237.33.50
geoplugin.net | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | Offer ZI-0428.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | cKiTq7RRCn.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
geoplugin.net | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
geoplugin.net | Quotation.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs | malicious | GuLoader, Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TERASYST-ASBG | HUED23EDE5UGRFQ.exe | malicious | Remcos | 94.156.69.93
TERASYST-ASBG | s1C1DWgj73.elf | malicious | Mirai | 94.156.67.161
TERASYST-ASBG | ScjfNQG5l0.elf | malicious | Unknown | 94.156.67.161
TERASYST-ASBG | Jieok44uQ5.elf | malicious | Mirai | 94.156.67.161
TERASYST-ASBG | 94.156.67.161-mips-2024-07-01T10_28_03.elf | malicious | Mirai | 94.156.67.161
TERASYST-ASBG | 94.156.67.161-arm-2024-07-01T10_28_03.elf | malicious | Unknown | 94.156.67.161
TERASYST-ASBG | UHUH45EDRFQ.exe | malicious | Remcos | 94.156.69.93
TERASYST-ASBG | 0GrL5SShus.exe | malicious | XWorm | 94.156.68.110
TERASYST-ASBG | 9444f34a94d494a78e19e19f4e1615744e500aca97a56.exe | malicious | Mars Stealer, Stealc, Vidar | 94.156.68.153
TERASYST-ASBG | 9mgWSJhsD0.rtf | malicious | Remcos | 94.156.68.221
ATOM86-ASATOM86NL | HUED23EDE5UGRFQ.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | DHL Shipping Document Awb & BL.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | tWitaq427K.exe | malicious | Remcos, AgentTesla | 178.237.33.50
ATOM86-ASATOM86NL | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Offer ZI-0428.doc | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | cKiTq7RRCn.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Quotation.xls | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs | malicious | GuLoader, Remcos | 178.237.33.50
                            No context
                            No context
                            Process:C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):144
                            Entropy (8bit):3.3603882199736725
                            Encrypted:false
                            SSDEEP:3:rhlKlVm8l5b5JWRal2Jl+7R0DAlBG45klovDl6v:6lVNl5b5YcIeeDAlOWAv
                            MD5:A708EC951C76241E593262DE4B488CAB
                            SHA1:3533DFA6749310C3178B69B74FA5A597CD36C722
                            SHA-256:310E55FDC030F9E5A10292C3773A7406A7B952434F9B2222BAE34C0E1FC5013A
                            SHA-512:35E6705948255EEF21DAF6D5FEA55B94008D7E266874943F6D6F225DA339E4E13CCE59D7047B9D6A7CBB8AB17BD6C4AA416DFA3769B9B731471FD7299D28643C
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                            Reputation:low
                            Preview:....[.2.0.2.4./.0.7./.0.1. .2.2.:.1.1.:.5.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
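The dropped file above is the Remcos offline keylogger log, C:\ProgramData\remcos\logs.dat. The preview is UTF-16LE text: a session header carrying the local start time, then the title of the foreground window in square brackets ("Program Manager" is the desktop shell window, so no application had focus when the hook was installed). The following parser is an added example and is not part of the Joe Sandbox report. SAMPLE_LOGS_DAT is reconstructed from the preview: the unprintable bytes are assumed to be CRLF separators, which reproduces the reported size of exactly 144 bytes. Treating any non-bracketed line as keystroke text belonging to the preceding window title is an assumption about the format, not something the report states.

```python
import re
from datetime import datetime

# Reconstructed from the report's preview of C:\ProgramData\remcos\logs.dat.
# The preview prints non-text bytes as dots; CRLF separators are assumed here,
# which reproduces the reported file size of 144 bytes (72 UTF-16LE code units).
SAMPLE_LOGS_DAT = (
    "\r\n[2024/07/01 22:11:55 Offline Keylogger Started]\r\n"
    "\r\n[Program Manager]\r\n"
).encode("utf-16-le")

# Session header written when the keylogger starts.
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\w+) Keylogger Started\]$"
)
# Foreground window title, logged whenever focus changes.
WINDOW_RE = re.compile(r"^\[(.+)\]$")


def parse_remcos_log(raw: bytes) -> list:
    """Split a Remcos logs.dat into sessions -> windows -> captured keystrokes."""
    if raw.startswith(b"\xff\xfe"):        # tolerate an optional UTF-16LE BOM
        raw = raw[2:]
    if len(raw) % 2:                        # drop a truncated trailing code unit
        raw = raw[:-1]
    text = raw.decode("utf-16-le", errors="replace")

    sessions = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {
                "started": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                "mode": m.group(2),
                "windows": [],
            }
            sessions.append(current)
            continue
        if current is None:                 # data before any session header
            continue
        m = WINDOW_RE.match(line)
        if m:
            current["windows"].append({"title": m.group(1), "keys": ""})
            continue
        # Assumption: every other line is keystroke text for the last window.
        if current["windows"]:
            current["windows"][-1]["keys"] += line
    return sessions


def summarize(sessions: list) -> list:
    """One (start time, window title, keystroke count) tuple per logged window."""
    rows = []
    for s in sessions:
        for w in s["windows"]:
            rows.append((s["started"].isoformat(sep=" "), w["title"], len(w["keys"])))
    return rows


if __name__ == "__main__":
    for row in summarize(parse_remcos_log(SAMPLE_LOGS_DAT)):
        print(row)
```

The session timestamp recovered from the file (2024/07/01 22:11:55) matches the process start time reported further down, which is a quick way to tie a recovered logs.dat back to the process that wrote it during triage.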
                            Process:C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):962
                            Entropy (8bit):5.012309356796613
                            Encrypted:false
                            SSDEEP:12:tklu+mnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdbauKyGX85jvXhNlT3/7AcV9Wro
                            MD5:14B479958E659C5A4480548A393022AC
                            SHA1:CD0766C1DAB80656D469ABDB22917BE668622015
                            SHA-256:0F92BDD807D2F5C9947E1775A20231233043C171F62E1AFA705A7E7938909BFE
                            SHA-512:4E87CA47392DD9710F9E3D4A2124A34B41938986A4F43D50A48623DB1838C0D6CFF05FD2A23792DCD5A974A94416C97DC04ECEF85025FC785F3393B69A0B1DC5
                            Malicious:false
                            Reputation:low
                            Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):6.5969864081917
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe
                            File size:494'080 bytes
                            MD5:3871bbbefaf123ebba9f9206f883b745
                            SHA1:26d3061bdfef52df29f9217b2b14fdc8b8b64b4b
                            SHA256:b96ead45662311cf0c80a5e328a09f7dbcb5eb0af898b522bd3ae3f1062804f4
                            SHA512:bdaf78daa54e48df8338574b837aa4779d1b94ab6da7f33eb346063084e334c66ca7d286564af81fb4a980030bd97f5d9cd82007b92d120ac4c5c64e7207b843
                            SSDEEP:6144:dXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZ5AXIcN85Gv:dX7tPMK8ctGe4Dzl4h2QnuPs/Z5Fcv
                            TLSH:E8B49E01BAD1C072D57524300D36F776EAB8BD2028364A7B73D61D5BFE31190B62AAB7
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-H..~H..~H..~.f$~[..~.f&~...~.f'~V..~A.Q~I..~.Z.~J..~....R..~....r..~....j..~A.F~Q..~H..~u..~....,..~..*~I..~....I..~RichH..
                            Icon Hash:95694d05214c1b33
                            Entrypoint:0x4349ef
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:TERMINAL_SERVER_AWARE
                            Time Stamp:0x66728C58 [Wed Jun 19 07:44:24 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:8d5087ff5de35c3fbb9f212b47d63cad
                            Instruction
                            call 00007F3F6094E3CCh
                            jmp 00007F3F6094DDE3h
                            push ebp
                            mov ebp, esp
                            sub esp, 00000324h
                            push ebx
                            push esi
                            push 00000017h
                            call 00007F3F60970644h
                            test eax, eax
                            je 00007F3F6094DF57h
                            mov ecx, dword ptr [ebp+08h]
                            int 29h
                            xor esi, esi
                            lea eax, dword ptr [ebp-00000324h]
                            push 000002CCh
                            push esi
                            push eax
                            mov dword ptr [00471D14h], esi
                            call 00007F3F609503B7h
                            add esp, 0Ch
                            mov dword ptr [ebp-00000274h], eax
                            mov dword ptr [ebp-00000278h], ecx
                            mov dword ptr [ebp-0000027Ch], edx
                            mov dword ptr [ebp-00000280h], ebx
                            mov dword ptr [ebp-00000284h], esi
                            mov dword ptr [ebp-00000288h], edi
                            mov word ptr [ebp-0000025Ch], ss
                            mov word ptr [ebp-00000268h], cs
                            mov word ptr [ebp-0000028Ch], ds
                            mov word ptr [ebp-00000290h], es
                            mov word ptr [ebp-00000294h], fs
                            mov word ptr [ebp-00000298h], gs
                            pushfd
                            pop dword ptr [ebp-00000264h]
                            mov eax, dword ptr [ebp+04h]
                            mov dword ptr [ebp-0000026Ch], eax
                            lea eax, dword ptr [ebp+04h]
                            mov dword ptr [ebp-00000260h], eax
                            mov dword ptr [ebp-00000324h], 00010001h
                            mov eax, dword ptr [eax-04h]
                            push 00000050h
                            mov dword ptr [ebp-00000270h], eax
                            lea eax, dword ptr [ebp-58h]
                            push esi
                            push eax
                            call 00007F3F6095032Eh
                            Programming Language:
                            • [C++] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eea8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4890 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bcc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d340 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3d4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d378 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x4fc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x57175 | 0x57200 | f959ed65f49a903603bc150bbb7292aa | False | 0.571329694225251 | data | 6.62552167894442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x179b6 | 0x17a00 | cb0626634f7bf1c5779954b9e8e456d0 | False | 0.5005787037037037 | Zebra Metafile graphic (comment = \210\002\007) | 5.859466241544869 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d44 | 0xe00 | fa1a169b9414830def88848af87110b5 | False | 0.22154017857142858 | data | 3.00580031855032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x78000 | 0x230 | 0x400 | 09e4699aa75951ab53e804fe4f9a3b6b | False | 0.3271484375 | data | 2.349075166240886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x79000 | 0x4890 | 0x4a00 | ca713c8db28629121561d2d50e7df732 | False | 0.251953125 | data | 3.814432858743001 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x3bcc | 0x3c00 | 0a6e61b09628beca43d4bf9604f65238 | False | 0.7639973958333334 | data | 6.718533933603825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7d5cc | 0x281 | data | | | 1.0171606864274572
RT_GROUP_ICON | 0x7d850 | 0x3e | data | English | United States | 0.8064516129032258
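The 641-byte (0x281) RT_RCDATA resource at RVA 0x7d5cc is the one resource without a language tag, and its ZLIB complexity is above 1.0, meaning the data does not shrink at all under compression, which is what a random-looking encrypted blob looks like. Remcos is publicly documented to store its configuration in an RT_RCDATA resource named SETTINGS laid out as one key-length byte, the RC4 key itself, and then the RC4-encrypted config, whose fields recent versions separate with the byte sequence `|\x1e\x1e\x1f|`. The report states that a configuration was recovered ("Found malware configuration") but does not reproduce the blob, so the example below builds one itself: a made-up key and a made-up config whose first field is the C2 observed in this report. This is an added example, not code from the report or from Joe Security; the layout and the separator are the documented ones but should be checked against the live sample, since the separator has changed between Remcos versions. The resource bytes themselves can be pulled from the binary with any PE resource extractor.

```python
from typing import List, Tuple

# Field separator used by recent Remcos SETTINGS configs. Assumption to verify
# against the sample under analysis; older builds used a different separator.
FIELD_SEP = b"|\x1e\x1e\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_settings_blob(key: bytes, fields: List[str]) -> bytes:
    """Produce a blob in the Remcos SETTINGS layout: [key_len][key][RC4(config)]."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    plaintext = FIELD_SEP.join(f.encode("latin-1") for f in fields)
    return bytes([len(key)]) + key + rc4(key, plaintext)


def decrypt_settings(blob: bytes) -> List[str]:
    """Recover the config fields from the raw bytes of a SETTINGS resource."""
    if len(blob) < 3:
        raise ValueError("blob too short for the SETTINGS layout")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("key length byte is not consistent with the blob size")
    key = blob[1:1 + key_len]
    plaintext = rc4(key, blob[1 + key_len:])
    if FIELD_SEP not in plaintext:
        raise ValueError("no field separators after decryption: wrong layout or version")
    return [f.decode("latin-1") for f in plaintext.split(FIELD_SEP)]


def parse_c2(fields: List[str]) -> Tuple[str, int]:
    """The first field carries the C2 as host:port[:...]; return (host, port)."""
    host, port, *_ = fields[0].split(":")
    return host, int(port)


# Constructed sample, not the real resource: made-up key and config, with the
# C2 observed in this report (94.156.69.93:2973) as the first field.
SAMPLE_KEY = bytes.fromhex("5a3c9e0172b4d6f8")
SAMPLE_FIELDS = ["94.156.69.93:2973:1", "RemoteHost", "remcos", "1", "0"]
SAMPLE_BLOB = build_settings_blob(SAMPLE_KEY, SAMPLE_FIELDS)

if __name__ == "__main__":
    recovered = decrypt_settings(SAMPLE_BLOB)
    print("C2:", parse_c2(recovered))
    print("fields:", recovered)
```

Because the key travels inside the resource, recovering the C2 from a Remcos binary never requires running it; the same function applied to the real resource yields the host and port that the Snort alerts below observed on the wire.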
DLL | Import
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll | GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, GetMessageA, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, DispatchMessageA, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, GetIconInfo, GetSystemMetrics, AppendMenuA, RegisterClassExA, GetCursorPos, SetForegroundWindow, DrawIcon, SystemParametersInfoW
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll | waveInUnprepareHeader, waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader
WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
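Read as a whole, the import table lines up with the behaviours listed in the report's signatures: SetWindowsHookExA, CallNextHookEx and ToUnicodeEx for the global keyboard hook; OpenClipboard, GetClipboardData and SetClipboardData for reading and modifying the clipboard; CreateProcessW together with WriteProcessMemory, GetThreadContext, SetThreadContext and ResumeThread for RunPE-style injection into a suspended process; CoGetObject, which is how the COM elevation moniker behind the CMSTPLUA UAC bypass is requested; URLDownloadToFileW with ShellExecuteW for download-and-execute; the waveIn* family for microphone capture; BitBlt and GetDIBits with the GDI+ encoders for screenshots; and raw WS2_32 sockets for the C2 channel. The script below is an added example, not part of the report: it parses import lines in the format printed on this page and tags API combinations with the capability they imply. The rule set is a heuristic written for this example, and the import excerpt used as sample input is trimmed from the table above.

```python
import re
from typing import Dict, List, Set

# Excerpt of this sample's import table, trimmed; format as printed in the report.
IMPORT_TABLE = """
KERNEL32.dllCreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualAlloc, OpenProcess, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, IsDebuggerPresent, CreateMutexA, GetProcAddress, LoadLibraryA
USER32.dllGetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, SetClipboardData, EmptyClipboard, SystemParametersInfoW
GDI32.dllBitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetDIBits, DeleteObject, CreateDCA
ADVAPI32.dllOpenSCManagerW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegSetValueExW, RegCreateKeyExW
SHELL32.dllShellExecuteExA, ShellExecuteW
ole32.dllCoInitializeEx, CoUninitialize, CoGetObject
WINMM.dllwaveInOpen, waveInStart, waveInAddBuffer, waveInClose
WS2_32.dllgethostbyname, send, WSAStartup, closesocket, recv, connect, socket
urlmon.dllURLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dllGdipSaveImageToStream, GdipGetImageEncoders, GdiplusStartup
"""

# Heuristic rules for this example: every listed API must be imported for a tag to fire.
RULES: Dict[str, Set[str]] = {
    "keyboard hook (keylogger)": {"SetWindowsHookExA", "CallNextHookEx", "ToUnicodeEx"},
    "clipboard read": {"OpenClipboard", "GetClipboardData"},
    "clipboard write": {"OpenClipboard", "EmptyClipboard", "SetClipboardData"},
    "RunPE-style process injection": {"CreateProcessW", "WriteProcessMemory",
                                      "GetThreadContext", "SetThreadContext", "ResumeThread"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    # The CMSTPLUA bypass asks COM for an elevated object through CoGetObject.
    "UAC bypass via COM elevation moniker": {"CoGetObject"},
    "download and execute": {"URLDownloadToFileW", "ShellExecuteW"},
    "microphone capture": {"waveInOpen", "waveInStart", "waveInAddBuffer"},
    "screen capture": {"BitBlt", "CreateCompatibleBitmap", "GetDIBits", "GdipSaveImageToStream"},
    "raw TCP C2": {"WSAStartup", "socket", "connect", "send", "recv"},
    "service enumeration": {"OpenSCManagerW", "EnumServicesStatusW"},
    "token privilege adjustment": {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"},
    "anti-debug check": {"IsDebuggerPresent"},
}

# 'KERNEL32.dllFoo, Bar' as printed here: the DLL name runs straight into the list.
DLL_LINE = re.compile(r"^(\S+?\.dll)(.*)$", re.IGNORECASE)


def parse_imports(table: str) -> Dict[str, Set[str]]:
    """Turn the report's import lines into {'kernel32.dll': {'Foo', 'Bar'}, ...}."""
    imports: Dict[str, Set[str]] = {}
    for line in table.splitlines():
        m = DLL_LINE.match(line.strip())
        if not m:
            continue
        funcs = {f.strip() for f in m.group(2).split(",") if f.strip()}
        imports.setdefault(m.group(1).lower(), set()).update(funcs)
    return imports


def capabilities(imports: Dict[str, Set[str]]) -> List[str]:
    """Return the tags whose required API sets are all present, in rule order."""
    present: Set[str] = set().union(*imports.values()) if imports else set()
    return [tag for tag, apis in RULES.items() if apis <= present]


if __name__ == "__main__":
    for tag in capabilities(parse_imports(IMPORT_TABLE)):
        print(tag)
```

An import-based triage like this is only a first pass: a packed or API-hashing sample imports almost nothing, and a benign remote-support tool legitimately imports much of the same set, so the tags point at what to verify in the dynamic trace rather than deliver a verdict on their own.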
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/02/24-04:11:56.507450 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
07/02/24-04:14:27.058280 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 2, 2024 04:11:56.498486996 CEST | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
Jul 2, 2024 04:11:56.503335953 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:11:56.506443977 CEST | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
Jul 2, 2024 04:11:56.507450104 CEST | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
Jul 2, 2024 04:11:56.512243032 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:11:57.322745085 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:11:57.324259996 CEST | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
Jul 2, 2024 04:11:57.329061031 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:11:57.451018095 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:11:57.500910997 CEST | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
Jul 2, 2024 04:11:57.513459921 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jul 2, 2024 04:11:57.518259048 CEST | 80 | 49731 | 178.237.33.50 | 192.168.2.4
Jul 2, 2024 04:11:57.518325090 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jul 2, 2024 04:11:57.518480062 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jul 2, 2024 04:11:57.523636103 CEST | 80 | 49731 | 178.237.33.50 | 192.168.2.4
Jul 2, 2024 04:11:58.128983974 CEST | 80 | 49731 | 178.237.33.50 | 192.168.2.4
Jul 2, 2024 04:11:58.129043102 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jul 2, 2024 04:11:58.152570009 CEST | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
Jul 2, 2024 04:11:58.157493114 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:11:59.128356934 CEST | 80 | 49731 | 178.237.33.50 | 192.168.2.4
Jul 2, 2024 04:11:59.128434896 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jul 2, 2024 04:12:25.715359926 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:12:25.716865063 CEST | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
Jul 2, 2024 04:12:25.721864939 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:12:55.854429960 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:12:55.859059095 CEST | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
Jul 2, 2024 04:12:55.863878965 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:13:26.357368946 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:13:26.359908104 CEST | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
Jul 2, 2024 04:13:26.364738941 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:13:47.485515118 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jul 2, 2024 04:13:47.813492060 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jul 2, 2024 04:13:48.426768064 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jul 2, 2024 04:13:49.627728939 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jul 2, 2024 04:13:52.040965080 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jul 2, 2024 04:13:56.639604092 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:13:56.641139984 CEST | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
Jul 2, 2024 04:13:56.645919085 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:13:56.922899961 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jul 2, 2024 04:14:06.626018047 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jul 2, 2024 04:14:27.058279991 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:14:27.059600115 CEST | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
Jul 2, 2024 04:14:27.065602064 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:14:57.384797096 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:14:57.398089886 CEST | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
Jul 2, 2024 04:14:57.402910948 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:15:27.816159964 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:15:27.818070889 CEST | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
Jul 2, 2024 04:15:27.822768927 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:15:58.368406057 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
Jul 2, 2024 04:15:58.369826078 CEST | 49730 | 2973 | 192.168.2.4 | 94.156.69.93
Jul 2, 2024 04:15:58.374902010 CEST | 2973 | 49730 | 94.156.69.93 | 192.168.2.4
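The two Snort alerts fire on the initial check-in and on one server response, but the flow table carries a second, signature-free signal: once the handshake with 94.156.69.93:2973 is done, the server sends a short burst roughly every 30 seconds (04:12:25, 04:12:55, 04:13:26, 04:13:56, 04:14:27 and so on), the keep-alive rhythm of an idle Remcos session, while the geoplugin.net connection on port 80 is a single request and response. The script below is an added example, not part of the report: it clusters the packets of one conversation into bursts, measures the inter-burst period and flags a conversation whose bursts repeat with low jitter. The timestamps embedded as input are the server-to-client packets of the two conversations copied from the table above; the clustering gap, minimum burst count and jitter tolerance are values chosen for this example.

```python
import statistics
from typing import Dict, List, Optional

# Server-to-client packet times from the report's TCP table (same day, CEST),
# keyed by the remote endpoint. Copied from the table above, not constructed.
CONVERSATIONS: Dict[str, str] = {
    "94.156.69.93:2973": """
        04:11:56.503335953 04:11:56.512243032 04:11:57.322745085 04:11:57.329061031
        04:11:57.451018095 04:11:58.157493114 04:12:25.715359926 04:12:25.721864939
        04:12:55.854429960 04:12:55.863878965 04:13:26.357368946 04:13:26.364738941
        04:13:56.639604092 04:13:56.645919085 04:14:27.058279991 04:14:27.065602064
        04:14:57.384797096 04:14:57.402910948 04:15:27.816159964 04:15:27.822768927
        04:15:58.368406057 04:15:58.374902010""",
    "178.237.33.50:80": """
        04:11:57.518259048 04:11:57.523636103 04:11:58.128983974 04:11:59.128356934""",
}


def parse_time_of_day(ts: str) -> float:
    """'HH:MM:SS.nnnnnnnnn' -> seconds since midnight as a float."""
    hh, mm, ss = ts.split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)


def cluster_bursts(times: List[float], gap: float = 1.0) -> List[float]:
    """Start times of packet bursts; a new burst begins after silence longer than gap."""
    bursts: List[float] = []
    last: Optional[float] = None
    for t in sorted(times):
        if last is None or t - last > gap:
            bursts.append(t)
        last = t
    return bursts


def beacon_profile(times: List[float], min_bursts: int = 5,
                   jitter: float = 0.15) -> Optional[dict]:
    """Period and regularity of a conversation, or None when there are too few bursts."""
    bursts = cluster_bursts(times)
    if len(bursts) < min_bursts:
        return None
    deltas = [b - a for a, b in zip(bursts, bursts[1:])]
    period = statistics.median(deltas)
    inliers = sum(1 for d in deltas if abs(d - period) <= jitter * period)
    return {
        "bursts": len(bursts),
        "period_s": round(period, 3),
        "inlier_ratio": inliers / len(deltas),
    }


def is_beaconing(times: List[float], min_inlier_ratio: float = 0.8) -> bool:
    """True when enough bursts exist and most inter-burst gaps sit near the median."""
    profile = beacon_profile(times)
    return profile is not None and profile["inlier_ratio"] >= min_inlier_ratio


def profile_all(conversations: Dict[str, str]) -> Dict[str, Optional[dict]]:
    return {
        peer: beacon_profile([parse_time_of_day(t) for t in raw.split()])
        for peer, raw in conversations.items()
    }


if __name__ == "__main__":
    for peer, profile in profile_all(CONVERSATIONS).items():
        periodic = profile is not None and profile["inlier_ratio"] >= 0.8
        print(f"{peer:20} {'periodic beacon' if periodic else 'no beacon pattern'} {profile or ''}")
```

The handshake and first exchange at 04:11:56 to 04:11:58 collapse into one burst, so they do not disturb the period estimate; the median rather than the mean keeps a single delayed keep-alive from shifting it. Against the flows in this report the C2 conversation comes out at nine bursts with a period of about 30.4 seconds and every gap within tolerance, while the geoplugin.net exchange never reaches the minimum burst count.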
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 2, 2024 04:11:57.501483917 CEST | 61305 | 53 | 192.168.2.4 | 1.1.1.1
Jul 2, 2024 04:11:57.508588076 CEST | 53 | 61305 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 2, 2024 04:11:57.501483917 CEST | 192.168.2.4 | 1.1.1.1 | 0xc1c1 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 2, 2024 04:11:57.508588076 CEST | 1.1.1.1 | 192.168.2.4 | 0xc1c1 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                            • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 178.237.33.50 | 80 | 7428 | C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe
Timestamp | Bytes transferred | Direction | Data
Jul 2, 2024 04:11:57.518480062 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                            Host: geoplugin.net
                            Cache-Control: no-cache
Jul 2, 2024 04:11:58.128983974 CEST | 1170 | IN | HTTP/1.1 200 OK
                            date: Tue, 02 Jul 2024 02:11:58 GMT
                            server: Apache
                            content-length: 962
                            content-type: application/json; charset=utf-8
                            cache-control: public, max-age=300
                            access-control-allow-origin: *
                            Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 30 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                            Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                            Target ID:0
                            Start time:22:11:55
                            Start date:01/07/2024
                            Path:C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe"
                            Imagebase:0x400000
                            File size:494'080 bytes
                            MD5 hash:3871BBBEFAF123EBBA9F9206F883B745
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4092450793.000000000237F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4092237581.000000000051C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1645890544.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1645890544.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1645890544.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4092237581.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                            Reputation:low
                            Has exited:false

                              Execution Graph

                              Execution Coverage:4.3%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:21%
                              Total number of Nodes:1392
                              Total number of Limit Nodes:42
448957 11 API calls 2 library calls 47880->47885 47883->47877 47884->47883 47885->47883 47887 41b8f9 _Yarn ___scrt_fastfail 47886->47887 47888 402093 28 API calls 47887->47888 47889 414f49 47888->47889 47889->47157 47890->47174 47892 414f02 WSASetLastError 47891->47892 47893 414ef8 47891->47893 47892->47238 48046 414d86 29 API calls ___std_exception_copy 47893->48046 47895 414efd 47895->47892 47898 404846 socket 47897->47898 47899 404839 47897->47899 47901 404860 CreateEventW 47898->47901 47902 404842 47898->47902 48047 40489e WSAStartup 47899->48047 47901->47238 47902->47238 47903 40483e 47903->47898 47903->47902 47905 404f65 47904->47905 47906 404fea 47904->47906 47907 404f6e 47905->47907 47908 404fc0 CreateEventA CreateThread 47905->47908 47909 404f7d GetLocalTime 47905->47909 47906->47238 47907->47908 47908->47906 48049 405150 47908->48049 47910 41bb8e 28 API calls 47909->47910 47911 404f91 47910->47911 48048 4052fd 28 API calls 47911->48048 47920 404a1b 47919->47920 47921 4048ee 47919->47921 47922 404a21 WSAGetLastError 47920->47922 47972 40497e 47920->47972 47923 404923 47921->47923 47926 40531e 28 API calls 47921->47926 47921->47972 47924 404a31 47922->47924 47922->47972 48053 420c60 27 API calls 47923->48053 47927 404932 47924->47927 47928 404a36 47924->47928 47930 40490f 47926->47930 47933 402093 28 API calls 47927->47933 48058 41cae1 30 API calls 47928->48058 47929 40492b 47929->47927 47932 404941 47929->47932 47934 402093 28 API calls 47930->47934 47943 404950 47932->47943 47944 404987 47932->47944 47937 404a80 47933->47937 47938 40491e 47934->47938 47935 404a40 48059 4052fd 28 API calls 47935->48059 47940 402093 28 API calls 47937->47940 47941 41b4ef 80 API calls 47938->47941 47945 404a8f 47940->47945 47941->47923 47948 402093 28 API calls 47943->47948 48055 421a40 54 API calls 47944->48055 47949 41b4ef 80 API calls 47945->47949 47952 40495f 47948->47952 47949->47972 47951 40498f 47954 4049c4 47951->47954 47955 404994 47951->47955 47956 402093 28 API 
calls 47952->47956 48057 420e06 28 API calls 47954->48057 47958 402093 28 API calls 47955->47958 47959 40496e 47956->47959 47962 4049a3 47958->47962 47963 41b4ef 80 API calls 47959->47963 47961 4049cc 47964 4049f9 CreateEventW CreateEventW 47961->47964 47966 402093 28 API calls 47961->47966 47965 402093 28 API calls 47962->47965 47968 404973 47963->47968 47964->47972 47967 4049b2 47965->47967 47970 4049e2 47966->47970 47971 41b4ef 80 API calls 47967->47971 48054 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47968->48054 47973 402093 28 API calls 47970->47973 47974 4049b7 47971->47974 47972->47238 47975 4049f1 47973->47975 48056 4210b2 52 API calls 47974->48056 47977 41b4ef 80 API calls 47975->47977 47978 4049f6 47977->47978 47978->47964 48060 41b7b6 GlobalMemoryStatusEx 47979->48060 47981 41b7f5 47981->47238 48061 414580 47982->48061 47986 40dda5 47985->47986 47987 4134ff 3 API calls 47986->47987 47988 40ddac 47987->47988 47989 413549 3 API calls 47988->47989 47990 40ddc4 47988->47990 47989->47990 47990->47238 47992 4020b7 28 API calls 47991->47992 47993 41bc57 47992->47993 47993->47238 47994->47238 47996 436e90 ___scrt_fastfail 47995->47996 47997 41bab5 GetForegroundWindow GetWindowTextW 47996->47997 47998 40417e 28 API calls 47997->47998 47999 41badf 47998->47999 47999->47238 48001 402093 28 API calls 48000->48001 48002 40f8f6 48001->48002 48002->47238 48004 4020df 11 API calls 48003->48004 48005 402f3d 48004->48005 48006 4032a0 28 API calls 48005->48006 48007 402f59 48006->48007 48007->47238 48009 404ab4 48008->48009 48099 40520c 48009->48099 48011 404ac9 _Yarn 48012 404b40 WaitForSingleObject 48011->48012 48013 404b20 48011->48013 48015 404b56 48012->48015 48014 404b32 send 48013->48014 48016 404b7b 48014->48016 48105 42103a 54 API calls 48015->48105 48019 401fd8 11 API calls 48016->48019 48018 404b69 SetEvent 48018->48016 48020 404b83 48019->48020 48021 401fd8 11 API calls 48020->48021 48022 404b8b 48021->48022 48022->47238 48024 
4020df 11 API calls 48023->48024 48025 404c27 48024->48025 48026 4020df 11 API calls 48025->48026 48028 404c30 48026->48028 48027 43bd51 _Yarn 21 API calls 48027->48028 48028->48027 48030 4020b7 28 API calls 48028->48030 48031 404ca1 48028->48031 48032 401fe2 28 API calls 48028->48032 48034 401fd8 11 API calls 48028->48034 48123 404b96 48028->48123 48129 404cc3 48028->48129 48030->48028 48141 404e26 99 API calls 48031->48141 48032->48028 48034->48028 48035 404ca8 48036 401fd8 11 API calls 48035->48036 48037 404cb1 48036->48037 48038 401fd8 11 API calls 48037->48038 48039 404cba 48038->48039 48039->47238 48041->47238 48042->47203 48044->47203 48045->47203 48046->47895 48047->47903 48052 40515c 102 API calls 48049->48052 48051 405159 48052->48051 48053->47929 48054->47972 48055->47951 48056->47968 48057->47961 48058->47935 48060->47981 48064 414553 48061->48064 48065 414568 ___scrt_initialize_default_local_stdio_options 48064->48065 48068 43f79d 48065->48068 48071 43c4f0 48068->48071 48072 43c530 48071->48072 48073 43c518 48071->48073 48072->48073 48075 43c538 48072->48075 48093 4405dd 20 API calls _abort 48073->48093 48094 43a7b7 36 API calls 3 library calls 48075->48094 48077 43c548 48095 43cc76 20 API calls 2 library calls 48077->48095 48080 414576 48080->47238 48081 43c5c0 48096 43d2e4 51 API calls 3 library calls 48081->48096 48084 43c51d pre_c_initialization 48086 434fcb 48084->48086 48085 43c5cb 48097 43cce0 20 API calls _free 48085->48097 48087 434fd6 IsProcessorFeaturePresent 48086->48087 48088 434fd4 48086->48088 48090 435018 48087->48090 48088->48080 48098 434fdc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 48090->48098 48092 4350fb 48092->48080 48093->48084 48094->48077 48095->48081 48096->48085 48097->48084 48098->48092 48100 405214 48099->48100 48101 4023ce 11 API calls 48100->48101 48102 40521f 48101->48102 48106 405234 48102->48106 48104 40522e 48104->48011 48105->48018 48107 405240 48106->48107 48108 40526e 
48106->48108 48110 4028e8 28 API calls 48107->48110 48122 4028a4 22 API calls 48108->48122 48112 40524a 48110->48112 48112->48104 48124 404ba0 WaitForSingleObject 48123->48124 48125 404bcd recv 48123->48125 48142 421076 54 API calls 48124->48142 48126 404be0 48125->48126 48126->48028 48128 404bbc SetEvent 48128->48126 48130 4020df 11 API calls 48129->48130 48140 404cde 48130->48140 48131 404e13 48132 401fd8 11 API calls 48131->48132 48133 404e1c 48132->48133 48133->48028 48134 4041a2 28 API calls 48134->48140 48135 401fe2 28 API calls 48135->48140 48136 401fd8 11 API calls 48136->48140 48137 4020f6 28 API calls 48137->48140 48138 401fc0 28 API calls 48139 404dad CreateEventA CreateThread WaitForSingleObject FindCloseChangeNotification 48138->48139 48139->48140 48143 415aea 48139->48143 48140->48131 48140->48134 48140->48135 48140->48136 48140->48137 48140->48138 48141->48035 48142->48128 48144 4020f6 28 API calls 48143->48144 48145 415b0c SetEvent 48144->48145 48146 415b21 48145->48146 48147 4041a2 28 API calls 48146->48147 48148 415b3b 48147->48148 48149 4020f6 28 API calls 48148->48149 48150 415b4b 48149->48150 48151 4020f6 28 API calls 48150->48151 48152 415b5d 48151->48152 48153 41be1b 28 API calls 48152->48153 48154 415b66 48153->48154 48156 415b86 GetTickCount 48154->48156 48218 415ce5 48154->48218 48220 415cd6 48154->48220 48155 401e8d 11 API calls 48157 417092 48155->48157 48158 41bb8e 28 API calls 48156->48158 48159 401fd8 11 API calls 48157->48159 48160 415b97 48158->48160 48162 41709e 48159->48162 48222 41bae6 GetLastInputInfo GetTickCount 48160->48222 48165 401fd8 11 API calls 48162->48165 48164 415ba3 48166 41bb8e 28 API calls 48164->48166 48167 4170aa 48165->48167 48168 415bae 48166->48168 48169 41ba96 30 API calls 48168->48169 48170 415bbc 48169->48170 48223 41bd1e 48170->48223 48173 401e65 22 API calls 48174 415bd8 48173->48174 48175 402f31 28 API calls 48174->48175 48176 415be6 48175->48176 48227 402ea1 48176->48227 48179 402f10 28 API calls 48180 
415c04 48179->48180 48181 402ea1 28 API calls 48180->48181 48182 415c13 48181->48182 48183 402f10 28 API calls 48182->48183 48184 415c1f 48183->48184 48185 402ea1 28 API calls 48184->48185 48186 415c29 48185->48186 48187 404aa1 61 API calls 48186->48187 48188 415c38 48187->48188 48189 401fd8 11 API calls 48188->48189 48190 415c41 48189->48190 48191 401fd8 11 API calls 48190->48191 48192 415c4d 48191->48192 48193 401fd8 11 API calls 48192->48193 48194 415c59 48193->48194 48195 401fd8 11 API calls 48194->48195 48196 415c65 48195->48196 48197 401fd8 11 API calls 48196->48197 48198 415c71 48197->48198 48199 401fd8 11 API calls 48198->48199 48200 415c7d 48199->48200 48201 401f09 11 API calls 48200->48201 48202 415c86 48201->48202 48203 401fd8 11 API calls 48202->48203 48204 415c8f 48203->48204 48205 401fd8 11 API calls 48204->48205 48206 415c98 48205->48206 48207 401e65 22 API calls 48206->48207 48208 415ca3 48207->48208 48209 43baac 40 API calls 48208->48209 48210 415cb0 48209->48210 48211 415cb5 48210->48211 48212 415cdb 48210->48212 48214 415cc3 48211->48214 48215 415cce 48211->48215 48213 401e65 22 API calls 48212->48213 48213->48218 48236 404ff4 82 API calls 48214->48236 48217 404f51 105 API calls 48215->48217 48217->48220 48218->48220 48221 415cf9 48218->48221 48219 415cc9 48219->48220 48220->48155 48237 4050e4 84 API calls 48221->48237 48222->48164 48224 41bd2b 48223->48224 48225 4020b7 28 API calls 48224->48225 48226 415bca 48225->48226 48226->48173 48232 402eb0 48227->48232 48228 402ef2 48229 401fb0 28 API calls 48228->48229 48230 402ef0 48229->48230 48231 402055 11 API calls 48230->48231 48233 402f09 48231->48233 48232->48228 48234 402ee7 48232->48234 48233->48179 48238 403365 28 API calls 48234->48238 48236->48219 48237->48219 48238->48230 48240->47269 48241->47297 48242->47296 48243->47285 48244->47289 48245->47295 48246->47330 48251 40f7c2 48249->48251 48250 413549 3 API calls 48250->48251 48251->48250 48252 40f866 48251->48252 48254 40f856 Sleep 
48251->48254 48268 40f7f4 48251->48268 48255 40905c 28 API calls 48252->48255 48253 40905c 28 API calls 48253->48268 48254->48251 48256 40f871 48255->48256 48259 41bc5e 28 API calls 48256->48259 48258 41bc5e 28 API calls 48258->48268 48260 40f87d 48259->48260 48283 413814 14 API calls 48260->48283 48263 401f09 11 API calls 48263->48268 48264 40f890 48265 401f09 11 API calls 48264->48265 48267 40f89c 48265->48267 48266 402093 28 API calls 48266->48268 48269 402093 28 API calls 48267->48269 48268->48253 48268->48254 48268->48258 48268->48263 48268->48266 48271 41376f 14 API calls 48268->48271 48281 40d096 112 API calls ___scrt_fastfail 48268->48281 48282 413814 14 API calls 48268->48282 48270 40f8ad 48269->48270 48272 41376f 14 API calls 48270->48272 48271->48268 48273 40f8c0 48272->48273 48284 412850 TerminateProcess WaitForSingleObject 48273->48284 48275 40f8c8 ExitProcess 48282->48268 48283->48264 48284->48275 48285 415d06 48300 41b380 48285->48300 48287 415d0f 48288 4020f6 28 API calls 48287->48288 48289 415d1e 48288->48289 48290 404aa1 61 API calls 48289->48290 48291 415d2a 48290->48291 48292 417089 48291->48292 48293 401fd8 11 API calls 48291->48293 48294 401e8d 11 API calls 48292->48294 48293->48292 48295 417092 48294->48295 48296 401fd8 11 API calls 48295->48296 48297 41709e 48296->48297 48298 401fd8 11 API calls 48297->48298 48299 4170aa 48298->48299 48301 4020df 11 API calls 48300->48301 48302 41b38e 48301->48302 48303 43bd51 _Yarn 21 API calls 48302->48303 48304 41b39e InternetOpenW InternetOpenUrlW 48303->48304 48305 41b3c5 InternetReadFile 48304->48305 48309 41b3e8 48305->48309 48306 41b415 InternetCloseHandle InternetCloseHandle 48308 41b427 48306->48308 48307 4020b7 28 API calls 48307->48309 48308->48287 48309->48305 48309->48306 48309->48307 48310 401fd8 11 API calls 48309->48310 48310->48309 48311 44375d 48312 443766 48311->48312 48313 44377f 48311->48313 48314 44376e 48312->48314 48318 4437e5 48312->48318 48316 443776 48316->48314 48329 443ab2 22 
API calls 2 library calls 48316->48329 48319 4437f1 48318->48319 48320 4437ee 48318->48320 48330 44f3dd GetEnvironmentStringsW 48319->48330 48320->48316 48323 4437fe 48325 446782 _free 20 API calls 48323->48325 48326 443833 48325->48326 48326->48316 48328 443809 48354 446782 48328->48354 48329->48313 48331 44f3f1 48330->48331 48332 4437f8 48330->48332 48360 446137 21 API calls 3 library calls 48331->48360 48332->48323 48337 44390a 48332->48337 48334 446782 _free 20 API calls 48336 44f41f FreeEnvironmentStringsW 48334->48336 48335 44f405 _Yarn 48335->48334 48336->48332 48339 443928 48337->48339 48361 445af3 48339->48361 48340 443962 48341 4439d3 48340->48341 48344 445af3 __Getctype 20 API calls 48340->48344 48345 4439d5 48340->48345 48349 4439f7 48340->48349 48352 446782 _free 20 API calls 48340->48352 48368 447b61 20 API calls 2 library calls 48340->48368 48342 446782 _free 20 API calls 48341->48342 48343 4439ed 48342->48343 48343->48328 48344->48340 48369 443a04 20 API calls _free 48345->48369 48348 4439db 48350 446782 _free 20 API calls 48348->48350 48370 43bd19 11 API calls _abort 48349->48370 48350->48341 48352->48340 48353 443a03 48355 44678d RtlFreeHeap 48354->48355 48356 4467b6 _free 48354->48356 48355->48356 48357 4467a2 48355->48357 48356->48323 48373 4405dd 20 API calls _abort 48357->48373 48359 4467a8 GetLastError 48359->48356 48360->48335 48366 445b00 ___crtLCMapStringA 48361->48366 48362 445b40 48372 4405dd 20 API calls _abort 48362->48372 48363 445b2b RtlAllocateHeap 48364 445b3e 48363->48364 48363->48366 48364->48340 48366->48362 48366->48363 48371 442f80 7 API calls 2 library calls 48366->48371 48368->48340 48369->48348 48370->48353 48371->48366 48372->48364 48373->48359 48374 43be58 48375 43be64 _swprintf ___scrt_is_nonwritable_in_current_image 48374->48375 48376 43be72 48375->48376 48378 43be9c 48375->48378 48390 4405dd 20 API calls _abort 48376->48390 48385 445888 EnterCriticalSection 48378->48385 48380 43be77 pre_c_initialization 
___scrt_is_nonwritable_in_current_image 48381 43bea7 48386 43bf48 48381->48386 48385->48381 48388 43bf56 48386->48388 48387 43beb2 48391 43becf LeaveCriticalSection std::_Lockit::~_Lockit 48387->48391 48388->48387 48392 44976c 37 API calls 2 library calls 48388->48392 48390->48380 48391->48380 48392->48388 48393 40165e 48394 401666 48393->48394 48395 401669 48393->48395 48396 4016a8 48395->48396 48398 401696 48395->48398 48397 4344ea new 22 API calls 48396->48397 48400 40169c 48397->48400 48399 4344ea new 22 API calls 48398->48399 48399->48400

                              Control-flow Graph

                              APIs
                              • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                              • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                              • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                              • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                              • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                              • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                              • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                              • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                              • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                              • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                              • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                              • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                              • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                              • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                              • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                              • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad$HandleModule
                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                              • API String ID: 4236061018-3687161714
                              • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                              • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                              • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                              • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe,00000104), ref: 0040E9EE
                                • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                              • String ID: 8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-HKC0PV$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                              • API String ID: 2830904901-3751985341
                              • Opcode ID: cc67e54aedd94bd188949fffc6f37dabdb480af775679b2e47580a4ac9d4071a
                              • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                              • Opcode Fuzzy Hash: cc67e54aedd94bd188949fffc6f37dabdb480af775679b2e47580a4ac9d4071a
                              • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                              Control-flow Graph

                              control_flow_graph 1260 40a2b8-40a2cf 1261 40a2d1-40a2eb GetModuleHandleA SetWindowsHookExA 1260->1261 1262 40a333-40a343 GetMessageA 1260->1262 1261->1262 1265 40a2ed-40a331 GetLastError call 41bb8e call 4052fd call 402093 call 41b4ef call 401fd8 1261->1265 1263 40a345-40a35d TranslateMessage DispatchMessageA 1262->1263 1264 40a35f 1262->1264 1263->1262 1263->1264 1266 40a361-40a366 1264->1266 1265->1266
                              APIs
                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                              • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                              • GetLastError.KERNEL32 ref: 0040A2ED
                                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                              • TranslateMessage.USER32(?), ref: 0040A34A
                              • DispatchMessageA.USER32(?), ref: 0040A355
                              Strings
                              • Keylogger initialization failure: error , xrefs: 0040A301
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                              • String ID: Keylogger initialization failure: error
                              • API String ID: 3219506041-952744263
                              • Opcode ID: 351146aa31e7d8f010798953617ef069e45ce016b2dcdd27b6cd7b94982b1026
                              • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                              • Opcode Fuzzy Hash: 351146aa31e7d8f010798953617ef069e45ce016b2dcdd27b6cd7b94982b1026
                              • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

                              Control-flow Graph

                              APIs
                              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                              • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                              • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                              Strings
                              • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: Internet$CloseHandleOpen$FileRead
                              • String ID: http://geoplugin.net/json.gp
                              • API String ID: 3121278467-91888290
                              • Opcode ID: 61b1c066cbf1f6e44ea73c093b6391bf97cae0235be39f00c5f2dbf4af9b1548
                              • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                              • Opcode Fuzzy Hash: 61b1c066cbf1f6e44ea73c093b6391bf97cae0235be39f00c5f2dbf4af9b1548
                              • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                                • Part of subcall function 00413549: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                • Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592
                              • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                              • ExitProcess.KERNEL32 ref: 0040F8CA
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: CloseExitOpenProcessQuerySleepValue
                              • String ID: 5.0.0 Pro$override$pth_unenc
                              • API String ID: 2281282204-3992771774
                              • Opcode ID: e8f8a8c6e09656479cbd18f8005b06e309874533347df5ec8e0d67fb659a5248
                              • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                              • Opcode Fuzzy Hash: e8f8a8c6e09656479cbd18f8005b06e309874533347df5ec8e0d67fb659a5248
                              • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                              APIs
                              • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
                              • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                              Strings
                              • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: Create$EventLocalThreadTime
                              • String ID: KeepAlive | Enabled | Timeout:
                              • API String ID: 2532271599-1507639952
                              • Opcode ID: 83e50ac4dae1b8c5f58466140d22aecb7b5797b4a98a9f2a00060ccb3113e507
                              • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                              • Opcode Fuzzy Hash: 83e50ac4dae1b8c5f58466140d22aecb7b5797b4a98a9f2a00060ccb3113e507
                              • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                              APIs
                              • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B62A
                              • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: Name$ComputerUser
                              • String ID:
                              • API String ID: 4229901323-0
                              • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                              • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                              • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                              • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                              APIs
                              • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.0.0 Pro), ref: 0040F8E5
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: InfoLocale
                              • String ID:
                              • API String ID: 2299586839-0
                              • Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                              • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                              • Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                              • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                              Control-flow Graph

                              control_flow_graph 448 414f2a-414f72 call 4020df call 41b8b3 call 4020df call 401e65 call 401fab call 43baac 461 414f81-414fcd call 402093 call 401e65 call 4020f6 call 41be1b call 40489e call 401e65 call 40b9bd 448->461 462 414f74-414f7b Sleep 448->462 477 415041-4150dc call 402093 call 401e65 call 4020f6 call 41be1b call 401e65 * 2 call 406c1e call 402f10 call 401fe2 call 401fd8 * 2 call 401e65 call 405b05 461->477 478 414fcf-41503e call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 40473d 461->478 462->461 531 4150ec-4150f3 477->531 532 4150de-4150ea 477->532 478->477 533 4150f8-41518a call 405aa6 call 40531e call 406383 call 402f10 call 402093 call 41b4ef call 401fd8 * 2 call 401e65 call 401fab call 401e65 call 401fab call 414ee9 531->533 532->533 560 4151d5-4151e3 call 40482d 533->560 561 41518c-4151d0 WSAGetLastError call 41cae1 call 4052fd call 402093 call 41b4ef call 401fd8 533->561 567 415210-415225 call 404f51 call 4048c8 560->567 568 4151e5-41520b call 402093 * 2 call 41b4ef 560->568 583 415aa3-415ab5 call 404e26 call 4021fa 561->583 567->583 584 41522b-41537e call 401e65 * 2 call 40531e call 406383 call 402f10 call 406383 call 402f10 call 402093 call 41b4ef call 401fd8 * 4 call 41b7e0 call 4145bd call 40905c call 441e81 call 401e65 call 4020f6 call 40247c call 401fab * 2 call 4136f8 567->584 568->583 596 415ab7-415ad7 call 401e65 call 401fab call 43baac Sleep 583->596 597 415add-415ae5 call 401e8d 583->597 648 415380-41538d call 405aa6 584->648 649 415392-4153b9 call 401fab call 4135a6 584->649 596->597 597->477 648->649 655 4153c0-415a0a call 40417e call 40dd89 call 41bc42 call 41bd1e call 41bb8e call 401e65 GetTickCount call 41bb8e call 41bae6 call 41bb8e * 2 call 41ba96 call 41bd1e * 5 call 40f8d1 call 41bd1e call 402f31 call 402ea1 call 402f10 call 402ea1 call 402f10 * 3 call 402ea1 call 402f10 call 406383 call 402f10 call 
406383 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 406383 call 402f10 * 5 call 402ea1 call 402f10 call 402ea1 call 402f10 * 7 call 402ea1 call 404aa1 call 401fd8 * 50 call 401f09 call 401fd8 * 6 call 401f09 call 404c10 649->655 656 4153bb-4153bd 649->656 901 415a0f-415a16 655->901 656->655 902 415a18-415a1f 901->902 903 415a2a-415a31 901->903 902->903 904 415a21-415a23 902->904 905 415a33-415a38 call 40b051 903->905 906 415a3d-415a6f call 405a6b call 402093 * 2 call 41b4ef 903->906 904->903 905->906 917 415a71-415a7d CreateThread 906->917 918 415a83-415a9e call 401fd8 * 2 call 401f09 906->918 917->918 918->583
                              APIs
                              • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
                              • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                              • Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
                                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: Sleep$ErrorLastLocalTime
                              • String ID: | $%I64u$5.0.0 Pro$8SG$C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$Rmc-HKC0PV$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                              • API String ID: 524882891-1454189577
                              • Opcode ID: c785b9e31bf6176af97dcc867692fda02e54ee60402fcd2181b2e23f60a563ca
                              • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                              • Opcode Fuzzy Hash: c785b9e31bf6176af97dcc867692fda02e54ee60402fcd2181b2e23f60a563ca
                              • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

                              Control-flow Graph

                              APIs
                              • Sleep.KERNEL32(00001388), ref: 0040A740
                                • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                • Part of subcall function 0040A675: FindCloseChangeNotification.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                              • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: File$AttributesCreate$Sleep$ChangeCloseDirectoryExistsFindNotificationPathSize
                              • String ID: 8SG$8SG$hdF$pQG$pQG$PG$PG
                              • API String ID: 110482706-4009011672
                              • Opcode ID: 1b86f33e2813ac9ce889fc21d85687f64281119cd91f5dea58d0e0166611a616
                              • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                              • Opcode Fuzzy Hash: 1b86f33e2813ac9ce889fc21d85687f64281119cd91f5dea58d0e0166611a616
                              • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

                              Control-flow Graph

                              control_flow_graph 1023 4048c8-4048e8 connect 1024 404a1b-404a1f 1023->1024 1025 4048ee-4048f1 1023->1025 1028 404a21-404a2f WSAGetLastError 1024->1028 1029 404a97 1024->1029 1026 404a17-404a19 1025->1026 1027 4048f7-4048fa 1025->1027 1030 404a99-404a9e 1026->1030 1031 404926-404930 call 420c60 1027->1031 1032 4048fc-404923 call 40531e call 402093 call 41b4ef 1027->1032 1028->1029 1033 404a31-404a34 1028->1033 1029->1030 1042 404941-40494e call 420e8f 1031->1042 1043 404932-40493c 1031->1043 1032->1031 1036 404a71-404a76 1033->1036 1037 404a36-404a6f call 41cae1 call 4052fd call 402093 call 41b4ef call 401fd8 1033->1037 1039 404a7b-404a94 call 402093 * 2 call 41b4ef 1036->1039 1037->1029 1039->1029 1057 404950-404973 call 402093 * 2 call 41b4ef 1042->1057 1058 404987-404992 call 421a40 1042->1058 1043->1039 1086 404976-404982 call 420ca0 1057->1086 1069 4049c4-4049d1 call 420e06 1058->1069 1070 404994-4049c2 call 402093 * 2 call 41b4ef call 4210b2 1058->1070 1080 4049d3-4049f6 call 402093 * 2 call 41b4ef 1069->1080 1081 4049f9-404a14 CreateEventW * 2 1069->1081 1070->1086 1080->1081 1081->1026 1086->1029
                              APIs
                              • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                              • WSAGetLastError.WS2_32 ref: 00404A21
                                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: CreateEvent$ErrorLastLocalTimeconnect
                              • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                              • API String ID: 994465650-2151626615
                              • Opcode ID: fa9dc16280b74e41472a6a3d9ec0168782aacc7c5f81dfffe069f112667f44de
                              • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                              • Opcode Fuzzy Hash: fa9dc16280b74e41472a6a3d9ec0168782aacc7c5f81dfffe069f112667f44de
                              • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

                              Control-flow Graph

                              APIs
                              • __Init_thread_footer.LIBCMT ref: 0040AD38
                              • Sleep.KERNEL32(000001F4), ref: 0040AD43
                              • GetForegroundWindow.USER32 ref: 0040AD49
                              • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                              • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                              • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                              • String ID: [${ User has been idle for $ minutes }$]
                              • API String ID: 911427763-3954389425
                              • Opcode ID: 0353f8177fafd3cd9a3a1f2f9d997a593271c35778fb8a74e0f6d4403574b366
                              • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                              • Opcode Fuzzy Hash: 0353f8177fafd3cd9a3a1f2f9d997a593271c35778fb8a74e0f6d4403574b366
                              • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F

                              Control-flow Graph

                              APIs
                              • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A
                              Strings
                              Yara matches
                              Similarity
                              • API ID: LongNamePath
                              • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                              • API String ID: 82841172-425784914
                              • Opcode ID: aa652be1f29e0a7c33d43a87d655e5c017c40b6912c980d0cec9b2528de70772
                              • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                              • Opcode Fuzzy Hash: aa652be1f29e0a7c33d43a87d655e5c017c40b6912c980d0cec9b2528de70772
                              • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

                              Control-flow Graph

                              APIs
                              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
                              • CloseHandle.KERNEL32(00000000), ref: 0041C459
                              • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
                              • FindCloseChangeNotification.KERNEL32(00000000), ref: 0041C477
                              Strings
                              Yara matches
                              Similarity
                              • API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
                              • String ID: hpF
                              • API String ID: 1087594267-151379673
                              • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                              • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                              • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                              • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                              • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Process$CloseCurrentOpenQueryValueWow64
                              • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                              • API String ID: 782494840-2070987746
                              • Opcode ID: 8ad9b4a9319c0ce8e08ab0eef02bf2d7836f92b3666c7b1e2c0131a55ef00c42
                              • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                              • Opcode Fuzzy Hash: 8ad9b4a9319c0ce8e08ab0eef02bf2d7836f92b3666c7b1e2c0131a55ef00c42
                              • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

                              Control-flow Graph

                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                              • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                              • FindCloseChangeNotification.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                              Strings
                              Yara matches
                              Similarity
                              • API ID: File$ChangeCloseCreateFindNotificationSizeSleep
                              • String ID: XQG
                              • API String ID: 4068920109-3606453820
                              • Opcode ID: c123891714ba34b2fc86ee474269cf7d4a952ef3128b037d3b88976122030326
                              • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                              • Opcode Fuzzy Hash: c123891714ba34b2fc86ee474269cf7d4a952ef3128b037d3b88976122030326
                              • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E

                              Control-flow Graph

                              APIs
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CountEventTick
                              • String ID: !D@$NG
                              • API String ID: 180926312-2721294649
                              • Opcode ID: 87f01666be64a039b827cbeb6ffbb1ffa2cbd05f3ed2e4b8e32ab8874605ad87
                              • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                              • Opcode Fuzzy Hash: 87f01666be64a039b827cbeb6ffbb1ffa2cbd05f3ed2e4b8e32ab8874605ad87
                              • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A

                              Control-flow Graph

                              APIs
                              • CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                              • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
                              • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A
                                • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CreateThread$LocalTimewsprintf
                              • String ID: Offline Keylogger Started
                              • API String ID: 465354869-4114347211
                              • Opcode ID: 4ca78bee1b29c2b2eaf028355388d4b479c826490612efa5b39e4efab7956beb
                              • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                              • Opcode Fuzzy Hash: 4ca78bee1b29c2b2eaf028355388d4b479c826490612efa5b39e4efab7956beb
                              • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                              APIs
                              • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                              • RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,5.0.0 Pro), ref: 004137A6
                              • RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,5.0.0 Pro), ref: 004137B1
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CloseCreateValue
                              • String ID: pth_unenc
                              • API String ID: 1818849710-4028850238
                              • Opcode ID: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                              • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                              • Opcode Fuzzy Hash: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                              • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                              APIs
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                              • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                              • FindCloseChangeNotification.KERNEL32(00000000,?,00000000), ref: 00404DDB
                              Yara matches
                              Similarity
                              • API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
                              • String ID:
                              • API String ID: 2579639479-0
                              • Opcode ID: ceb3114af3113f3e51a28b58c6f931136764174e6725d3240f6aeee7034d4dad
                              • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                              • Opcode Fuzzy Hash: ceb3114af3113f3e51a28b58c6f931136764174e6725d3240f6aeee7034d4dad
                              • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                              APIs
                              Strings
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID: $G
                              • API String ID: 269201875-4251033865
                              • Opcode ID: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
                              • Instruction ID: d76a88c3c7e0b504eff74fb84b9f6db8507cba8af1ea4ea387731c34734dfbbf
                              • Opcode Fuzzy Hash: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
                              • Instruction Fuzzy Hash: AAE0E562A0182040F675BA3F2D05B9B49C5DB8173BF11433BF538861C1DFAC4A4251AE
                              APIs
                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                              • GetLastError.KERNEL32 ref: 0040D083
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CreateErrorLastMutex
                              • String ID: Rmc-HKC0PV
                              • API String ID: 1925916568-1511587195
                              • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                              • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                              • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                              • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                              APIs
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: 4bd7fc6ee94724d89121ca04f8cc2d4adc6c5e1b2b6a7a38f6f4ef2949ad302d
                              • Instruction ID: 6ba20a86e5d17c942c68f45beeabd846a52a026a255a9301ae21e2c24e206bb8
                              • Opcode Fuzzy Hash: 4bd7fc6ee94724d89121ca04f8cc2d4adc6c5e1b2b6a7a38f6f4ef2949ad302d
                              • Instruction Fuzzy Hash: C131B07790011097EF20AF69C4825BBB3A4EF44B15B14015FF90597340EB795F42C2D8
                              APIs
                              • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              • WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                              • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: EventObjectSingleWaitsend
                              • String ID:
                              • API String ID: 3963590051-0
                              • Opcode ID: 778a05176575217d70e804aa02ba2bb4ca6cce75f32be32a141a68c09f8a03c8
                              • Instruction ID: 83b425c638d75041f18e819343fb0b0c123ba7f8272f9a3a5816098776915250
                              • Opcode Fuzzy Hash: 778a05176575217d70e804aa02ba2bb4ca6cce75f32be32a141a68c09f8a03c8
                              • Instruction Fuzzy Hash: A52126B2900119BBCB04ABA1DC95DEE773CFF14314B00452BF515B21E2EE79AA15C6A4
                              APIs
                              • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                              • RegCloseKey.KERNEL32(?), ref: 004135F2
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID:
                              • API String ID: 3677997916-0
                              • Opcode ID: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
                              • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                              • Opcode Fuzzy Hash: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
                              • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4
                              APIs
                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                              • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                              • RegCloseKey.KERNEL32(00000000), ref: 00413738
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID:
                              • API String ID: 3677997916-0
                              • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                              • Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
                              • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                              • Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4
                              APIs
                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                              • RegCloseKey.KERNEL32(?), ref: 00413592
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID:
                              • API String ID: 3677997916-0
                              • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                              • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                              • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                              • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
                              APIs
                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
                              • RegCloseKey.KERNEL32(?,?,?,0040C19C,00466C48), ref: 00413535
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID:
                              • API String ID: 3677997916-0
                              • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                              • Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
                              • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                              • Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4
                              APIs
                              • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                              • RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                              • RegCloseKey.KERNEL32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateValue
                              • String ID:
                              • API String ID: 1818849710-0
                              • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                              • Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
                              • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                              • Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798
                              APIs
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                              • SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                              • recv.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404BDA
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: EventObjectSingleWaitrecv
                              • String ID:
                              • API String ID: 311754179-0
                              • Opcode ID: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
                              • Instruction ID: 1d69a7fd2e689c68354a0251ffa64299bfe08f5f9c70e8df09ea9ad7bb005133
                              • Opcode Fuzzy Hash: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
                              • Instruction Fuzzy Hash: 00F08236108213FFD7059F10EC09E4AFB62FB84721F10862AF510522B08771FC21DBA5
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: _wcslen
                              • String ID: pQG
                              • API String ID: 176396367-3769108836
                              • Opcode ID: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                              • Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
                              • Opcode Fuzzy Hash: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                              • Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: GlobalMemoryStatus
                              • String ID: @
                              • API String ID: 1890195054-2766056989
                              • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                              • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                              • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                              • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                              APIs
                              • socket.WS2_32(?,00000001,00000006), ref: 00404852
                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateEventStartupsocket
                              • String ID:
                              • API String ID: 1953588214-0
                              • Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                              • Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
                              • Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                              • Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                              • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                              • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                              • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D
                              APIs
                              • GetForegroundWindow.USER32 ref: 0041BAB8
                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Window$ForegroundText
                              • String ID:
                              • API String ID: 29597999-0
                              • Opcode ID: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                              • Instruction ID: 4615795adb372a642f3ed3ff298372a60f443b3219566b47796808df054d69ed
                              • Opcode Fuzzy Hash: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                              • Instruction Fuzzy Hash: CCE0D875A00328A7E720A7A49C4EFE5776CEB08701F0000EEBA18D71C2EAB4AD04C7E4
                              APIs
                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000), ref: 00445B34
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                              • Instruction ID: e1e4bc9e3ed5bc60ab2f969cc6486aa84e060793a1580145f61584a75d3ee698
                              • Opcode Fuzzy Hash: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                              • Instruction Fuzzy Hash: 9DF09031600D6967BF316A229C06B5BB749EB42760B548027BD08AA297CA38F80186BC
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                              • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                              • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                              • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                              APIs
                              • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Startup
                              • String ID:
                              • API String ID: 724789610-0
                              APIs
                              • SetEvent.KERNEL32(?,?), ref: 00407CB9
                              • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                              • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                              • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                              • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                              • DeleteFileA.KERNEL32(?), ref: 00408652
                                • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                              • Sleep.KERNEL32(000007D0), ref: 004086F8
                              • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                              Strings
                              Similarity
                              • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                              • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                              • API String ID: 1067849700-181434739
                              APIs
                              • __Init_thread_footer.LIBCMT ref: 004056E6
                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              • __Init_thread_footer.LIBCMT ref: 00405723
                              • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                              • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                              • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                              • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                              • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                              • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                              • CloseHandle.KERNEL32 ref: 00405A23
                              • CloseHandle.KERNEL32 ref: 00405A2B
                              • CloseHandle.KERNEL32 ref: 00405A3D
                              • CloseHandle.KERNEL32 ref: 00405A45
                              Strings
                              Similarity
                              • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                              • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                              • API String ID: 2994406822-18413064
                              APIs
                                • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                • Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                              • CloseHandle.KERNEL32(00000000), ref: 00412155
                              • CreateThread.KERNEL32(00000000,00000000,Function_000127EE,00000000,00000000,00000000), ref: 004121AB
                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                              Strings
                              Similarity
                              • API ID: CloseCreateOpen$HandleMutexProcessThreadValue
                              • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                              • API String ID: 261377708-13974260
                              APIs
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                              • FindClose.KERNEL32(00000000), ref: 0040BBC9
                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                              • FindClose.KERNEL32(00000000), ref: 0040BD12
                              Strings
                              Similarity
                              • API ID: Find$CloseFile$FirstNext
                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                              • API String ID: 1164774033-3681987949
                              APIs
                              • OpenClipboard.USER32 ref: 004168C2
                              • EmptyClipboard.USER32 ref: 004168D0
                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                              • GlobalLock.KERNEL32(00000000), ref: 004168F9
                              • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                              • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                              • CloseClipboard.USER32 ref: 00416955
                              • OpenClipboard.USER32 ref: 0041695C
                              • GetClipboardData.USER32(0000000D), ref: 0041696C
                              • GlobalLock.KERNEL32(00000000), ref: 00416975
                              • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                              • CloseClipboard.USER32 ref: 00416984
                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              Strings
                              Similarity
                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                              • String ID: !D@$hdF
                              • API String ID: 3520204547-3475379602
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                              • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                              Strings
                              Similarity
                              • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                              • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$hdF$hdF$ieinstal.exe$ielowutil.exe
                              • API String ID: 3756808967-3633479162
                              APIs
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                              • FindClose.KERNEL32(00000000), ref: 0040BDC9
                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                              • FindClose.KERNEL32(00000000), ref: 0040BEAF
                              • FindClose.KERNEL32(00000000), ref: 0040BED0
                              Strings
                              Similarity
                              • API ID: Find$Close$File$FirstNext
                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                              • API String ID: 3527384056-432212279
                              APIs
                              • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                              • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                              • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                              • CloseHandle.KERNEL32(00000000), ref: 0041345F
                              • CloseHandle.KERNEL32(?), ref: 00413465
                              Similarity
                              • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                              • String ID:
                              • API String ID: 297527592-0
                              Strings
                              Similarity
                              • API ID:
                              • String ID: 0$1$2$3$4$5$6$7$VG
                              • API String ID: 0-1861860590
                              APIs
                              • _wcslen.LIBCMT ref: 00407521
                              • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                              Strings
                              Similarity
                              • API ID: Object_wcslen
                              • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                              • API String ID: 240030777-3166923314
                              APIs
                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                              • GetLastError.KERNEL32 ref: 0041A7BB
                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                              Similarity
                              • API ID: EnumServicesStatus$ErrorLastManagerOpen
                              • String ID:
                              • API String ID: 3587775597-0
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                              • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Find$CreateFirstNext
                              • String ID: (eF$8SG$PXG$PXG$NG$PG
                              • API String ID: 341183262-875132146
                              • Opcode ID: 8aa0571499403d58be1e130ca3da03e6fee7ca646c1bdb921da3abf0fdeeb52b
                              • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                              • Opcode Fuzzy Hash: 8aa0571499403d58be1e130ca3da03e6fee7ca646c1bdb921da3abf0fdeeb52b
                              • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                              • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                              • FindClose.KERNEL32(00000000), ref: 0040C47D
                              • FindClose.KERNEL32(00000000), ref: 0040C4A8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$CloseFile$FirstNext
                              • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                              • API String ID: 1164774033-405221262
                              • Opcode ID: 778d0e55463469e3bd3f63c6ac431236a83d77e410adc205391174306d863ebc
                              • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                              • Opcode Fuzzy Hash: 778d0e55463469e3bd3f63c6ac431236a83d77e410adc205391174306d863ebc
                              • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                              APIs
                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B
                                • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                              • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
                              • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                              • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                              • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                              • String ID:
                              • API String ID: 2341273852-0
                              • Opcode ID: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                              • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                              • Opcode Fuzzy Hash: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                              • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                              APIs
                              • GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A416
                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                              • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                              • GetKeyState.USER32(00000010), ref: 0040A433
                              • GetKeyboardState.USER32(?,?,004750F0), ref: 0040A43E
                              • ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A461
                              • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                              • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                              • String ID:
                              • API String ID: 1888522110-0
                              • Opcode ID: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                              • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                              • Opcode Fuzzy Hash: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                              • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                              APIs
                              • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                              • GetProcAddress.KERNEL32(00000000), ref: 00414271
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressCloseCreateLibraryLoadProcsend
                              • String ID: SHDeleteKeyW$Shlwapi.dll
                              • API String ID: 2127411465-314212984
                              • Opcode ID: fb7c7236340fcb0cc32af97ee5a51d4e65813ec50030604b1f4e5ed9fb5d0958
                              • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                              • Opcode Fuzzy Hash: fb7c7236340fcb0cc32af97ee5a51d4e65813ec50030604b1f4e5ed9fb5d0958
                              • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                              • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: DownloadExecuteFileShell
                              • String ID: aF$ aF$C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe$open
                              • API String ID: 2825088817-2165741227
                              • Opcode ID: 66bde5b1840f9c527649eaf94ccad33dac10dc1a6f20fe2354d26b846e8214af
                              • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                              • Opcode Fuzzy Hash: 66bde5b1840f9c527649eaf94ccad33dac10dc1a6f20fe2354d26b846e8214af
                              • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                              APIs
                              • __EH_prolog.LIBCMT ref: 00408811
                              • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                              • String ID: hdF
                              • API String ID: 1771804793-665520524
                              • Opcode ID: 390627094965f1798e55e015da18b83244ade312cf37f9ca5738f400f7c59cf5
                              • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                              • Opcode Fuzzy Hash: 390627094965f1798e55e015da18b83244ade312cf37f9ca5738f400f7c59cf5
                              • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                              APIs
                                • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                              • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                              • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                              • GetProcAddress.KERNEL32(00000000), ref: 00416872
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                              • String ID: !D@$PowrProf.dll$SetSuspendState
                              • API String ID: 1589313981-2876530381
                              • Opcode ID: 8ce191c967a42c787c9f60fc832cecced2ee4e9844afd20766cc7ce476c8f96f
                              • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                              • Opcode Fuzzy Hash: 8ce191c967a42c787c9f60fc832cecced2ee4e9844afd20766cc7ce476c8f96f
                              • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                              APIs
                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                              • GetLastError.KERNEL32 ref: 0040BA58
                              Strings
                              • [Chrome StoredLogins not found], xrefs: 0040BA72
                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                              • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                              • UserProfile, xrefs: 0040BA1E
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: DeleteErrorFileLast
                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                              • API String ID: 2018770650-1062637481
                              • Opcode ID: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
                              • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                              • Opcode Fuzzy Hash: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
                              • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                              APIs
                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                              • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                              • GetLastError.KERNEL32 ref: 0041799D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              • API String ID: 3534403312-3733053543
                              • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                              • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                              • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                              • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: __floor_pentium4
                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                              • API String ID: 4168288129-2761157908
                              • Opcode ID: df2971786bbf8e496eef17942e665dfb4286cfe499c735b5cf4645abbbd9631d
                              • Instruction ID: adbfc57a6ba9eb8fd61ef87ee4788d0f45260f030e03b769905361500cdb2a19
                              • Opcode Fuzzy Hash: df2971786bbf8e496eef17942e665dfb4286cfe499c735b5cf4645abbbd9631d
                              • Instruction Fuzzy Hash: EBC26E71E046288FDB25CE28DD407EAB3B5EB85306F1541EBD80DE7241E778AE898F45
                              APIs
                              • __EH_prolog.LIBCMT ref: 00409258
                                • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                              • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                              • FindClose.KERNEL32(00000000), ref: 004093C1
                                • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                              • FindClose.KERNEL32(00000000), ref: 004095B9
                                • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                              • String ID:
                              • API String ID: 1824512719-0
                              • Opcode ID: 72b10921a7971adf5ef9a2979ca6100da9cf18bd27a86df75df8988b1f649e25
                              • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                              • Opcode Fuzzy Hash: 72b10921a7971adf5ef9a2979ca6100da9cf18bd27a86df75df8988b1f649e25
                              • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ManagerStart
                              • String ID:
                              • API String ID: 276877138-0
                              • Opcode ID: 38ff3efd75794608fc7efc6ab14161dff6b0215efc9cafdd27725548e5e732cb
                              • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                              • Opcode Fuzzy Hash: 38ff3efd75794608fc7efc6ab14161dff6b0215efc9cafdd27725548e5e732cb
                              • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                              APIs
                              • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 004524D5
                              • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004524FE
                              • GetACP.KERNEL32 ref: 00452513
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID: ACP$OCP
                              • API String ID: 2299586839-711371036
                              • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                              • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                              • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                              • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                              • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileFind$FirstNextsend
                              • String ID: (eF$XPG$XPG
                              • API String ID: 4113138495-1496965907
                              • Opcode ID: b7a6a647542a969cd037d0eb723fdddc811f13e057d1182a449fff4599d7b841
                              • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                              • Opcode Fuzzy Hash: b7a6a647542a969cd037d0eb723fdddc811f13e057d1182a449fff4599d7b841
                              • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                              APIs
                              • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                              • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                              • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                              • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Resource$FindLoadLockSizeof
                              • String ID: SETTINGS
                              • API String ID: 3473537107-594951305
                              • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                              • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                              • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                              • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
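The entry above shows the sample locating an RCDATA resource named SETTINGS (resource type 0000000A is RT_RCDATA) and mapping it with LoadResource, LockResource and SizeofResource. The following Python is an added example, not code from this report or from the analysed binary: it decodes such a blob on the assumption, taken from public Remcos analyses rather than from anything on this page, that the resource is laid out as a one-byte key length, the RC4 key, and then the RC4-encrypted configuration, with fields joined by a version-dependent separator. The separator SEP, the key Pass and the sample field values are constructed for the demonstration.

```python
"""Decode a Remcos-style SETTINGS RCDATA blob: [key_len][key][RC4(config)].

Added example. Assumptions (from public analyses, not from this report):
 - the first byte is the RC4 key length, followed by the key, then RC4 ciphertext
 - decrypted fields are joined by a separator (SEP below; it varies between versions)
"""
from typing import List, Tuple

SEP = b"|\x1e\x1e\x1f|"  # assumed field separator; adjust per version


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob: bytes) -> Tuple[bytes, bytes]:
    """Split a SETTINGS blob into (rc4_key, decrypted_config)."""
    if len(blob) < 2:
        raise ValueError("blob too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("invalid key length byte")
    key = blob[1:1 + key_len]
    return key, rc4(key, blob[1 + key_len:])


def split_fields(config: bytes, sep: bytes = SEP) -> List[str]:
    """Split the decrypted configuration on the (assumed) field separator."""
    return [f.decode("latin-1") for f in config.split(sep)]


def build_settings(key: bytes, fields: List[str], sep: bytes = SEP) -> bytes:
    """Inverse of parse_settings; used here only to construct a sample blob."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    plain = sep.join(f.encode("latin-1") for f in fields)
    return bytes([len(key)]) + key + rc4(key, plain)


# Constructed sample (not from the analysed binary): host:port:password style first field
SAMPLE_FIELDS = ["c2.example.invalid:2404:1", "RemoteHost", "Rmc-TEST01", "1"]
SAMPLE_BLOB = build_settings(b"Pass", SAMPLE_FIELDS)

if __name__ == "__main__":
    key, cfg = parse_settings(SAMPLE_BLOB)
    print("key:", key, "fields:", split_fields(cfg))
```

With a real sample, pull the RT_RCDATA resource named SETTINGS out of the PE (for example by walking pefile's DIRECTORY_ENTRY_RESOURCE tree) and pass its bytes to parse_settings; if the key-length byte does not fit the blob, the layout assumption is wrong for that build and the function raises rather than returning garbage. Public write-ups place the C2 host:port:password list in the first decoded field, which is the value most worth adding to blocklists.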
                              APIs
                              • __EH_prolog.LIBCMT ref: 0040966A
                              • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                              • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstH_prologNext
                              • String ID:
                              • API String ID: 1157919129-0
                              • Opcode ID: ee1845b0ef5c607cfd4356d03837d6fe25fba8810e880e90ca5809c6b8fe6ab1
                              • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                              • Opcode Fuzzy Hash: ee1845b0ef5c607cfd4356d03837d6fe25fba8810e880e90ca5809c6b8fe6ab1
                              • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                              APIs
                                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                              • GetUserDefaultLCID.KERNEL32 ref: 0045271C
                              • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                              • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                              • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                              • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004527ED
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                              • String ID:
                              • API String ID: 745075371-0
                              • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                              • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                              • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                              • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                              APIs
                              • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                • Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,5.0.0 Pro), ref: 004137A6
                                • Part of subcall function 0041376F: RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,5.0.0 Pro), ref: 004137B1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateInfoParametersSystemValue
                              • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                              • API String ID: 4127273184-3576401099
                              • Opcode ID: f2c43ad2b54eca36b498e515dc1d07e136ae504e1b99f40133731ebf13c7e4dd
                              • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                              • Opcode Fuzzy Hash: f2c43ad2b54eca36b498e515dc1d07e136ae504e1b99f40133731ebf13c7e4dd
                              • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                              APIs
                                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                              • IsValidCodePage.KERNEL32(00000000), ref: 00451DBA
                              • _wcschr.LIBVCRUNTIME ref: 00451E4A
                              • _wcschr.LIBVCRUNTIME ref: 00451E58
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451EFB
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                              • String ID:
                              • API String ID: 4212172061-0
                              • Opcode ID: d51387d99b1e6b249aff8f61d3989bee7608b3a62aead1fc41d833bb042b57a0
                              • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                              • Opcode Fuzzy Hash: d51387d99b1e6b249aff8f61d3989bee7608b3a62aead1fc41d833bb042b57a0
                              • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                              APIs
                              • _free.LIBCMT ref: 004493BD
                                • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                              • GetTimeZoneInformation.KERNEL32 ref: 004493CF
                              • WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 00449447
                              • WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 00449474
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                              • String ID:
                              • API String ID: 806657224-0
                              • Opcode ID: 633092c3bba77b0065560d4fdbd9d9f897920caf7f9bf618c5d01735725c6ecb
                              • Instruction ID: 1863d2ad967fb4723a60e4ea427cb143a9fbff6035582c54e6546b9b7662ab80
                              • Opcode Fuzzy Hash: 633092c3bba77b0065560d4fdbd9d9f897920caf7f9bf618c5d01735725c6ecb
                              • Instruction Fuzzy Hash: E1312570908201EFDB18DF69DE8086EBBB8FF0572071442AFE054973A1D3748D42DB18
                              APIs
                                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorInfoLastLocale$_free$_abort
                              • String ID:
                              • API String ID: 2829624132-0
                              • Opcode ID: efce462eab54bf8eb2a2b6f9a4d43eb8e53eecd25de09d2246b00390d92e3d5e
                              • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                              • Opcode Fuzzy Hash: efce462eab54bf8eb2a2b6f9a4d43eb8e53eecd25de09d2246b00390d92e3d5e
                              • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                              APIs
                              • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                              • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                              • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                              • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                              • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                              APIs
                              • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00000000), ref: 00433849
                              • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
                              • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Crypt$Context$AcquireRandomRelease
                              • String ID:
                              • API String ID: 1815803762-0
                              • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                              • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                              • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                              • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                              APIs
                              • GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
                              • TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
                              • ExitProcess.KERNEL32 ref: 004432EF
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                              • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                              • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                              • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                              APIs
                              • OpenClipboard.USER32(00000000), ref: 0040B711
                              • GetClipboardData.USER32(0000000D), ref: 0040B71D
                              • CloseClipboard.USER32 ref: 0040B725
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Clipboard$CloseDataOpen
                              • String ID:
                              • API String ID: 2058664381-0
                              • Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                              • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                              • Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                              • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                              APIs
                              • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
                              • NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
                              • CloseHandle.KERNEL32(00000000,?,?,00415FFF,00000000), ref: 0041BB2A
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CloseHandleOpenSuspend
                              • String ID:
                              • API String ID: 1999457699-0
                              • Opcode ID: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                              • Instruction ID: bc08a5c74f7a636e8823ed9fed2a710289fdff4cb0149baf3e3f1c1580a6a9c0
                              • Opcode Fuzzy Hash: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                              • Instruction Fuzzy Hash: 96D05E36204231E3C32017AA7C0CE97AD68EFC5AA2705412AF804C26649B20CC01C6E8
                              APIs
                              • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00416024,00000000), ref: 0041BB40
                              • NtResumeProcess.NTDLL(00000000), ref: 0041BB4D
                              • CloseHandle.KERNEL32(00000000,?,?,00416024,00000000), ref: 0041BB56
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CloseHandleOpenResume
                              • String ID:
                              • API String ID: 3614150671-0
                              • Opcode ID: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                              • Instruction ID: 907c56f48a3137ad3e5a70bb4b43f8813844e3fa30c0a1486a2e097c633c30d6
                              • Opcode Fuzzy Hash: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                              • Instruction Fuzzy Hash: B8D05E36104121E3C220176A7C0CD97AE69EBC5AA2705412AF904C32619B20CC01C6F4
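                               The function entries above record raw call sites with hex arguments (OpenProcess with access mask 00000800 followed by NtSuspendProcess or NtResumeProcess; OpenClipboard, GetClipboardData with format 0000000D, CloseClipboard). The Python script below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's "APIs" format into structured records, decodes the argument constants an analyst would otherwise look up by hand (PROCESS_SUSPEND_RESUME, CF_UNICODETEXT, STATUS_INVALID_PARAMETER, PF_XMMI64_INSTRUCTIONS_AVAILABLE), and derives coarse capability tags from the API set. The sample input lines are copied from entries on this page; the constant tables are a hand-picked subset of the Windows SDK definitions, and the tagging rules are the example's own heuristics, not Joe Sandbox's signatures.

```python
"""Parse Joe Sandbox "APIs" bullet lines and decode their numeric constants.

Added example for this page; not part of Joe Sandbox or of the report above.
The constant tables are a small hand-picked subset of winnt.h / winuser.h.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sample input, copied from the function entries in this report (constructed
# test data for the parser; the last line shows the "subcall" variant).
REPORT_LINES = """
• OpenClipboard.USER32(00000000), ref: 0040B711
• GetClipboardData.USER32(0000000D), ref: 0040B71D
• CloseClipboard.USER32 ref: 0040B725
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
• NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
• CloseHandle.KERNEL32(00000000,?,?,00415FFF,00000000), ref: 0041BB2A
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00453326,?,?,00000008,?,?,004561DD,00000000), ref: 00453558
• IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
""".strip().splitlines()

# "• Name.MODULE(arg,arg,...), ref: ADDR"  or  "• Name.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function ADDR:".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list            # int for 8-hex-digit values, None for "?", str otherwise
    ref: int              # address of the call site
    parent: Optional[int] = None   # set for "Part of subcall function" lines


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                      # Joe Sandbox could not recover the value
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok                           # e.g. "Function_000483BE"


def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_parse_arg(t) for t in raw.split(",")] if raw else []
    parent = m.group("parent")
    return ApiCall(m.group("name"), m.group("module"), args,
                   int(m.group("ref"), 16), int(parent, 16) if parent else None)


def parse_report(lines) -> list:
    return [c for c in (parse_line(l) for l in lines) if c is not None]


# Subset of the Windows SDK constants relevant to the entries on this page.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
CLIPBOARD_FORMATS = {1: "CF_TEXT", 2: "CF_BITMAP", 7: "CF_OEMTEXT",
                     13: "CF_UNICODETEXT", 15: "CF_HDROP"}
NTSTATUS = {0xC000000D: "STATUS_INVALID_PARAMETER", 0xC0000005: "STATUS_ACCESS_VIOLATION",
            0xC0000409: "STATUS_STACK_BUFFER_OVERRUN"}
PROCESSOR_FEATURES = {10: "PF_XMMI64_INSTRUCTIONS_AVAILABLE", 23: "PF_FASTFAIL_AVAILABLE"}


def decode_flags(value: int, table: dict) -> str:
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)           # bits not covered by the table
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"


# (API name, argument index) -> (parameter name, decoder)
DECODERS = {
    ("OpenProcess", 0): ("dwDesiredAccess", lambda v: decode_flags(v, PROCESS_ACCESS)),
    ("GetClipboardData", 0): ("uFormat", lambda v: CLIPBOARD_FORMATS.get(v, f"0x{v:X}")),
    ("RaiseException", 0): ("dwExceptionCode", lambda v: NTSTATUS.get(v, f"0x{v:08X}")),
    ("IsProcessorFeaturePresent", 0): ("ProcessorFeature",
                                       lambda v: PROCESSOR_FEATURES.get(v, str(v))),
}


def annotate(call: ApiCall) -> str:
    """Render a call with every argument we know how to decode."""
    parts = []
    for (name, idx), (param, fn) in DECODERS.items():
        if name == call.name and idx < len(call.args) and isinstance(call.args[idx], int):
            v = call.args[idx]
            parts.append(f"{param}=0x{v:X} -> {fn(v)}")
    return f"{call.name}({', '.join(parts)}) @ {call.ref:08X}"


def behaviours(calls) -> set:
    """Coarse capability tags; heuristics of this example, not sandbox signatures."""
    names = {c.name for c in calls}
    tags = set()
    if {"OpenClipboard", "GetClipboardData"} <= names:
        tags.add("reads clipboard")
    suspend_access = any(c.name == "OpenProcess" and c.args
                         and isinstance(c.args[0], int) and c.args[0] & 0x0800
                         for c in calls)
    if suspend_access and names & {"NtSuspendProcess", "NtResumeProcess"}:
        tags.add("suspends/resumes other processes")
    return tags


if __name__ == "__main__":
    calls = parse_report(REPORT_LINES)
    for c in calls:
        print(annotate(c))
    print(sorted(behaviours(calls)))
```

                               Run against a saved report, the same parser can be pointed at every "APIs" block to list which call sites request PROCESS_SUSPEND_RESUME or read CF_UNICODETEXT, which is quicker than scanning the hex by eye; the decoder tables only need extending for constants that matter to the case at hand.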
                              APIs
                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID: GetLocaleInfoEx
                              • API String ID: 2299586839-2904428671
                              • Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                              • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                              • Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                              • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                              • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                              • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                              • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$FreeProcess
                              • String ID:
                              • API String ID: 3859560861-0
                              • Opcode ID: 9f2d401c641a2cfb93471127350fb786a64fc0260f1ce6cfe78b140b0d52c749
                              • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                              • Opcode Fuzzy Hash: 9f2d401c641a2cfb93471127350fb786a64fc0260f1ce6cfe78b140b0d52c749
                              • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                              APIs
                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00453326,?,?,00000008,?,?,004561DD,00000000), ref: 00453558
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionRaise
                              • String ID:
                              • API String ID: 3997070919-0
                              • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                              • Instruction ID: ef9cfcefdd20db456822e604066c987cb5d00f1002a97bdaec88d2537339d9b1
                              • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                              • Instruction Fuzzy Hash: 40B16C311106089FD715CF28C48AB657BE0FF053A6F258659EC9ACF3A2C739DA96CB44
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
                              • Instruction ID: aa2317f629b7fe23c078ec1ce6c5eb8ae6c7f7e5ba67e2b2e47e92e01b9ebfde
                              • Opcode Fuzzy Hash: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
                              • Instruction Fuzzy Hash: A4126F32B083008BD714EF6AD851A1FB3E2BFCC758F15892EF585A7391DA34E9058B46
                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: FeaturePresentProcessor
                              • String ID:
                              • API String ID: 2325560087-0
                              • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                              • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                              • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                              • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                              APIs
                                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$_free$InfoLocale_abort
                              • String ID:
                              • API String ID: 1663032902-0
                              • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                              • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                              • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                              • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                              APIs
                                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                              • EnumSystemLocalesW.KERNEL32(004520C3,00000001), ref: 0045200D
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                              • String ID:
                              • API String ID: 1084509184-0
                              • Opcode ID: 92dc4731b164c5dad593997b290ced1c322b4c5a654dbafbc59ecf52729822b9
                              • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                              • Opcode Fuzzy Hash: 92dc4731b164c5dad593997b290ced1c322b4c5a654dbafbc59ecf52729822b9
                              • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                              APIs
                                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$InfoLocale_abort_free
                              • String ID:
                              • API String ID: 2692324296-0
                              • Opcode ID: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                              • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                              • Opcode Fuzzy Hash: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                              • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                              APIs
                                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                              • EnumSystemLocalesW.KERNEL32(00452313,00000001), ref: 00452082
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                              • String ID:
                              • API String ID: 1084509184-0
                              • Opcode ID: 80e5df12ac25632c7280d140c15a53509e07ecbf1c9f73c72f1a6f69193256f5
                              • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                              • Opcode Fuzzy Hash: 80e5df12ac25632c7280d140c15a53509e07ecbf1c9f73c72f1a6f69193256f5
                              • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                              APIs
                                • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                              • EnumSystemLocalesW.KERNEL32(Function_000483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalEnterEnumLocalesSectionSystem
                              • String ID:
                              • API String ID: 1272433827-0
                              • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                              • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                              • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                              • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                              APIs
                                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                              • EnumSystemLocalesW.KERNEL32(00451EA7,00000001), ref: 00451F87
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                              • String ID:
                              • API String ID: 1084509184-0
                              • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                              • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                              • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                              APIs
                              • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                              • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                               Similarity
                               • String ID: 0
                               • API String ID: 0-4108050209
                               • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                               • Instruction ID: cdd912994a32e16cda9accbda93f1ea0618352901e275441ec4d65c4c105c2b3
                               • Instruction Fuzzy Hash: 9C514771603648A7DF3489AB88567BF63899B0E344F18394BD882C73C3C62DED02975E
                               Similarity
                               • String ID: @
                               • API String ID: 0-2766056989
                               • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                               • Instruction ID: e4f6ca204f58efd2523fb0dbef6dba8f744ce0bfcff40a2940ff04dc0a880f4e
                               • Instruction Fuzzy Hash: A841FB75A187558BC340CF29C58061BFBE1FFD8318F655A1EF889A3350D375E9428B86
                              APIs
                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                              • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                              • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                              • DeleteDC.GDI32(00000000), ref: 00418F2A
                              • DeleteDC.GDI32(00000000), ref: 00418F2D
                              • DeleteObject.GDI32(00000000), ref: 00418F30
                              • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                              • DeleteDC.GDI32(00000000), ref: 00418F62
                              • DeleteDC.GDI32(00000000), ref: 00418F65
                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                              • GetCursorInfo.USER32(?), ref: 00418FA7
                              • GetIconInfo.USER32(?,?), ref: 00418FBD
                              • DeleteObject.GDI32(?), ref: 00418FEC
                              • DeleteObject.GDI32(?), ref: 00418FF9
                              • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                              • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                              • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                              • DeleteDC.GDI32(?), ref: 0041917C
                              • DeleteDC.GDI32(00000000), ref: 0041917F
                              • DeleteObject.GDI32(00000000), ref: 00419182
                              • GlobalFree.KERNEL32(?), ref: 0041918D
                              • DeleteObject.GDI32(00000000), ref: 00419241
                              • GlobalFree.KERNEL32(?), ref: 00419248
                              • DeleteDC.GDI32(?), ref: 00419258
                              • DeleteDC.GDI32(00000000), ref: 00419263
                              Similarity
                              • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                              • String ID: DISPLAY
                              • API String ID: 4256916514-865373369
                              • Opcode ID: f392394fe482629c540e7e64cf6a4c742858ec4acf93355850be4a976d5cc3ae
                              • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                              • Opcode Fuzzy Hash: f392394fe482629c540e7e64cf6a4c742858ec4acf93355850be4a976d5cc3ae
                              • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                              APIs
                                • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                              • ExitProcess.KERNEL32 ref: 0040D7D0
                              Similarity
                              • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                              • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$wend$while fso.FileExists("
                              • API String ID: 1861856835-2780701618
                              • Opcode ID: fee8ff9718fb40c9beafe4bb2eefbd291afa4f5ad22c135011e1b35f2f9dc20b
                              • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                              • Opcode Fuzzy Hash: fee8ff9718fb40c9beafe4bb2eefbd291afa4f5ad22c135011e1b35f2f9dc20b
                              • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                              APIs
                              • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                              • GetProcAddress.KERNEL32(00000000), ref: 00418139
                              • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                              • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                              • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                              • GetProcAddress.KERNEL32(00000000), ref: 00418161
                              • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                              • GetProcAddress.KERNEL32(00000000), ref: 00418175
                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                              • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                              • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                              • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                              • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                              • ResumeThread.KERNEL32(?), ref: 00418435
                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                              • GetCurrentProcess.KERNEL32(?), ref: 00418457
                              • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                              • GetLastError.KERNEL32 ref: 0041847A
                              Similarity
                              • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                              • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                              • API String ID: 4188446516-3035715614
                              • Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                              • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                              • Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                              • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                              APIs
                                • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                              • ExitProcess.KERNEL32 ref: 0040D419
                              Similarity
                              • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                              • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$pth_unenc$wend$while fso.FileExists("
                              • API String ID: 3797177996-2616068718
                              • Opcode ID: 4b4a4e1b4e3b5756a36c8647b5f37cacc16024b06e010f5374005e12c290012d
                              • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                              • Opcode Fuzzy Hash: 4b4a4e1b4e3b5756a36c8647b5f37cacc16024b06e010f5374005e12c290012d
                              • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                              APIs
                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                              • ExitProcess.KERNEL32(00000000), ref: 004124A0
                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                              • CloseHandle.KERNEL32(00000000), ref: 0041253B
                              • GetCurrentProcessId.KERNEL32 ref: 00412541
                              • PathFileExistsW.SHLWAPI(?), ref: 00412572
                              • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                              • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                              • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                              • Sleep.KERNEL32(000001F4), ref: 00412682
                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                              • CloseHandle.KERNEL32(00000000), ref: 004126A9
                              • GetCurrentProcessId.KERNEL32 ref: 004126AF
                              Similarity
                              • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                              • String ID: .exe$8SG$WDH$exepath$open$temp_
                              • API String ID: 2649220323-436679193
                              • Opcode ID: 4f95786cf2f2c00e5bb866ed93791c3a94b5cceb6ba25eb1f7637f0f1d303f44
                              • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                              • Opcode Fuzzy Hash: 4f95786cf2f2c00e5bb866ed93791c3a94b5cceb6ba25eb1f7637f0f1d303f44
                              • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                              APIs
                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                              • SetEvent.KERNEL32 ref: 0041B219
                              • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                              • CloseHandle.KERNEL32 ref: 0041B23A
                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                              Similarity
                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                              • API String ID: 738084811-2094122233
                              • Opcode ID: d8e8c206765fb8c6cce3e10abac076b9acf238fed8b3c118489cf00483a7f27b
                              • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                              • Opcode Fuzzy Hash: d8e8c206765fb8c6cce3e10abac076b9acf238fed8b3c118489cf00483a7f27b
                              • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                              APIs
                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                              • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                              • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                              • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                              Similarity
                              • API ID: File$Write$Create
                              • String ID: RIFF$WAVE$data$fmt
                              • API String ID: 1602526932-4212202414
                              • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                              • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                              • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                              • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                              APIs
                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe,00000001,0040764D,C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                              • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                              • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                              • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                              • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                              • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                              • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                              • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                              • API String ID: 1646373207-268084153
                              • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                              • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                              • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                              • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                              APIs
                              • _wcslen.LIBCMT ref: 0040CE07
                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                              • _wcslen.LIBCMT ref: 0040CEE6
                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe,00000000,00000000), ref: 0040CF84
                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                              • _wcslen.LIBCMT ref: 0040CFC6
                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                              • ExitProcess.KERNEL32 ref: 0040D062
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                              • String ID: 6$C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe$del$hdF$open
                              • API String ID: 1579085052-1451950516
                              • Opcode ID: 4f87b9d86e0d177ce47a61f674f44f3f48b1c9db7a96dc1323a3ea9f6ed17011
                              • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                              • Opcode Fuzzy Hash: 4f87b9d86e0d177ce47a61f674f44f3f48b1c9db7a96dc1323a3ea9f6ed17011
                              • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
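The record above traces the sample's installation path: it creates a directory, copies its own image there (CopyFileW with the sample's own path as the source), sets attribute mask 0x7 (read-only, hidden, system) on the copy with SetFileAttributesW, launches the copy through ShellExecuteW with the "open" verb and nShowCmd 1 (SW_SHOWNORMAL), and then calls ExitProcess so the original on the Desktop goes away. The Python below is an added example and is not code from the Joe Sandbox report or from the sample: it parses bullet lines in the report's "APIs" layout (`• Name.MODULE(args), ref: ADDR`, the trace embedded here being copied from the record above) and flags that self-copy chain. The `Call` class, the `find_self_install` rule and its step names are our own, and the parser assumes the argument layout this page prints.

```python
"""Parse Joe Sandbox 'APIs' bullet lines and flag a self-copy install chain.

Added example for triaging this listing; not code from Joe Sandbox or from the sample.
The TRACE below is copied from the report record above (offsets and arguments as the
report prints them).  Rule, helper and class names are our own."""
import re
from dataclasses import dataclass

# Win32 file attribute bits set by the sample's SetFileAttributesW(..., 00000007) call.
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
_ATTR_NAMES = {
    FILE_ATTRIBUTE_READONLY: "READONLY",
    FILE_ATTRIBUTE_HIDDEN: "HIDDEN",
    FILE_ATTRIBUTE_SYSTEM: "SYSTEM",
}
# ShellExecuteW nShowCmd values that occur in this listing (1 here, 0 in the uninstall routine).
_SHOW_CMD = {0: "SW_HIDE", 1: "SW_SHOWNORMAL"}

# One call per bullet; CRT helpers such as _wcslen.LIBCMT carry no argument list.
_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Constructed input: the bullet lines of the record above, verbatim.
SELF_PATH = r"C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe"
TRACE = r"""• _wcslen.LIBCMT ref: 0040CE07
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
• CopyFileW.KERNEL32(C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
• ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
• ExitProcess.KERNEL32 ref: 0040D062
"""


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int


def _hex(s: str):
    """Report arguments are 8-digit hex, or '?' when the plugin could not resolve them."""
    try:
        return int(s, 16)
    except ValueError:
        return None


def parse_trace(text: str) -> list:
    """Turn the bullet lines of an 'APIs' block into Call records, in listing order."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank lines, 'Part of subcall function' notes, section headings
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_attributes(mask: int) -> list:
    """Expand a SetFileAttributesW mask into the attribute names it sets."""
    return [name for bit, name in _ATTR_NAMES.items() if mask & bit]


def find_self_install(calls: list, self_path: str) -> dict:
    """Match: copy own image -> mark the copy hidden/system -> launch it -> ExitProcess.

    Returns the matched steps keyed by name (values are refs, plus decoded detail),
    or an empty dict when the chain is incomplete."""
    steps = {}
    for c in calls:
        if c.api == "CopyFileW" and c.args and c.args[0].lower() == self_path.lower():
            steps.setdefault("copy_self", c.ref)
        elif c.api == "SetFileAttributesW" and "copy_self" in steps and len(c.args) >= 2:
            mask = _hex(c.args[1])
            if mask is not None and mask & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM):
                steps.setdefault("hide_copy", (c.ref, decode_attributes(mask)))
        elif c.api == "ShellExecuteW" and "hide_copy" in steps and len(c.args) >= 2 and c.args[1] == "open":
            show = _hex(c.args[-1])
            steps.setdefault("launch", (c.ref, _SHOW_CMD.get(show, show)))
        elif c.api == "ExitProcess" and "launch" in steps:
            steps.setdefault("exit", c.ref)
    return steps if "exit" in steps else {}


if __name__ == "__main__":
    for name, detail in find_self_install(parse_trace(TRACE), SELF_PATH).items():
        print(f"{name:10s} {detail}")
```

The rule deliberately keys on the source path of CopyFileW matching the process's own image rather than on any destination, because the report resolves the destination only as `00000000`; on a live host the same chain shows up as a new hidden+system executable plus a process start from it within the same second.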
                              APIs
                              • lstrlenW.KERNEL32(?), ref: 0041C036
                              • _memcmp.LIBVCRUNTIME ref: 0041C04E
                              • lstrlenW.KERNEL32(?), ref: 0041C067
                              • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                              • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                              • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                              • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                              • _wcslen.LIBCMT ref: 0041C13B
                              • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                              • GetLastError.KERNEL32 ref: 0041C173
                              • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                              • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                              • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                              • GetLastError.KERNEL32 ref: 0041C1D0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                              • String ID: ?
                              • API String ID: 3941738427-1684325040
                              • Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                              • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                              • Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                              • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$EnvironmentVariable$_wcschr
                              • String ID:
                              • API String ID: 3899193279-0
                              • Opcode ID: 29e20a8b6f82b01f2bc0b1928d1843f4180e688e59a8e557996253b0e818dfbc
                              • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                              • Opcode Fuzzy Hash: 29e20a8b6f82b01f2bc0b1928d1843f4180e688e59a8e557996253b0e818dfbc
                              • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                              • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                              • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                              • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                              • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                              • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                              • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                              • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                              • Sleep.KERNEL32(00000064), ref: 00412E94
                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                              • String ID: /stext "$0TG$0TG$NG$NG
                              • API String ID: 1223786279-2576077980
                              • Opcode ID: 90d4c092a4d8c3a62046acd6d990d67ec0442bc5a2b437def16d8d1283c17e39
                              • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                              • Opcode Fuzzy Hash: 90d4c092a4d8c3a62046acd6d990d67ec0442bc5a2b437def16d8d1283c17e39
                              • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                              • __aulldiv.LIBCMT ref: 00408D4D
                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                              • CloseHandle.KERNEL32(00000000), ref: 00408F64
                              • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                              • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $hdF$NG
                              • API String ID: 3086580692-1206044436
                              • Opcode ID: 0e3b00f0d054dd9d4e65558b8748f047901974dbbd6c7312783ad86e8ae83a30
                              • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                              • Opcode Fuzzy Hash: 0e3b00f0d054dd9d4e65558b8748f047901974dbbd6c7312783ad86e8ae83a30
                              • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                              APIs
                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                              • GetCursorPos.USER32(?), ref: 0041D5E9
                              • SetForegroundWindow.USER32(?), ref: 0041D5F2
                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                              • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                              • ExitProcess.KERNEL32 ref: 0041D665
                              • CreatePopupMenu.USER32 ref: 0041D66B
                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                              • String ID: Close
                              • API String ID: 1657328048-3535843008
                              • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                              • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                              • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                              • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$Info
                              • String ID:
                              • API String ID: 2509303402-0
                              • Opcode ID: 9094c5905650f009f2c76acd15db721ffce709daf4134b43c64b0333b658fa34
                              • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                              • Opcode Fuzzy Hash: 9094c5905650f009f2c76acd15db721ffce709daf4134b43c64b0333b658fa34
                              • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                              APIs
                                • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                              • ExitProcess.KERNEL32 ref: 0040D9C4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                              • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$hdF$open
                              • API String ID: 1913171305-51354631
                              • Opcode ID: 920a0537c73373d1fa928f529e957bf362437fc51c5983c7c145f5f31e510bcc
                              • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                              • Opcode Fuzzy Hash: 920a0537c73373d1fa928f529e957bf362437fc51c5983c7c145f5f31e510bcc
                              • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                              APIs
                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                              • LoadLibraryA.KERNEL32(?), ref: 00414E17
                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                              • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                              • LoadLibraryA.KERNEL32(?), ref: 00414E76
                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                              • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                              • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                              • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Library$AddressFreeProc$Load$DirectorySystem
                              • String ID: \ws2_32$\wship6$getaddrinfo
                              • API String ID: 2490988753-3078833738
                              • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                              • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                              • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                              • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                              APIs
                              • ___free_lconv_mon.LIBCMT ref: 0045130A
                                • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                              • _free.LIBCMT ref: 004512FF
                                • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                              • _free.LIBCMT ref: 00451321
                              • _free.LIBCMT ref: 00451336
                              • _free.LIBCMT ref: 00451341
                              • _free.LIBCMT ref: 00451363
                              • _free.LIBCMT ref: 00451376
                              • _free.LIBCMT ref: 00451384
                              • _free.LIBCMT ref: 0045138F
                              • _free.LIBCMT ref: 004513C7
                              • _free.LIBCMT ref: 004513CE
                              • _free.LIBCMT ref: 004513EB
                              • _free.LIBCMT ref: 00451403
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                              • String ID:
                              • API String ID: 161543041-0
                              • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                              • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                              • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                              • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                              APIs
                              • __EH_prolog.LIBCMT ref: 00419FB9
                              • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                              • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                              • GetLocalTime.KERNEL32(?), ref: 0041A105
                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                              • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                              • API String ID: 489098229-1431523004
                              • Opcode ID: 74d135751b3a5a5dd2f0b0327ce2346d099fb9b4d0bdba82b7b527c99728bf6f
                              • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                              • Opcode Fuzzy Hash: 74d135751b3a5a5dd2f0b0327ce2346d099fb9b4d0bdba82b7b527c99728bf6f
                              • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
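Two records in this listing point at artefacts a responder can hunt for on the host. The uninstall routine above (the record whose strings include `.vbs`, `Temp` and `exepath`) writes a script whose fragments `CreateObject("WScript.Shell").Run "cmd /c ""` and `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)` run a command through cmd and then delete the script itself; the screen-capture routine directly above names its output with the format strings `time_%04i%02i%02i_%02i%02i%02i` and `wnd_%04i%02i%02i_%02i%02i%02i`. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it walks a directory tree and reports both kinds of file. The VBS fixture is assembled from the report's fragments around a placeholder command and is not the sample's actual script; the script name `install.vbs`, the `Screenshots` directory and the `.jpg` extension are assumptions (the report shows neither a script name nor the capture extension), and `hunt` and `demo` are our own helpers.

```python
"""Hunt for host artefacts implied by this listing: a self-deleting .vbs and
screen captures named time_/wnd_<YYYYMMDD>_<HHMMSS>.

Added example; not part of the Joe Sandbox report or of the sample."""
import os
import re
import tempfile

# Exact string fragments the report lists for the uninstall routine.
VBS_MARKERS = (
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)',
    'CreateObject("WScript.Shell").Run "cmd /c ""',
)

# time_%04i%02i%02i_%02i%02i%02i / wnd_... -> 8 date digits, '_', 6 time digits.
# The report does not show an extension, so any (or none) is accepted: assumption.
CAPTURE_NAME = re.compile(r"^(?:time|wnd)_\d{8}_\d{6}(?:\.[A-Za-z0-9]+)?$")


def is_self_deleting_vbs(text: str) -> bool:
    """True when a script both runs a cmd /c command and deletes its own file."""
    return all(marker in text for marker in VBS_MARKERS)


def is_capture_name(name: str) -> bool:
    """True for file names matching the capture routine's time_/wnd_ pattern."""
    return CAPTURE_NAME.match(name) is not None


def hunt(root: str) -> dict:
    """Walk root and return {'vbs': [...], 'captures': [...]} of matching paths, sorted."""
    found = {"vbs": [], "captures": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".vbs"):
                try:
                    # Scripts of this kind are tiny; cap the read so a huge file cannot stall the scan.
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        if is_self_deleting_vbs(fh.read(64 * 1024)):
                            found["vbs"].append(path)
                except OSError:
                    continue
            elif is_capture_name(name):
                found["captures"].append(path)
    for key in found:
        found[key].sort()
    return found


# Constructed fixture: the report's fragments with a placeholder command in between.
# This is NOT the sample's script, only enough of its shape to exercise the check.
CONSTRUCTED_VBS = (
    'CreateObject("WScript.Shell").Run "cmd /c ""<command elided>""", 0\n'
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\n'
)


def demo() -> dict:
    """Build a throwaway tree (assumed layout), hunt it, and return base names only."""
    with tempfile.TemporaryDirectory() as root:
        temp = os.path.join(root, "Temp")
        os.makedirs(temp)
        with open(os.path.join(temp, "install.vbs"), "w", encoding="utf-8") as fh:
            fh.write(CONSTRUCTED_VBS)
        with open(os.path.join(temp, "benign.vbs"), "w", encoding="utf-8") as fh:
            fh.write('WScript.Echo "hello"\n')  # a script that must not match
        caps = os.path.join(root, "Screenshots")
        os.makedirs(caps)
        for stem in ("time_20240627_101530", "wnd_20240627_101531", "notes_20240627"):
            with open(os.path.join(caps, stem + ".jpg"), "wb"):
                pass
        result = hunt(root)
    return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

On a real host the place to point `hunt` at is the user's Temp directory for the script (the routine's strings name `Temp`) and whatever directory the sample's configuration selects for captures; the script is short-lived by design, so a scheduled or real-time scan catches it where a post-incident sweep often will not.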
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: 254a45d13dc17f8193fb49a21e0437c2e24f1d30005ae806f7b55d059326d2f9
                              • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                              • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                              APIs
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                              • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                              • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                              • closesocket.WS2_32(000000FF), ref: 00404E5A
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                              • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                              • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                              • String ID:
                              • API String ID: 3658366068-0
                              • Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                              • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                              • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                              APIs
                                • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                              • GetLastError.KERNEL32 ref: 00455CEF
                              • __dosmaperr.LIBCMT ref: 00455CF6
                              • GetFileType.KERNEL32(00000000), ref: 00455D02
                              • GetLastError.KERNEL32 ref: 00455D0C
                              • __dosmaperr.LIBCMT ref: 00455D15
                              • CloseHandle.KERNEL32(00000000), ref: 00455D35
                              • CloseHandle.KERNEL32(?), ref: 00455E7F
                              • GetLastError.KERNEL32 ref: 00455EB1
                              • __dosmaperr.LIBCMT ref: 00455EB8
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: H
                              • API String ID: 4237864984-2852464175
                              • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                              • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                              • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: _free
                              • String ID: \&G$\&G$`&G
                              • API String ID: 269201875-253610517
                              • Opcode ID: 54bacd4608e85086af0c53d36c04cab1eac326f32a298170f026442155b41016
                              • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                              • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID:
                              • String ID: 65535$udp
                              • API String ID: 0-1267037602
                              • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                              • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                              • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                              APIs
                              • OpenClipboard.USER32 ref: 00416941
                              • EmptyClipboard.USER32 ref: 0041694F
                              • CloseClipboard.USER32 ref: 00416955
                              • OpenClipboard.USER32 ref: 0041695C
                              • GetClipboardData.USER32(0000000D), ref: 0041696C
                              • GlobalLock.KERNEL32(00000000), ref: 00416975
                              • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                              • CloseClipboard.USER32 ref: 00416984
                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                              • String ID: !D@$hdF
                              • API String ID: 2172192267-3475379602
                              • Opcode ID: d2446446bc78ff156cd0a5b9c1ed5396e902ca05eeaaad5f80401f9e45e0f5b8
                              • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                              • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                              • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                              • __dosmaperr.LIBCMT ref: 0043A8A6
                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                              • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                              • __dosmaperr.LIBCMT ref: 0043A8E3
                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                              • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                              • __dosmaperr.LIBCMT ref: 0043A937
                              • _free.LIBCMT ref: 0043A943
                              • _free.LIBCMT ref: 0043A94A
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                              • String ID:
                              • API String ID: 2441525078-0
                              • Opcode ID: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
                              • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                              • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                              APIs
                              • SetEvent.KERNEL32(?,?), ref: 004054BF
                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                              • TranslateMessage.USER32(?), ref: 0040557E
                              • DispatchMessageA.USER32(?), ref: 00405589
                              • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                              • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                              • String ID: CloseChat$DisplayMessage$GetMessage
                              • API String ID: 2956720200-749203953
                              • Opcode ID: 4e03373af7eeeb9936375b269bef3945a6131de3e34cc77984f59bad7a7b41d8
                              • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                              • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                              APIs
                                • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                              • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                              • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                              • String ID: 0VG$0VG$<$@$Temp
                              • API String ID: 1704390241-2575729100
                              • Opcode ID: 0e0595c1528403dfbc3bd7d0ff12dc6c712b705655a801e4077f90c78fb903f7
                              • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                              • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                              • int.LIBCPMT ref: 00410E81
                                • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                              • std::_Facet_Register.LIBCPMT ref: 00410EC1
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                              • __Init_thread_footer.LIBCMT ref: 00410F29
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                              • String ID: ,kG$0kG$@!G
                              • API String ID: 3815856325-312998898
                              • Opcode ID: 104655b219d7360bbd62e7af1339e96782af3c0a0346709f02f53ac4a63324da
                              • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                              • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                              • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              • Opcode ID: 7b2cf5faf853fa98289cc991659be0cbca7e258cea3468f32c8f6232fd3e676c
                              • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                              • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                              APIs
                              • _free.LIBCMT ref: 00448135
                                • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                              • _free.LIBCMT ref: 00448141
                              • _free.LIBCMT ref: 0044814C
                              • _free.LIBCMT ref: 00448157
                              • _free.LIBCMT ref: 00448162
                              • _free.LIBCMT ref: 0044816D
                              • _free.LIBCMT ref: 00448178
                              • _free.LIBCMT ref: 00448183
                              • _free.LIBCMT ref: 0044818E
                              • _free.LIBCMT ref: 0044819C
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                              • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                              • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Similarity
                              • API ID: Eventinet_ntoa
                              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                              • API String ID: 3578746661-3604713145
                              • Opcode ID: 83326b39564adc2a5c543354c5cc6bace838cf1f2ecf1d5adf4f21e91a931bff
                              • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                              • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                              • Sleep.KERNEL32(00000064), ref: 00417521
                              • DeleteFileW.KERNEL32(00000000), ref: 00417555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CreateDeleteExecuteShellSleep
                              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                              • API String ID: 1462127192-2001430897
                              • Opcode ID: 446d5803efde6a9f1d6c5190944227576de240e19d7a317c876067d7af06ff34
                              • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                              • Opcode Fuzzy Hash: 446d5803efde6a9f1d6c5190944227576de240e19d7a317c876067d7af06ff34
                              • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                              APIs
                              • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                              • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe), ref: 0040749E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CurrentProcess
                              • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                              • API String ID: 2050909247-4242073005
                              • Opcode ID: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
                              • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                              • Opcode Fuzzy Hash: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
                              • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                              APIs
                              • _strftime.LIBCMT ref: 00401D50
                                • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                              • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                              • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                              • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                              • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                              • API String ID: 3809562944-243156785
                              • Opcode ID: ea46db1a35f2c9a2b045b3db18ee993060b77fd334bfa98162aa65f0038d2e9b
                              • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                              • Opcode Fuzzy Hash: ea46db1a35f2c9a2b045b3db18ee993060b77fd334bfa98162aa65f0038d2e9b
                              • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                              APIs
                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                              • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                              • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                              • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                              • waveInStart.WINMM ref: 00401CFE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                              • String ID: dMG$|MG$PG
                              • API String ID: 1356121797-532278878
                              • Opcode ID: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                              • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                              • Opcode Fuzzy Hash: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                              • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                              • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                              • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                              • TranslateMessage.USER32(?), ref: 0041D4E9
                              • DispatchMessageA.USER32(?), ref: 0041D4F3
                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                              • String ID: Remcos
                              • API String ID: 1970332568-165870891
                              • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                              • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                              • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                              • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
                              • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                              • Opcode Fuzzy Hash: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
                              • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                              APIs
                              • GetCPInfo.KERNEL32(?,?), ref: 00453E2F
                              • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453EB2
                              • __alloca_probe_16.LIBCMT ref: 00453EEA
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453F45
                              • __alloca_probe_16.LIBCMT ref: 00453F94
                              • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F5C
                                • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FD8
                              • __freea.LIBCMT ref: 00454003
                              • __freea.LIBCMT ref: 0045400F
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                              • String ID:
                              • API String ID: 201697637-0
                              • Opcode ID: 41faff77b3ca8bcb7800d11aee7d3bd6127a2cdf4248cdb25627aedf265c2dc0
                              • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                              • Opcode Fuzzy Hash: 41faff77b3ca8bcb7800d11aee7d3bd6127a2cdf4248cdb25627aedf265c2dc0
                              • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                              APIs
                                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                              • _memcmp.LIBVCRUNTIME ref: 00445423
                              • _free.LIBCMT ref: 00445494
                              • _free.LIBCMT ref: 004454AD
                              • _free.LIBCMT ref: 004454DF
                              • _free.LIBCMT ref: 004454E8
                              • _free.LIBCMT ref: 004454F4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorLast$_abort_memcmp
                              • String ID: C
                              • API String ID: 1679612858-1037565863
                              • Opcode ID: f6fd18d4392df02cbe2be5e2d03c6f20a759fef808f06ac5ce3ebcd5771f977e
                              • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                              • Opcode Fuzzy Hash: f6fd18d4392df02cbe2be5e2d03c6f20a759fef808f06ac5ce3ebcd5771f977e
                              • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: tcp$udp
                              • API String ID: 0-3725065008
                              • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                              • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                              • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                              • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                              APIs
                              • __Init_thread_footer.LIBCMT ref: 004018BE
                              • ExitThread.KERNEL32 ref: 004018F6
                              • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                              • String ID: SN$PkG$NG$NG
                              • API String ID: 1649129571-1009871445
                              • Opcode ID: 3112d8a7119d3212cc95ed1c57af8847b596d544db43cbe7024ea2d1079bf73c
                              • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                              • Opcode Fuzzy Hash: 3112d8a7119d3212cc95ed1c57af8847b596d544db43cbe7024ea2d1079bf73c
                              • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                              APIs
                              • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEnumInfoOpenQuerysend
                              • String ID: hdF$xUG$NG$NG$TG
                              • API String ID: 3114080316-2774981958
                              • Opcode ID: d5d568273ac789f380ea000cc321d881b21a875cc534d84a08e4633975987438
                              • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                              • Opcode Fuzzy Hash: d5d568273ac789f380ea000cc321d881b21a875cc534d84a08e4633975987438
                              • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                              • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                              • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                              • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                              • String ID: .part
                              • API String ID: 1303771098-3499674018
                              • Opcode ID: c2a296b167e086494c659215c5e52d087b3aa464f6e1000890bb20d2f8d2fd06
                              • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                              • Opcode Fuzzy Hash: c2a296b167e086494c659215c5e52d087b3aa464f6e1000890bb20d2f8d2fd06
                              • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                              APIs
                              • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                              • GetConsoleWindow.KERNEL32 ref: 0041CDAA
                              • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                              • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Console$Window$AllocOutputShow
                              • String ID: Remcos v$5.0.0 Pro$CONOUT$
                              • API String ID: 4067487056-2278869229
                              • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                              • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                              • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                              • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                              APIs
                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                              • __alloca_probe_16.LIBCMT ref: 0044ACDB
                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                              • __alloca_probe_16.LIBCMT ref: 0044ADC0
                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                              • __freea.LIBCMT ref: 0044AE30
                                • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                              • __freea.LIBCMT ref: 0044AE39
                              • __freea.LIBCMT ref: 0044AE5E
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                              • String ID:
                              • API String ID: 3864826663-0
                              • Opcode ID: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                              • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                              • Opcode Fuzzy Hash: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                              • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                              APIs
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                              • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                              Yara matches
                              Similarity
                              • API ID: InputSend
                              • String ID:
                              • API String ID: 3431551938-0
                              • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                              • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                              • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                              • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                              APIs
                              Strings
                              Yara matches
                              Similarity
                              • API ID: __freea$__alloca_probe_16_free
                              • String ID: a/p$am/pm$zD
                              • API String ID: 2936374016-2723203690
                              • Opcode ID: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                              • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                              • Opcode Fuzzy Hash: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                              • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                              APIs
                              • RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041C726
                              • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CloseEnumOpen
                              • String ID: DisplayName
                              • API String ID: 1332880857-3786665039
                              • Opcode ID: f8c39a8c5312d126ce2fea3caf237c12ed67f6eb61076c5a3b07a390ba7738a1
                              • Instruction ID: 30dd124696def6d144da0f01c12024620090e461f41beb3abd2b2340f2562d2c
                              • Opcode Fuzzy Hash: f8c39a8c5312d126ce2fea3caf237c12ed67f6eb61076c5a3b07a390ba7738a1
                              • Instruction Fuzzy Hash: E961F3711082419AD325EF11D851EEFB3E8BF94309F10493FB589921A2FF789E49CA5A
                              APIs
                              • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                              • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Enum$InfoQueryValue
                              • String ID: [regsplt]$xUG$TG
                              • API String ID: 3554306468-1165877943
                              • Opcode ID: 33c7f91080d72b7d6eae4ad8ea9185415ff74703dc449a1b63b856fadc20d013
                              • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                              • Opcode Fuzzy Hash: 33c7f91080d72b7d6eae4ad8ea9185415ff74703dc449a1b63b856fadc20d013
                              • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                              APIs
                              • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                              • __fassign.LIBCMT ref: 0044B479
                              • __fassign.LIBCMT ref: 0044B494
                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                              • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B4D9
                              • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B512
                              Yara matches
                              Similarity
                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                              • String ID:
                              • API String ID: 1324828854-0
                              • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                              • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                              • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                              • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                              APIs
                                • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                              • _wcslen.LIBCMT ref: 0041B763
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                              • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                              • API String ID: 3286818993-122982132
                              • Opcode ID: 9e766dfad90d1072eeebd329423a54b06a7feef5cd64e583281de775404f8260
                              • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                              • Opcode Fuzzy Hash: 9e766dfad90d1072eeebd329423a54b06a7feef5cd64e583281de775404f8260
                              • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                              APIs
                                • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                              • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                              • API String ID: 1133728706-4073444585
                              • Opcode ID: 68a42e42b8838ca6718af06bcf6c8b1fb058983d8eb4a6e4fef459ca4e905c38
                              • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                              • Opcode Fuzzy Hash: 68a42e42b8838ca6718af06bcf6c8b1fb058983d8eb4a6e4fef459ca4e905c38
                              • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                              • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                              • Opcode Fuzzy Hash: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                              • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                              APIs
                                • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                              • _free.LIBCMT ref: 00450F48
                                • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                              • _free.LIBCMT ref: 00450F53
                              • _free.LIBCMT ref: 00450F5E
                              • _free.LIBCMT ref: 00450FB2
                              • _free.LIBCMT ref: 00450FBD
                              • _free.LIBCMT ref: 00450FC8
                              • _free.LIBCMT ref: 00450FD3
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                              • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                              • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                              • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                              • int.LIBCPMT ref: 00411183
                                • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                              • std::_Facet_Register.LIBCPMT ref: 004111C3
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                              Strings
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                              • String ID: (mG
                              • API String ID: 2536120697-4059303827
                              • Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                              • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                              • Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                              • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                              APIs
                              • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                              • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                              Yara matches
                              Similarity
                              • API ID: ErrorLastValue___vcrt_
                              • String ID:
                              • API String ID: 3852720340-0
                              • Opcode ID: 638d684b347ac06dfe4bc535c577f59ea1be28aca40328da122190a265038ba8
                              • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                              • Opcode Fuzzy Hash: 638d684b347ac06dfe4bc535c577f59ea1be28aca40328da122190a265038ba8
                              • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                              APIs
                              • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe), ref: 004075D0
                                • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                              • CoUninitialize.OLE32 ref: 00407629
                              Strings
                              • [+] ShellExec success, xrefs: 0040760E
                              • C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, xrefs: 004075B0, 004075B3, 00407605
                              • [+] before ShellExec, xrefs: 004075F1
                              • [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075B5
                              Yara matches
                              Similarity
                              • API ID: InitializeObjectUninitialize_wcslen
                              • String ID: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                              • API String ID: 3851391207-3373532818
                              APIs
                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                              • GetLastError.KERNEL32 ref: 0040BAE7
                              Strings
                              • [Chrome Cookies not found], xrefs: 0040BB01
                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                              • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                              • UserProfile, xrefs: 0040BAAD
                              Similarity
                              • API ID: DeleteErrorFileLast
                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                              • API String ID: 2018770650-304995407
                              Strings
                              • C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe, xrefs: 004076C4
                              • hdF, xrefs: 004076A9
                              • Rmc-HKC0PV, xrefs: 004076DA
                              Similarity
                              • API ID:
                              • String ID: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe$Rmc-HKC0PV$hdF
                              • API String ID: 0-3712256101
                              APIs
                              • __allrem.LIBCMT ref: 0043AC69
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                              • __allrem.LIBCMT ref: 0043AC9C
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                              • __allrem.LIBCMT ref: 0043ACD1
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                              Similarity
                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                              • String ID:
                              • API String ID: 1992179935-0
                              APIs
                              • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                                • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                              Similarity
                              • API ID: H_prologSleep
                              • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                              • API String ID: 3469354165-3054508432
                              APIs
                                • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                              • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                              • GetNativeSystemInfo.KERNEL32(?,0040D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                              • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                                • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                              • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
                              • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                                • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                • Part of subcall function 00412077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                              Similarity
                              • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                              • String ID:
                              • API String ID: 3950776272-0
                              Similarity
                              • API ID: __cftoe
                              • String ID:
                              • API String ID: 4189289331-0
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                              Similarity
                              • API ID: Service$CloseHandle$Open$ChangeConfigManager
                              • String ID:
                              • API String ID: 493672254-0
                              APIs
                              • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                              • _free.LIBCMT ref: 0044824C
                              • _free.LIBCMT ref: 00448274
                              • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                              • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                              • _abort.LIBCMT ref: 00448293
                              Similarity
                              • API ID: ErrorLast$_free$_abort
                              • String ID:
                              • API String ID: 3160817290-0
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                              • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                              • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe,00000104), ref: 00443475
                              • _free.LIBCMT ref: 00443540
                              • _free.LIBCMT ref: 0044354A
                              Similarity
                              • API ID: _free$FileModuleName
                              • String ID: C:\Users\user\Desktop\6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe$P'M
                              • API String ID: 2506810119-2359972219
                              APIs
                              • RegisterClassExA.USER32(00000030), ref: 0041D55B
                              • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                              • GetLastError.KERNEL32 ref: 0041D580
                              Similarity
                              • API ID: ClassCreateErrorLastRegisterWindow
                              • String ID: 0$MsgWindowClass
                              • API String ID: 2877667751-2410386613
                              • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                              • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                              • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                              • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                              APIs
                              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                              • CloseHandle.KERNEL32(?), ref: 004077AA
                              • CloseHandle.KERNEL32(?), ref: 004077AF
                              Strings
                              • C:\Windows\System32\cmd.exe, xrefs: 00407796
                              • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$CreateProcess
                              • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                              • API String ID: 2922976086-4183131282
                              • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                              • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                              • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                              • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                              • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
                              Strings
                              Yara matches
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                              • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                              • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                              • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                              APIs
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                              • String ID: KeepAlive | Disabled
                              • API String ID: 2993684571-305739064
                              • Opcode ID: 17bfdc88350a56738500cb661d506395563dca3eea58109498aa24bd4a02de42
                              • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                              • Opcode Fuzzy Hash: 17bfdc88350a56738500cb661d506395563dca3eea58109498aa24bd4a02de42
                              • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                              APIs
                                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                              • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                              • Sleep.KERNEL32(00002710), ref: 0041AE07
                              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                              Strings
                              Yara matches
                              Similarity
                              • API ID: PlaySound$HandleLocalModuleSleepTime
                              • String ID: Alarm triggered
                              • API String ID: 614609389-2816303416
                              • Opcode ID: 8320d0a8477b2dfdf5ffede3a6159dd71cddf314a322f93aa69cf56e5021b822
                              • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                              • Opcode Fuzzy Hash: 8320d0a8477b2dfdf5ffede3a6159dd71cddf314a322f93aa69cf56e5021b822
                              • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                              APIs
                              • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                              • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                              • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                              • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                              Strings
                              • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                              Yara matches
                              Similarity
                              • API ID: Console$AttributeText$BufferHandleInfoScreen
                              • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                              • API String ID: 3024135584-2418719853
                              • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                              • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                              • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                              • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                              • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                              • Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                              • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                              APIs
                                • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                              • _free.LIBCMT ref: 00444E06
                              • _free.LIBCMT ref: 00444E1D
                              • _free.LIBCMT ref: 00444E3C
                              • _free.LIBCMT ref: 00444E57
                              • _free.LIBCMT ref: 00444E6E
                              Yara matches
                              Similarity
                              • API ID: _free$AllocateHeap
                              • String ID:
                              • API String ID: 3033488037-0
                              • Opcode ID: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
                              • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                              • Opcode Fuzzy Hash: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
                              • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                              APIs
                                • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                              • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                              • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
                                • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                              Yara matches
                              Similarity
                              • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                              • String ID:
                              • API String ID: 2180151492-0
                              • Opcode ID: bc4163984acb67f3763b954a4e60ef5345a244623aad4191208eb1456dde199f
                              • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                              • Opcode Fuzzy Hash: bc4163984acb67f3763b954a4e60ef5345a244623aad4191208eb1456dde199f
                              • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                              APIs
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                              • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                              • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                              • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
                              • __alloca_probe_16.LIBCMT ref: 004511B1
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
                              • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
                              • __freea.LIBCMT ref: 0045121D
                                • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                              • String ID:
                              • API String ID: 313313983-0
                              • Opcode ID: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
                              • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                              • Opcode Fuzzy Hash: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
                              • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                              APIs
                              • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                              • _free.LIBCMT ref: 0044F3BF
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                              Yara matches
                              Similarity
                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                              • String ID:
                              • API String ID: 336800556-0
                              • Opcode ID: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
                              • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                              • Opcode Fuzzy Hash: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
                              • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                              APIs
                              • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                              • _free.LIBCMT ref: 004482D3
                              • _free.LIBCMT ref: 004482FA
                              • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                              • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$_free
                              • String ID:
                              • API String ID: 3170660625-0
                              • Opcode ID: 571d41474ce1ecf249379c1426acfa822363cfd76659d15f34c4b7271f688646
                              • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                              • Opcode Fuzzy Hash: 571d41474ce1ecf249379c1426acfa822363cfd76659d15f34c4b7271f688646
                              • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                              APIs
                              • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                              • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                              • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                              Yara matches
                              Similarity
                              • API ID: Process$CloseHandleOpen$FileImageName
                              • String ID:
                              • API String ID: 2951400881-0
                              • Opcode ID: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
                              • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                              • Opcode Fuzzy Hash: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
                              • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                              APIs
                              • _free.LIBCMT ref: 004509D4
                                • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                              • _free.LIBCMT ref: 004509E6
                              • _free.LIBCMT ref: 004509F8
                              • _free.LIBCMT ref: 00450A0A
                              • _free.LIBCMT ref: 00450A1C
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                              • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                              • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                              • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                              APIs
                              • _free.LIBCMT ref: 00444066
                                • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                              • _free.LIBCMT ref: 00444078
                              • _free.LIBCMT ref: 0044408B
                              • _free.LIBCMT ref: 0044409C
                              • _free.LIBCMT ref: 004440AD
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                              • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                              • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                              • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                              APIs
                              • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CreateFileKeyboardLayoutNameconnectsend
                              • String ID: XQG$NG$PG
                              • API String ID: 1634807452-3565412412
                              • Opcode ID: bb7d47dd1c0574d1f8bbd65173e441b9c22a58920cc1a0f10f4e6527fe2c0be8
                              • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                              • Opcode Fuzzy Hash: bb7d47dd1c0574d1f8bbd65173e441b9c22a58920cc1a0f10f4e6527fe2c0be8
                              • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                              • String ID: `#D$`#D
                              • API String ID: 885266447-2450397995
                              • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                              • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                              • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                              • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                              • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                              • String ID: /sort "Visit Time" /stext "$0NG
                              • API String ID: 368326130-3219657780
                              • Opcode ID: 4ca3e23d37222fde7400e40ebd3a0efd5546e71d852519533edc46d7893c20f4
                              • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                              • Opcode Fuzzy Hash: 4ca3e23d37222fde7400e40ebd3a0efd5546e71d852519533edc46d7893c20f4
                              • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                              APIs
                                • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                              • __Init_thread_footer.LIBCMT ref: 0040B797
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Init_thread_footer__onexit
                              • String ID: [End of clipboard]$[Text copied to clipboard]$hdF
                              • API String ID: 1881088180-1379921833
                              • Opcode ID: f72f7acb6e995bab9069cebdaf7e12266999cf1a5a480981143d2b12499a9b58
                              • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                              • Opcode Fuzzy Hash: f72f7acb6e995bab9069cebdaf7e12266999cf1a5a480981143d2b12499a9b58
                              • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                              APIs
                              • _wcslen.LIBCMT ref: 004162F5
                                • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                • Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                              Strings
                              Yara matches
                              Similarity
                              • API ID: _wcslen$CloseCreateValue
                              • String ID: !D@$okmode$PG
                              • API String ID: 3411444782-3370592832
                              • Opcode ID: 0b5bfbcb24497edc23cadcade7b987103f73c59b25c5745cb5cc2b363945fd23
                              • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                              • Opcode Fuzzy Hash: 0b5bfbcb24497edc23cadcade7b987103f73c59b25c5745cb5cc2b363945fd23
                              • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                              APIs
                                • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                              • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                              Strings
                              • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                              • User Data\Default\Network\Cookies, xrefs: 0040C603
                              Yara matches
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                              • API String ID: 1174141254-1980882731
                              • Opcode ID: 3f7452b16761e1584c8e2d429d91126a521682e32829e5e9204bb30330905886
                              • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                              • Opcode Fuzzy Hash: 3f7452b16761e1584c8e2d429d91126a521682e32829e5e9204bb30330905886
                              • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                              APIs
                                • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                              • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                              Strings
                              • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                              • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                              Yara matches
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                              • API String ID: 1174141254-1980882731
                              • Opcode ID: 6cf461605f9a2c7fe8b2ad0f04ad55fadbe866efa039c7f8a040f60605f6135f
                              • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                              • Opcode Fuzzy Hash: 6cf461605f9a2c7fe8b2ad0f04ad55fadbe866efa039c7f8a040f60605f6135f
                              • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                              APIs
                              • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                              • wsprintfW.USER32 ref: 0040B1F3
                                • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                              Strings
                              Yara matches
                              Similarity
                              • API ID: EventLocalTimewsprintf
                              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                              • API String ID: 1497725170-1359877963
                              • Opcode ID: 146ec40d80975ce460983ba45166e756595be86b93ab3a07005c0417d446001b
                              • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                              • Opcode Fuzzy Hash: 146ec40d80975ce460983ba45166e756595be86b93ab3a07005c0417d446001b
                              • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                              APIs
                                • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                              • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
                              • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
                              • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CreateThread$LocalTime$wsprintf
                              • String ID: Online Keylogger Started
                              • API String ID: 112202259-1258561607
                              • Opcode ID: 18c80faa916e37ff587b460602bbba5bb4c1a333ebe42aa4448383553abdc9cc
                              • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                              • Opcode Fuzzy Hash: 18c80faa916e37ff587b460602bbba5bb4c1a333ebe42aa4448383553abdc9cc
                              • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                              APIs
                              • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                              • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                              Strings
                              Yara matches
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: CryptUnprotectData$crypt32
                              • API String ID: 2574300362-2380590389
                              • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                              • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                              • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                              • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                              APIs
                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                              • CloseHandle.KERNEL32(?), ref: 004051CA
                              • SetEvent.KERNEL32(?), ref: 004051D9
                              Strings
                              Similarity
                              • API ID: CloseEventHandleObjectSingleWait
                              • String ID: Connection Timeout
                              • API String ID: 2055531096-499159329
                              APIs
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                              Similarity
                              • API ID: Exception@8Throw
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 2005118841-1866435925
                              APIs
                              • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
                              • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F823,pth_unenc,004752D8), ref: 0041384D
                              • RegCloseKey.ADVAPI32(004752D8,?,0040F823,pth_unenc,004752D8), ref: 00413858
                              Similarity
                              • API ID: CloseCreateValue
                              • String ID: pth_unenc
                              • API String ID: 1818849710-4028850238
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                              Similarity
                              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                              • String ID: bad locale name
                              • API String ID: 3628047217-1405518554
                              APIs
                              • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                              • ShowWindow.USER32(00000009), ref: 00416C61
                              • SetForegroundWindow.USER32 ref: 00416C6D
                                • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                • Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                              Similarity
                              • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                              • String ID: !D@
                              • API String ID: 186401046-604454484
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                              Similarity
                              • API ID: ExecuteShell
                              • String ID: /C $cmd.exe$open
                              • API String ID: 587946157-3896048727
                              APIs
                              • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
                              • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
                              Similarity
                              • API ID: DeleteDirectoryFileRemove
                              • String ID: hdF$pth_unenc
                              • API String ID: 3325800564-514923600
                              APIs
                              • TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                              • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                              • TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                              Similarity
                              • API ID: TerminateThread$HookUnhookWindows
                              • String ID: pth_unenc
                              • API String ID: 3123878439-4028850238
                              Similarity
                              • API ID: __alldvrm$_strrchr
                              • String ID:
                              • API String ID: 1036877536-0
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              Strings
                              • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                              • Cleared browsers logins and cookies., xrefs: 0040C0F5
                              Similarity
                              • API ID: Sleep
                              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                              • API String ID: 3472027048-1236744412
                              APIs
                                • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                              • Sleep.KERNEL32(00000BB8), ref: 0041277A
                              Similarity
                              • API ID: CloseOpenQuerySleepValue
                              • String ID: 8SG$exepath$hdF
                              • API String ID: 4119054056-3379396883
                              APIs
                                • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                              • Sleep.KERNEL32(000001F4), ref: 0040A573
                              • Sleep.KERNEL32(00000064), ref: 0040A5FD
                              Similarity
                              • API ID: Window$SleepText$ForegroundLength
                              • String ID: [ $ ]
                              • API String ID: 3309952895-93608704
                              Similarity
                              • API ID: SystemTimes$Sleep__aulldiv
                              • String ID:
                              • API String ID: 188215759-0
                              • Opcode ID: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                              • Instruction ID: 72b4c32e7059473e424b83a6cc96647c38f9827b21069785d395d2d8421d6a64
                              • Opcode Fuzzy Hash: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                              • Instruction Fuzzy Hash: B0113D7A5083456BD304FAB5CC85DEB7BACEAC4654F040A3EF54A82051FE68EA4886A5
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1402187dc894a4e12df99dfbae9386d73ba971c9ebc4e926ae82cbef636365bd
                              • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                              • Opcode Fuzzy Hash: 1402187dc894a4e12df99dfbae9386d73ba971c9ebc4e926ae82cbef636365bd
                              • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e053bf99a2e41e93cc482c8ec4f229103dbcdbffd9494e67af00337bfa3268c1
                              • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                              • Opcode Fuzzy Hash: e053bf99a2e41e93cc482c8ec4f229103dbcdbffd9494e67af00337bfa3268c1
                              • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                              APIs
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                              • GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                              Similarity
                              • API ID: LibraryLoad$ErrorLast
                              • String ID:
                              • API String ID: 3177248105-0
                              • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                              • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                              • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                              • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C4D7
                              • CloseHandle.KERNEL32(00000000), ref: 0041C4E5
                              Similarity
                              • API ID: File$CloseCreateHandleReadSize
                              • String ID:
                              • API String ID: 3919263394-0
                              • Opcode ID: b5e3200c466b265101f42b470097a5df982af49012dad84e5cfda8818ecad7ff
                              • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                              • Opcode Fuzzy Hash: b5e3200c466b265101f42b470097a5df982af49012dad84e5cfda8818ecad7ff
                              • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                              APIs
                              • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                              • _UnwindNestedFrames.LIBCMT ref: 00439891
                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                              • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                              Similarity
                              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                              • String ID:
                              • API String ID: 2633735394-0
                              • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                              • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                              • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                              • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                              APIs
                              • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                              • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                              • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                              • GetSystemMetrics.USER32(0000004F), ref: 00419402
                              Similarity
                              • API ID: MetricsSystem
                              • String ID:
                              • API String ID: 4116985748-0
                              • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                              • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                              • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                              • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
                              APIs
                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                              Similarity
                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                              • String ID:
                              • API String ID: 1761009282-0
                              • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                              • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
                              • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                              • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
                              APIs
                              • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                              Similarity
                              • API ID: ErrorHandling__start
                              • String ID: pow
                              • API String ID: 3213639722-2276729525
                              • Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                              • Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
                              • Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                              • Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
                              APIs
                              • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE
                                • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                              • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B
                                • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                              Similarity
                              • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                              • String ID: image/jpeg
                              • API String ID: 1291196975-3785015651
                              • Opcode ID: d9a19672ec4dc75711255ce94c2c2311e4e29857de9186f34d814f6d2a4cbe43
                              • Instruction ID: 71c7567624fb1f0fb67e5b365d5baafb3eed0516d04e2b9615b8e3d4f66a2876
                              • Opcode Fuzzy Hash: d9a19672ec4dc75711255ce94c2c2311e4e29857de9186f34d814f6d2a4cbe43
                              • Instruction Fuzzy Hash: 13317F71504300AFC301EF65CC84DAFB7E9FF8A704F00496EF985A7251DB7999448BA6
                              APIs
                              • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C12
                              Similarity
                              • API ID:
                              • String ID: ACP$OCP
                              • API String ID: 0-711371036
                              • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                              • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                              • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                              • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                              APIs
                              • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA
                                • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                              • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF
                                • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                              Similarity
                              • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                              • String ID: image/png
                              • API String ID: 1291196975-2966254431
                              • Opcode ID: d4f259a593197f1d9dbe7f79535cfb99d89987488e7eb69950e532603a38181c
                              • Instruction ID: c6f894421d6f6d4ca6915e56eba1d7ff3797fde04a376feef2065c2e579c4a83
                              • Opcode Fuzzy Hash: d4f259a593197f1d9dbe7f79535cfb99d89987488e7eb69950e532603a38181c
                              • Instruction Fuzzy Hash: 30219371204211AFC705EB61CC88CBFBBADEFCA754F10092EF54693161DB399945CBA6
                              APIs
                              • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                              • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                              Strings
                              • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                              Similarity
                              • API ID: LocalTime
                              • String ID: KeepAlive | Enabled | Timeout:
                              • API String ID: 481472006-1507639952
                              • Opcode ID: d7ff175fedf05b7445783633cdb62c4b571b838359eb1ad13fe403eca5861c2a
                              • Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
                              • Opcode Fuzzy Hash: d7ff175fedf05b7445783633cdb62c4b571b838359eb1ad13fe403eca5861c2a
                              • Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
                              APIs
                              • Sleep.KERNEL32 ref: 00416640
                              • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                              Similarity
                              • API ID: DownloadFileSleep
                              • String ID: !D@
                              • API String ID: 1931167962-604454484
                              • Opcode ID: a0ec73807b07b55f12d7be1e643fec4cddf46813b039fcbaa5035cf5dcd737ac
                              • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                              • Opcode Fuzzy Hash: a0ec73807b07b55f12d7be1e643fec4cddf46813b039fcbaa5035cf5dcd737ac
                              • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                              APIs
                              • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                              Similarity
                              • API ID: LocalTime
                              • String ID: | $%02i:%02i:%02i:%03i
                              • API String ID: 481472006-2430845779
                              • Opcode ID: cfeb685ec421024236c3fe8a582943f52c7b46feb71b451bddb7413a3931a58d
                              • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                              • Opcode Fuzzy Hash: cfeb685ec421024236c3fe8a582943f52c7b46feb71b451bddb7413a3931a58d
                              • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                              APIs
                              • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: alarm.wav$hYG
                              • API String ID: 1174141254-2782910960
                              • Opcode ID: 1ca1b3cc47252a1631e26160b8d0d2f72150c654b90b32622389016ea0759ec0
                              • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                              • Opcode Fuzzy Hash: 1ca1b3cc47252a1631e26160b8d0d2f72150c654b90b32622389016ea0759ec0
                              • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                              APIs
                                • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                              • CloseHandle.KERNEL32(?), ref: 0040B0B4
                              • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                              • String ID: Online Keylogger Stopped
                              • API String ID: 1623830855-1496645233
                              • Opcode ID: 33f513a8367aa60c9c39e45db4b09adeb783fa014ebf533a38ecdd59b48b7fa1
                              • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                              • Opcode Fuzzy Hash: 33f513a8367aa60c9c39e45db4b09adeb783fa014ebf533a38ecdd59b48b7fa1
                              • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                              APIs
                              • waveInPrepareHeader.WINMM(004EDC58,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                              • waveInAddBuffer.WINMM(004EDC58,00000020,?,00000000,00401A15), ref: 0040185F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: wave$BufferHeaderPrepare
                              • String ID: SN
                              • API String ID: 2315374483-3355377138
                              • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                              • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                              • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                              • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID: $G
                              • API String ID: 269201875-4251033865
                              • Opcode ID: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
                              • Instruction ID: ffc8389238c956ab6c1ca4f2b01b58cd1871601a5e35f3520dab429f03a8b914
                              • Opcode Fuzzy Hash: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
                              • Instruction Fuzzy Hash: 7DE0E592A0182014F6717A3F6C0575B0545CBC2B7FF11833BF538861C1CFAC4A46519E
                              APIs
                              • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: LocaleValid
                              • String ID: IsValidLocaleName$JD
                              • API String ID: 1901932003-2234456777
                              • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                              • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                              • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                              • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                              APIs
                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: UserProfile$\AppData\Local\Google\Chrome\
                              • API String ID: 1174141254-4188645398
                              • Opcode ID: f1acc3cc63483105fb3c6833ea2415d43d59c245a1346c36ac9ceb6aca08711c
                              • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                              • Opcode Fuzzy Hash: f1acc3cc63483105fb3c6833ea2415d43d59c245a1346c36ac9ceb6aca08711c
                              • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                              APIs
                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                              • API String ID: 1174141254-2800177040
                              • Opcode ID: 911eca338311f85069e2af4ccc8ed928932e81e1ee07fccbbe9b002445cdb3b1
                              • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                              • Opcode Fuzzy Hash: 911eca338311f85069e2af4ccc8ed928932e81e1ee07fccbbe9b002445cdb3b1
                              • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                              APIs
                              • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: AppData$\Opera Software\Opera Stable\
                              • API String ID: 1174141254-1629609700
                              • Opcode ID: 25af406674ba748cf22b69dac7a276e1c55e1f7e049a59cb8dfb70449f372998
                              • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                              • Opcode Fuzzy Hash: 25af406674ba748cf22b69dac7a276e1c55e1f7e049a59cb8dfb70449f372998
                              • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                              APIs
                              • GetKeyState.USER32(00000011), ref: 0040B64B
                                • Part of subcall function 0040A3E0: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A416
                                • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A43E
                                • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A461
                                • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                              • String ID: [AltL]$[AltR]
                              • API String ID: 2738857842-2658077756
                              • Opcode ID: dd2f914049f4f370ef2f5aa51de3004961a69ba16bdb171d6c04a041743c3e8a
                              • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                              • Opcode Fuzzy Hash: dd2f914049f4f370ef2f5aa51de3004961a69ba16bdb171d6c04a041743c3e8a
                              • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                              APIs
                              • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                              • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: uD
                              • API String ID: 0-2547262877
                              • Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                              • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                              • Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                              • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell
                              • String ID: !D@$open
                              • API String ID: 587946157-1586967515
                              • Opcode ID: 28875262e4bf0174853db4a5e6fd65081a004c09e6690994ece775789ea22bec
                              • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                              • Opcode Fuzzy Hash: 28875262e4bf0174853db4a5e6fd65081a004c09e6690994ece775789ea22bec
                              • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                              APIs
                              • GetKeyState.USER32(00000012), ref: 0040B6A5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: State
                              • String ID: [CtrlL]$[CtrlR]
                              • API String ID: 1649606143-2446555240
                              • Opcode ID: f934f2a7f97c34cec8605a65b064942ce57b78f2774506a061fea1d29b3ee07f
                              • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                              • Opcode Fuzzy Hash: f934f2a7f97c34cec8605a65b064942ce57b78f2774506a061fea1d29b3ee07f
                              • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                              APIs
                                • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                              • __Init_thread_footer.LIBCMT ref: 00410F29
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Init_thread_footer__onexit
                              • String ID: ,kG$0kG
                              • API String ID: 1881088180-2015055088
                              • Opcode ID: f9f143b1e95ac96eb86707cb7474d167dbc7ad60067a617d51a8135112e2f0db
                              • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                              • Opcode Fuzzy Hash: f9f143b1e95ac96eb86707cb7474d167dbc7ad60067a617d51a8135112e2f0db
                              • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                              APIs
                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A31
                              • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A45
                              Strings
                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: DeleteOpenValue
                              • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                              • API String ID: 2654517830-1051519024
                              • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                              • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                              • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                              • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                              APIs
                              • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                              • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ObjectProcessSingleTerminateWait
                              • String ID: pth_unenc
                              • API String ID: 1872346434-4028850238
                              • Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                              • Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
                              • Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                              • Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CommandLine
                              • String ID: P'M
                              • API String ID: 3253501508-1096120554
                              • Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                              • Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
                              • Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                              • Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                              • GetLastError.KERNEL32 ref: 00440D35
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorLast
                              • String ID:
                              • API String ID: 1717984340-0
                              • Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                              • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                              • Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                              • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                              APIs
                              • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                              • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                              • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
                              • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                              Memory Dump Source
                              • Source File: 00000000.00000002.4092129254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.4092116036.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092156946.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092172142.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.4092198582.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_paylo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastRead
                              • String ID:
                              • API String ID: 4100373531-0
                              • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                              • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                              • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                              • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99
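The following is an added helper, not part of the Joe Sandbox report or its IDA plugin, for turning the "APIs" records above into structured data so the call sequence of a function can be diffed against other samples. The SAMPLE text is constructed from the seven API lines of the two preceding blocks (the MultiByteToWideChar/GetLastError function and the IsBadReadPtr/SetLastError function). The error-code names are the winerror.h values 0x7E = ERROR_MOD_NOT_FOUND and 0x7F = ERROR_PROC_NOT_FOUND; the resolver heuristic at the end is my own assumption: a function that probes memory with IsBadReadPtr and then sets exactly the codes GetModuleHandle/GetProcAddress failures leave behind is consistent with a hand-written export resolver (which would fit the report's "Contains functionality to dynamically determine API calls" signature), but the listing alone does not prove that.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the API records from the two function blocks above,
# in the exact line format the Joe Sandbox IDA plugin listing uses.
SAMPLE = """\
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
• GetLastError.KERNEL32 ref: 00440D35
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
• IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
• IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
• SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
• SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
"""

# One record: "<api>.<module>(<args>), ref: <hex addr>"; the argument list is
# optional (GetLastError has none) and "?" marks a value the plugin could not recover.
RECORD_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Win32 system error codes (winerror.h) that matter when reading this listing.
WIN32_ERRORS = {0x7E: "ERROR_MOD_NOT_FOUND", 0x7F: "ERROR_PROC_NOT_FOUND"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the plugin printed "?"
    ref: int                   # address of the call site


def parse_arg(token: str) -> Optional[int]:
    token = token.strip()
    return None if token in ("", "?") else int(token, 16)


def parse_listing(text: str) -> List[ApiCall]:
    """Parse every well-formed API record in the text; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [] if raw_args is None else [parse_arg(a) for a in raw_args.split(",")]
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def error_codes_set(calls: List[ApiCall]) -> List[str]:
    """Names of the error codes a function sets itself via SetLastError, in listing order."""
    names = []
    for c in calls:
        if c.api == "SetLastError" and c.args and c.args[0] is not None:
            names.append(WIN32_ERRORS.get(c.args[0], f"0x{c.args[0]:X}"))
    return names


def call_sequence(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """(api, call-site) pairs ordered by address, for comparison across samples."""
    return [(c.api, f"{c.ref:08X}") for c in sorted(calls, key=lambda c: c.ref)]


def looks_like_custom_resolver(calls: List[ApiCall]) -> bool:
    """Heuristic (an assumption, not a proof): IsBadReadPtr probing combined with
    explicit ERROR_MOD_NOT_FOUND / ERROR_PROC_NOT_FOUND is the error-reporting
    shape of a hand-rolled GetModuleHandle/GetProcAddress replacement."""
    apis = {c.api for c in calls}
    codes = set(error_codes_set(calls))
    return "IsBadReadPtr" in apis and {"ERROR_MOD_NOT_FOUND", "ERROR_PROC_NOT_FOUND"} <= codes


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for api, site in call_sequence(parsed):
        print(f"{site}  {api}")
    print("error codes set:", error_codes_set(parsed))
    print("custom resolver shape:", looks_like_custom_resolver(parsed))
```

Feed `parse_listing` the copied "APIs" bullets of any function block; the `ref` addresses let you line the sequence up against the Memory Dump Source offsets, and `call_sequence` output from two reports can be compared directly even when the Instruction Fuzzy Hashes differ.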